knowledge 19 January 2026 |

Digital Omnibus Regulation – Missed Opportunity

The EDPB’s agenda for its monthly meeting in January 2026 includes discussion of the EDPB’s position on the Draft Digital Omnibus Regulation that was published by the European Commission on 19 November 2025. This eagerly awaited draft sets out proposed amendments to a range of EU laws, including the GDPR, as part of the EU’s simplification agenda. Reaction to it has been understandably mixed. It contains proposed amendments that will be the subject of much discussion, including the EDPB’s comments once they are finalised, but left many stakeholders disappointed with potential amendments that it does not include.

One of the missed opportunities notable by its absence from the Draft Digital Omnibus Regulation is a proposal to amend data subjects’ rights in respect of complaints to data protection authorities (“DPA”) and the associated obligations of DPAs.

Data subjects’ rights include the right under Article 77 to make a complaint to a DPA and the right under Article 78(2) to “an effective judicial remedy where the [competent DPA] does not handle a complaint or does not inform the data subject within 3 months on the progress or outcome of the complaint”. This right and how it has been interpreted has a material impact on the ability of DPAs to manage their resources to have the maximum impact. It also enables data subjects to require organisations to incur significant time and expense in responding to DPAs about minor or spurious complaints.  The rights to complain to a DPA and to have a complaint ‘handled’ are often weaponised and occasionally abused by complainants in connection with disputes relating to other matters.

The stated goal of the Draft Digital Omnibus Regulation is to optimise the application of EU laws “to bring immediate relief to businesses, public administrations, and citizens alike, to stimulate competitiveness” and to “ensure that compliance with the rules comes at a lower cost, delivers on the same objectives, and brings in itself a competitive advantage to responsible businesses”.  Bearing this in mind, it is a shame that the GDPR complaints regime does not appear to be in line for an overhaul.

The rights to complain to a DPA and to an effective judicial remedy where a DPA does not handle a complaint or inform the complainant within 3 months on the progress or outcome set out in Article 78 are linked to Article 57(1)(f), which specifies that the tasks of a DPA include to ‘handle’ complaints made to it and investigate them, to the extent appropriate. The CJEU considered the extent of a DPA’s obligations regarding ‘handling’ complaints under the GDPR, interpreted in light of the Charter of Fundamental Rights of the EU (and particularly the right to an effective judicial remedy under Article 47 of the Charter), in the Schrems II case and held as follows:

In EDPB Document 02/2021 on SA’s duties in relation to alleged GDPR infringements, the EDPB reflected on the Schrems II decision and other relevant case law and concluded that pursuant to Article 57(1)(f), DPAs have “a duty to handle each and every complaint submitted to them and to investigate the subject matter of the complaint to the extent appropriate”.  The EDPB acknowledged that there can be some variation between DPAs as to how they handle complaints in light of the principle of national procedural autonomy, but emphasised the EU law principles require a degree of consistency.

The EDPB concluded that “for every admitted complaint - which is not withdrawn – [DPAs] must thus provide an outcome specifying the facts and legal considerations for e.g. rejecting the complaint or dismissing the complaint i.e. not investigating it further, with a view to make it a legally attackable act”.

This interpretation of the requirements of the GDPR regarding the handling of complaints by DPAs is not unreasonable based on the current wording of the GDPR. However, it results in DPAs having to incur a level of time and effort in dealing with complaints, even minor or trivial ones, that is arguably unnecessary, as a matter of EU constitutional law. 

Article 47 of the Charter does provide that everyone whose rights and freedoms under the Charter are violated has the right to an effective remedy before a tribunal. However, this does not mean that anyone whose fundamental rights are violated must have not only a right to complain to a competent authority but also a right to a judicial remedy where their complaint is not ‘handled’ or they are not informed of progress or an outcome within 3 months. Like any other right provided for by the Charter, the right to an effective judicial remedy may be restricted, provided that the restrictions: (a) are provided for by law and adopted for reasons of public interest recognised by the EU: (b) are necessary and proportionate; and (c) respect the essence of the right. Articles 77 and 78 of the GDPR do not explore the limits could apply to the right to an effective judicial remedy in the context of complaints to a DPA. Instead, they provide for a complaints regime that is pro-individual and which imposes a substantial burden on DPAs and, indirectly, on organisations who are the subject of complaints.

The European Council’s brief for the European Commission in relation to the Digital Omnibus Regulation included to “swiftly bring forward further ambitious simplification packages among others […] on digital”. It is unfortunate that the European Commission has not focused on the GDPR complaints regime in this context.