Abstract
The European Commission’s Digital Omnibus proposal aims to simplify the European Union’s complex digital legislative framework, which includes the GDPR, Data Act, and AI Act. While streamlining regulatory compliance is an attractive objective for healthcare stakeholders, it must not compromise the foundational elements of patient rights, privacy, and data security. This policy-oriented perspective analyzes the proposed amendments and the subsequent European Data Protection Board (EDPB) and European Data Protection Supervisor (EDPS) Joint Opinion 2/2026. Through a thematic and doctrinal analysis of these regulatory documents, this article examines four critical areas impacting digital health: (1) definitions of personal and pseudonymised data; (2) data processing for scientific research and AI; (3) the balance between data subject rights and administrative burdens; and (4) emergency data access and ePrivacy. We argue that data security is a prerequisite for trustworthy digital health systems, and regulatory simplification must not inadvertently expand the attack surface for health data. We conclude that while the Digital Omnibus offers necessary relief from compliance fatigue, true digital health governance requires a ‘security-by-design’ roadmap. Policymakers must adopt targeted derogations for health data that facilitate EHDS cross-border interoperability and AI innovation, without dismantling the foundational pseudonymisation and transparency safeguards upon which patient trust relies.
Keywords
Introduction: Digital omnibus and the health data ecosystem
Digital transformation in healthcare increasingly depends on large-scale data processing across clinical care, research, public health and commercial digital health services. European health systems already operate within a dense regulatory landscape, including the The General Data Protection Regulation (GDPR), the ePrivacy Directive, the Data Governance Act, the Data Act, the Artificial Intelligence (AI) Act and the emerging European Health Data Space.1–6 However, the successful adoption of these technologies hinges fundamentally on robust data security. As highlighted by Karacic Zanetti and Nunes, data security is not merely a technical compliance requirement, but a foundational prerequisite for trustworthy digital health governance. 7 Without secure systems, the promise of digital innovation is compromised by vulnerabilities that can erode patient trust, compromise privacy, and infringe upon fundamental patient rights. Empirical scholarship similarly shows that perceived privacy and boundary risks reduce individuals’ willingness to disclose health information, making trust a precondition for scalable digital health. 8
The European Commission’s Digital Omnibus proposal seeks to streamline this landscape by amending multiple instruments in a single act, aiming to reduce administrative burden, improve legal certainty and support innovation. 9 For health stakeholders, these objectives are attractive given the complexity of complying with overlapping rules and heterogeneous national implementations. Yet, any simplification must be carefully balanced to avoid undermining the security architectures that safeguard sensitive health data.
The European Data Protection Board (EDPB)– European Data Protection Supervisor (EDPS) Joint Opinion 2/2026 shows, however, that simplification is not neutral. 10 Several amendments would affect the scope of protection for individuals and rebalance powers between independent data protection authorities and the European Commission. Because health data are highly sensitive and circulate across diverse systems and jurisdictions, these changes carry significant risks if they inadvertently lower data security thresholds or weaken governance. frameworks.
Methodological approach
To systematically assess the implications of the Digital Omnibus for the healthcare sector, this article is framed as a policy-oriented perspective utilizing a combination of doctrinal legal analysis and thematic policy analysis. The primary sources for this review were purposively selected to represent the core of the current and proposed European digital governance framework: the European Commission’s Digital Omnibus proposal (COM(2024) 468 final) and the EDPB-EDPS Joint Opinion 2/2026.9,10 These were analyzed alongside existing foundational legislation, including the GDPR, the AI Act, and the Data Act.1–6
Secondary literature and policy commentaries were identified to contextualize these legal texts within the specific operational realities of digital health. Rather than a systematic quantitative review, this methodology relied on a qualitative thematic extraction. We mapped the Commission’s proposed legislative simplifications against the warnings raised by the EDPB and EDPS, specifically filtering for provisions that intersect with health data governance, patient privacy, and clinical workloads. This approach allows for a replicable, conceptual evaluation of how broad digital regulations might specifically alter the risk landscape and operational requirements of European digital health systems.
