Digital Omnibus: the joint opinion of the EDPB-EDPS between regulatory simplification and new risks for data protection
Data Governance & Data Protection
On February 10, 2026, the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) adopted Joint Opinion 2/2026 on the proposed regulation known as the Digital Omnibus, through which the European Commission aims to simplify the digital regulatory framework of the Union by intervening, among other things, on the GDPR, ePrivacy Directive, Data Act, and Data Governance Act.
The initiative is driven by the declared goal of rationalizing the European digital rulebook: reducing administrative burdens for businesses and public administrations, improving consistency across different digital regulations, and promoting the development of the data economy.
In their opinion, however, the EDPB and EDPS take a nuanced position. On the one hand, they welcome certain simplification measures – such as the introduction of common models for data breach notifications and DPIAs, or the clearer definition of “scientific research” within the context of the GDPR – which could contribute to greater harmonization across Member States.
On the other hand, the European authorities raise strong concerns about some substantial amendments to the GDPR, which are seen as potentially reducing the level of protection of fundamental rights. In particular, the opinion criticizes the proposal to reframe the definition of “personal data,” noting that a definition constructed negatively – based on a particular entity’s inability to identify the data subject – could significantly narrow the scope of the regulation and create new interpretative uncertainties.
Similar concerns arise regarding the idea of delegating to the Commission the power to adopt implementing acts to determine when pseudonymized data can be considered non-personal: according to the EDPB and EDPS, such a choice would directly impact the material scope of the GDPR and should remain within the interpretative domain of supervisory authorities and case law.
The opinion also addresses some emerging issues in the data economy, including the use of legitimate interest in the development and use of artificial intelligence systems, and the introduction of an exemption for incidental processing of special categories of data during model training. Again, the European authorities urge lawmakers to more precisely define the applicable conditions and strengthen safeguards for data subjects.
Overall, the opinion reflects the image of a structural tension in European digital law: the pursuit of regulatory simplification and economic competitiveness on the one hand, and the safeguarding of the European data protection model on the other.
For organizations, the Digital Omnibus thus represents not only a potential “simplification” intervention but also a shift that could deeply impact the very structure of European data law. In this perspective, the legislative debate in the coming months will be crucial in determining whether the goal of making the European regulatory framework more agile can be reconciled with the need to preserve the current level of protection of fundamental rights.
Contracts concluded through online interfaces and the right of withdrawal
Internet law
With Legislative Decree No. 209 of December 31, 2025, published in the Official Gazette on January 8, 2026, Italy implemented Directive (EU) 2023/2673 of the European Parliament and Council of November 22, 2023, introducing significant changes to the regulation of distance contracts concluded with consumers.
One of the main innovations is the introduction, into the Consumer Code, of a new digital functionality for exercising the right of withdrawal, aimed at making it easier and more immediate for consumers to exercise this right in contracts concluded via online interfaces.
In particular, the legislative decree amends Article 49 of the Consumer Code, strengthening the information obligations of the professional. Before the consumer is bound by a contract concluded online, the professional must inform the consumer not only of the conditions, terms, and methods of exercising the right of withdrawal but also (where applicable) of the existence and location within the interface of the digital tool that allows the exercise of the withdrawal.
The new Article 54-bis of the Consumer Code establishes that, in distance contracts concluded online, the professional is required to provide the consumer with a digital means of withdrawing from the contract directly online. This functionality must allow the consumer to easily enter or confirm at least their name, the identifying elements of the contract from which they wish to withdraw, and the electronic means through which they will receive the confirmation of withdrawal.
The withdrawal function must be clearly identifiable within the digital interface and marked with an unequivocal label, such as “withdraw from the contract here” or an equivalent phrase, remain available for the entire period during which the right of withdrawal can be exercised, and be easily accessible for the consumer.
Once the withdrawal statement has been completed, the consumer must be able to submit it via a confirmation function labeled “confirm withdrawal” or equivalent. After submission, the professional is required to send the consumer, without undue delay, an acknowledgment of receipt on a durable medium containing the text of the statement and the date and time of transmission. The right of withdrawal is considered exercised in a timely manner if the online statement is sent by the consumer before the expiration of the deadline for its exercise.
In light of the new regulation, businesses operating in e-commerce must update their digital interfaces and contractual documentation, ensuring the implementation of a digital withdrawal functionality that complies with the requirements set out in the new Article 54-bis of the Consumer Code and updating the pre-contractual information and general terms and conditions of contract to specifically address the new withdrawal exercise method.
The new regulation entered into force on January 23, 2026, and requires, for many operators, a revision of e-commerce interfaces and related digital processes for managing relationships with consumers.
Monitoring of workers and processing of personal data: the Garante intervenes on Amazon
Data Protection
With Provision No. 10224096 of February 24, 2026 (the “Provision”), the Italian Data Protection Authority (Garante) imposed a fine on Amazon following a joint inspection with the National Labor Inspectorate, contesting the methods of collecting and managing personal data of workers deemed incompatible with the principles of Regulation (EU) 2016/679 (“GDPR”).