The selection of the critical areas discussed in this Perspective was not arbitrary, but rather emerged iteratively from our thematic analysis of the Joint Opinion. 10 Recognizing that the Digital Omnibus addresses a vast array of general digital market and telecommunications issues, we applied our expert judgment to isolate only those provisions that directly intersect with the legal foundations of European healthcare. 9 Specifically, these areas were prioritized because they map directly onto the most highly utilized—and heavily debated—mechanisms for health data processing under existing law, namely GDPR Article 9 (special categories of data), Article 22 (automated decision-making), and Article 89 (scientific research). 1 Furthermore, these domains represent the specific friction points where the EDPB and EDPS explicitly flagged the highest potential risks to fundamental rights concerning sensitive personal data. 10 By filtering out general consumer tech regulations, this selection provides a focused, clinically and operationally relevant lens through which to view the Omnibus proposal.
This Perspective focuses on Joint Opinion issues most salient for digital health: (1) the attempted re-definition of personal data and the status of pseudonymised data; (2) the treatment of scientific research, AI development and automated decision-making; (3) the balance between data subject rights and administrative burden; and (4) emergency data access, data intermediation and ePrivacy-related changes affecting health data flows.1–6,9,10
Digital omnibus proposal: EDPB/EDPS assessment and digital health implications.
Personal data, pseudonymisation and foundations of health data protection
Health data governance in Europe assumes that health information is almost always personal data, and that pseudonymisation reduces risk but does not take data outside the GDPR.1,10 The Joint Opinion stresses that the Digital Omnibus proposal would significantly affect this foundation.
The proposal would add wording to the GDPR and the Regulation for EU institutions stating that information is not personal data for a given entity if that entity cannot identify the individual, and that it does not become personal data for that entity merely because a recipient has means to identify that person.1,9,10 It would also empower the Commission to adopt implementing acts specifying when pseudonymised data cease to be personal for particular actors. 9
The EDPB and EDPS argue that these changes narrow the material scope of EU data protection law and conflict with Court of Justice case law, which recognises that data can be personal even where identification depends on another party’s means and that the possibility of “singling out” individuals is relevant in itself.1,10,11 The proposed text also departs from the CJEU’s recent interpretation of when data become personal when disclosed to a recipient with re-identification means.10,11
In healthcare, data routinely move between controllers with different identification capabilities, including hospitals, registries, research consortia and digital health vendors.1,10 If the definition of personal data is relativised to each actor, organisations may claim that datasets are “non-personal” for them even when those data remain re-linkable elsewhere, fragmenting accountability and complicating risk assessment. 10
The proposed implementing acts on pseudonymisation add uncertainty by allowing the Commission to define when pseudonymised data are no longer personal for certain entities, effectively adjusting the scope of data protection law through implementing acts.9,10 The EDPB and EDPS view this as encroaching on the role of independent supervisory authorities and courts and as likely to increase, not reduce, legal complexity. From a data security perspective, diluting the legal standards for pseudonymisation directly expands the attack surface. Strong pseudonymisation acts as a critical cybersecurity safeguard; if regulatory simplifications allow for weaker de-identification techniques, healthcare databases become significantly more vulnerable to malicious re-identification attacks and data breaches.
They therefore urge legislators not to adopt the new definition or the implementing-act mechanism, and instead to clarify pseudonymisation and anonymisation through EDPB guidance grounded in Court of Justice of the European Union (CJEU) jurisprudence.10,11 For digital health, retaining a robust, technology-neutral notion of personal data is essential for consistent protection across infrastructures and borders.1,10
Scientific research, AI development and automated decision-making in health
A central promise of the Digital Omnibus for health is clarification of the rules for scientific research. The proposal introduces a definition of scientific research and clarifies aspects of purpose limitation and transparency for secondary use of data.9,10 The Joint Opinion welcomes harmonisation but insists that the definition must be precise, anchored in methodological rigour, ethical standards and contribution to generalisable knowledge.
10
To conceptualize the extensive scope of the Digital Omnibus, Figure 1(a) illustrates how the proposed amendments intersect with the existing EU digital regulatory framework. As shown, while the proposal introduces positive simplification opportunities (highlighted in green), it simultaneously introduces high-risk alterations to foundational GDPR concepts (highlighted in red). (a) Conceptual map of the EU digital regulatory framework and proposed amendments. Existing core instruments shaping digital health (e.g., GDPR, AI Act, EHDS) are outlined alongside key changes proposed by the Digital Omnibus. Proposed amendments are categorized by risk level (red = high risk, yellow = moderate risk, green = simplification opportunities) based on the EDPB–EDPS Joint Opinion 2/2026. (b) Implications of the Digital Omnibus for the digital health ecosystem. The figure highlights the key stakeholders involved and analyzes the specific risks, governance requirements, and workload impacts across core data processing areas (e.g., secondary research, AI development, and emergency access).
For digital health research, including clinical trials, registries and real-world evidence studies, a clearer framework for further processing can reduce uncertainty around using clinical data under appropriate safeguards.1,10 The Opinion supports recognising that further processing for research can be compatible with initial purposes without repeating a compatibility test in every case, provided that safeguards such as pseudonymisation, minimisation and oversight are applied.1,5,10
The narrowing of the personal data scope fundamentally shifts the accountability landscape. As mapped in Figure 1(b) (Section A), this risks fragmenting accountability across the digital health ecosystem, particularly for multi-party flows involving hospitals, registries, and researchers.
At the same time, the EDPB and EDPS stress that simplification must not erode core principles. They call for a clear distinction between genuine scientific research and commercial data exploitation presented as “innovation”, and for transparency derogations—where informing each data subject would be impossible or involve disproportionate effort—to remain narrow and conditional. 10 For health organisations, this implies that any simplification will be coupled with expectations of demonstrable ethical governance and documentation of research choices.5,10 Furthermore, the aggregation of massive health datasets required for AI training introduces centralized security risks. If the Omnibus proposal relaxes the conditions for secondary data use without simultaneously mandating state-of-the-art security protocols (such as encryption and secure processing environments), the resulting governance framework will fail to protect patients against emerging cyber threats.
The omnibus interplay with the EHDS and innovation trade-offs
A critical gap in the Commission’s simplification drive is the lack of explicit alignment with the European Health Data Space (EHDS), arguably the most transformative digital health legislation in the EU. 12 The EHDS is designed to foster a trusted environment for the primary and secondary use of health data. However, the Digital Omnibus risks creating regulatory dissonance. For example, if the Omnibus broadly relaxes the oversight of data intermediation or weakens the legal threshold for pseudonymisation, it could inadvertently undermine the highly secure, controlled processing environments envisioned by the EHDS for secondary research. 9
Furthermore, while the EDPB/EDPS raise valid alarms regarding patient rights, their regulatory stance often defaults to maximum risk aversion, which can stifle the operationalization of “learning health systems”. 10 Broader digital health scholarship emphasizes the tension between strict data protection and the ethical imperative of data utility for public health (often framed as “data solidarity”). From an industry and clinical research perspective, the current fragmented regulatory landscape causes severe “compliance fatigue.” Therefore, some of the Commission’s simplification efforts—such as harmonizing Data Protection Impact Assessments (DPIAs) and enabling machine-readable consent signals—should be viewed not merely as a dilution of rights, but as necessary, pragmatic trade-offs. If implemented with strict cybersecurity baselines, reducing bureaucratic redundancies can actually enhance patient care by accelerating AI deployment and reducing the administrative drag on healthcare providers and digital health vendors.
AI development and residual special-category data
The proposal also addresses the use of legitimate interest as a legal basis for processing personal data, including health-related data, in AI development and testing, and introduces a specific derogation for incidental, residual special-category data in AI training and validation.6,7,9,10 The Joint Opinion recognises the practical problem: training large models or diagnostic algorithms may inadvertently include small amounts of special-category data that are difficult to remove.6,10
However, the EDPB and EDPS insist that any such derogation must be strictly confined to incidental and residual cases and must not legitimise deliberate collection or use of health data for AI development without a valid Article 9 GDPR basis.1,6,10 For researchers and institutions, developers cannot treat these provisions as a general relaxation of rules. They must continue to rely on explicit consent, public interest in public health or scientific research, and implement robust minimisation and lifecycle safeguards.1,5,6,10
Automated individual decisions in healthcare
Automated decision-making is increasingly embedded in clinical workflows, from triage scoring to diagnostic support. Article 22 GDPR currently establishes a general prohibition on decisions based solely on automated processing that produce legal or similarly significant effects, subject to defined exceptions. 1 The Digital Omnibus proposal rephrases this framework more as a positive list of permitted automated decisions.9,10
The Joint Opinion warns that this reframing risks diluting protection. The EDPB and EDPS recall that the Court of Justice has interpreted Article 22 (1) as a prohibition in principle that does not depend on individuals invoking it.10,11 They argue that the new text must preserve this structure—“shall not be based solely on automated processing, unless…”—and clarify that necessity under Article 6 (1) (b) cannot be presumed merely because a contract exists.1,5,10
In healthcare, automated outputs can significantly influence diagnosis, treatment or access to services even when clinicians remain formally in the loop.5,13 The Opinion’s emphasis on a strong protective structure is a warning against labelling systems as “assistive” when their outputs effectively determine patient trajectories. Meaningful human oversight, context-sensitive assessments of significance and a practical ability for patients to contest outcomes remain central for trustworthy digital health AI.5,10,13
While the Joint Opinion cautions against shifting the GDPR’s prohibition of automated decision-making to a ‘positive list’ of permissible use cases, we must critically evaluate the practicalities of clinical AI. 10 Digital health developers and clinicians increasingly rely on automated triage and diagnostic support tools to manage overwhelming healthcare demands. The regulators’ fear of diluted patient safeguards is proportionate regarding autonomous life-or-death clinical decisions. However, insisting on heavy, continuous human oversight for low-risk, routine algorithmic administrative tasks (e.g., automated patient scheduling or preliminary scan sorting) creates unsustainable bottlenecks. The acceptable trade-off in the digital health context is a risk-stratified approach: embracing the Omnibus’s simplification for operational AI, while preserving strict “human-in-the-loop” mandates explicitly for high-stakes clinical interventions.
Data subject rights, healthcare workload and trust
Healthcare providers already struggle to manage data subject requests for access, rectification and erasure in complex IT environments. The Digital Omnibus proposal seeks to clarify when requests can be considered manifestly unfounded or excessive and introduces additional flexibility for transparency duties in low-risk contexts.1,2,9,10
The Joint Opinion accepts that abuse of rights is a concern but criticises proposals linking “abuse” to the motives of data subjects, such as using access rights for non-data-protection purposes. 10 The EDPB and EDPS recall that the GDPR protects fundamental rights and freedoms broadly and that access may legitimately serve many aims.1,10,11 They recommend defining abusiveness by reference to abusive intention and maintaining a high threshold, with documentation and opportunities for individuals to clarify their request before refusal.1,10
For healthcare organisations, this means any simplification is unlikely to justify broad refusals of complex or large-scope access requests. Emphasis remains on proportionate handling, patient dialogue and clear procedures. The Opinion’s recognition of resource constraints may support investment in better tooling and portals that facilitate self-service access. 10
On transparency, the Opinion supports reducing redundant information duties where individuals already have stable, adequate information, but warns that concepts such as “non-data-intensive activity” and “clear and circumscribed relationship” are too vague. 10 In healthcare, it may be reasonable to avoid repeating full notices at every encounter, but patients must still be able to obtain complete information on request and must know that this right exists.1,10
Emergency data access, data intermediation and ePrivacy in health
The Digital Omnibus also amends rules on access to data in public emergencies and on data sharing via intermediation and altruism organisations, and simplifies aspects of terminal equipment and consent.3,4,6,9,10 These changes are especially relevant for public health surveillance, registries, remote monitoring and app-based digital therapeutics.
Regarding emergencies, the proposal would remove an existing safeguard limiting public bodies to pseudonymised personal data when non-personal data are insufficient, allowing broader access to non-pseudonymised personal data.6,10 The Joint Opinion questions the necessity of this and recommends retaining pseudonymisation as the default safeguard wherever possible. 10 For health crises, rapid access to granular data can be vital, but experience from recent emergencies suggests that exceptional measures tend to persist and normalise expanded state access. The EDPB and EDPS therefore argue that emergencies should not reset the baseline of health data protection.2,6,10 While rapid data access during public health emergencies is vital, these mechanisms must not bypass core data security architectures. Emergency interoperability standards must be designed with ‘security-by-design’ principles to ensure that expedited access channels do not become permanent vulnerabilities that malicious actors can exploit. 14
In data intermediation and altruism, the proposal shifts from mandatory registration and relatively robust obligations to a lighter, more voluntary regime.4,6,10 While this may reduce formal burden for entities that mediate data for research and innovation, the Joint Opinion emphasises that trust in such entities depends on clear obligations, record-keeping and oversight.4,10 For digital health, where data altruism schemes are presented as vehicles for patient-centred sharing, weakening obligations risks undermining participation and legitimacy.4,10
Finally, the proposal seeks to reduce “consent fatigue” for terminal equipment, including cookies and similar technologies, by creating GDPR-based rules for personal data and enabling machine-readable user choices through browser- or device-level settings.3,9–11 The EDPB and EDPS support better technical means for expressing preferences but warn that fragmenting protection between GDPR and the ePrivacy Directive, broad consent exemptions and allowing some providers to override global signals could undermine user choice.3,10,11 As many digital health apps and telemedicine platforms depend on terminal equipment, coherent consent and preference management are essential.
Limitations
While this article synthesizes relevant legal and policy documents to clarify complex regulatory debates, it is important to acknowledge its methodological limitations. As a policy-oriented perspective based on documentary and doctrinal analysis, this manuscript lacks empirical evidence. The absence of primary data, such as stakeholder interviews, real-world implementation metrics, or institutional case studies, limits the ability to definitively generalize the practical, day-to-day impacts of the Digital Omnibus on specific healthcare institutions, clinicians, or patients. Consequently, the findings presented herein represent a conceptual contribution and a predictive risk assessment rather than a practice-validated evaluation. Future empirical research will be essential to measure how these regulatory simplifications actually influence data security practices and healthcare workflows once implemented.
Conclusion: A roadmap for digital health governance
The EDPB–EDPS Joint Opinion on the Digital Omnibus, although not health specific, has important implications for digital health. 10 It backs reforms that can genuinely help health organisations, such as clearer rules for scientific research, more proportionate breach notification, harmonised DPIA tools and measures to reduce consent fatigue.2–4,6,7,9,10
At the same time, it highlights that changes to the definition of personal data, pseudonymisation, AI and automated decision making, and emergency data access could weaken health data protection and undermine trust in digital health ecosystems.1,2,5,6,10 The EDPB and EDPS caution against using simplification to dilute substantive safeguards or to shift interpretative power away from independent authorities. 10
For healthcare providers, researchers, digital health companies and policymakers, the Joint Opinion offers a practical roadmap: sustainable, innovation-friendly digital health depends on protections that are clear, workable and consistently enforced, not relaxed.1,4,10,12 This requires governance structures that ensure robust pseudonymisation, sound risk assessment, transparent AI governance, proportionate handling of rights requests and ethically grounded data sharing, while engaging in the legislative process so that healthcare-specific needs are taken into account. 10
Ultimately, the debate between the European Commission’s simplification agenda and the EDPB/EDPS’s protective stance cannot be a zero-sum game. This perspective demonstrates that while the regulators’ concerns regarding data security and automated decision-making are highly proportionate to the risks, their approach must not paralyze data utility. As a roadmap for stakeholders, we argue that the path forward requires embracing administrative simplifications—like unified DPIAs and streamlined research exemptions—to foster a competitive digital health market. However, these efficiency gains must be counterbalanced by embedding strict, domain-specific safeguards into the forthcoming European Health Data Space, ensuring that simplification never comes at the cost of the patient’s fundamental right to secure, trustworthy healthcare.
Footnotes
Author contributions
EGB, MR, contributed to the conceptualization and design of this study. MR was the major contributor to the writing of the manuscript and drafted the initial content. EGB and MR revised the manuscript. All authors read and approved the final manuscript.
Funding
The authors received no financial support for the research, authorship, and/or publication of this article.
Declaration of conflicting interests
The authors declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.