The Authority examined specific organizational systems implemented at the company’s logistics centers, finding that the collection and organization of workers’ personal data exceeded the scope necessary for managing the employment relationship. In particular, such data included information related to health status, exercise of union rights, and aspects of employees’ personal and family lives. These data fall into the special categories defined in Article 9 GDPR and are subject to enhanced protection, allowing their processing only under specific legal grounds and with adequate safeguards.
According to the Authority, the availability of such information within company systems led to organizational structures and classifications of workers that were essentially akin to «registration» systems, with the resulting risk of creating individual dossiers that could impact employment relationship management, staff evaluations, and the imposition of disciplinary measures. In this context, the Garante identified violations of the fundamental principles of the European data protection law, particularly the principles of data minimization, limitation of purpose, and proportionality of processing.
The Provision particularly highlights the risk that digital systems employed for organizational or personnel management purposes could evolve into tools for the systematic collection of data beyond the declared purposes. In the workplace context, this risk is exacerbated by the structural asymmetry between employer and employee, which necessitates a particularly rigorous examination of the legality, necessity, and proportionality of the processing activities.
The decision is especially relevant for companies that manage their workforce with advanced technological systems, such as workforce management tools, HR analytics platforms, or performance monitoring systems. The integration of various corporate information sources – such as HR systems, security tools, operational platforms, and internal reporting channels – can create complex information ecosystems in which data relating to workers are aggregated, correlated, and made accessible across multiple organizational levels. Without proper data governance and stringent access, usage, and retention criteria, such architectures can result in excessive or non-compliant processing, violating the principle of necessity.
The Provision marks an additional signal of the growing attention from supervisory authorities towards digital monitoring and data analysis applied to the workplace. Specifically, the Garante reaffirms that the use of advanced technologies in personnel management cannot lead to systematic profiling of workers or justify the collection of data that is not strictly relevant to the employment relationship.
From a compliance perspective, the case highlights the importance of designing company systems based on the principles of privacy by design and by default, particularly when processing involves employee data or automated processes for performance and work organization analysis. In these contexts, a central role is played by the prior assessment of risks to the rights and freedoms of data subjects, using tools such as data protection impact assessments, which help identify and mitigate potential issues arising from the use of monitoring technologies or data analysis tools.
Overall, the Garante’s Provision serves as a significant reminder for data-driven companies to rigorously check the ways in which workers’ data are collected, organized, and used within corporate digital systems, ensuring that each processing activity is strictly necessary, proportionate, and adequately justified from a legal standpoint.
Electronic Health Record 2.0: countdown to the March 31, 2026 deadline
Data protection & med regulatory
March 31, 2026 marks the final stage in the evolution of digital healthcare in Italy. By this date, the last phase of the full implementation of the Electronic Health Record (“EHR 2.0”), established by Article 12 of Legislative Decree No. 179 of October 18, 2012, must be completed in line with the implementation schedule. The initiative aims to revolutionize the management of clinical data and the relationship between healthcare facilities, professionals, and patients.
The implementation schedule for the functionalities of EHR 2.0 has been structured as follows, according to Annex D of the Ministry of Health Decree of September 7, 2023, modified by the Ministry of Health Decree of December 30, 2024:
- Phase I (by March 31, 2025): Focused on the right to automatic masking between prescriptions and related documents, as well as the registration of operations to allow the patient to view them;
- Phase II (by September 30, 2025): Includes the identification of the patient through the National Patient Registry (ANA), the creation of the Synthetic Health Profile, and the masking of «highly protected» data;
- Phase III (by March 31, 2026): Marks the complete population of the EHR with all the contents specified in Article 3 of the Ministry of Health Decree of September 7, 2023 (including reports, drug prescriptions, medical records, emergency department reports, etc.), to be entered within five (5) days of service delivery, including services provided outside the National Health Service (SSN).
Obligations for healthcare facilities and professionals
All private healthcare facilities (accredited or authorized) and independent healthcare professionals are subject to the same obligations as public facilities for the population of the EHR as required by the Ministry of Health Decree.
Among the main actions to take in preparation for the full implementation of EHR 2.0 are:
- timeliness: population of the EHR 2.0 with the required data (reports, medical records, prescriptions, etc.) must occur within five (5) days of the service being provided;
- interoperability: documents must be developed according to national technical standards to ensure uniform consultation within the EHR 2.0;
- data protection and consent collection: healthcare professionals are required to update their privacy notices regarding the processing of patients’ personal data, informing them that communication to the EHR 2.0 is a legal obligation. They must obtain the patient’s consent for accessing the record for healthcare, prevention, and prophylactic purposes and ensure the right to mask the documents of their patients.
In conclusion, the imminent deadline calls for rapid technological and organizational adjustments. Non-compliance not only hampers the path toward an accessible, data-driven healthcare system but also exposes data controllers to risks related to violations of legal obligations and data protection regulations, particularly concerning health data, which is highly sensitive.
Non-existent jurisprudential citations: the Syracuse Court sanctions the uncritical use of generative artificial intelligence by the defense
Artificial Intelligence
With judgment no. 338 of February 20, 2026, the Court of Syracuse condemned the plaintiff to aggravated procedural responsibility under Articles 96, paragraphs 3 and 4, of the Italian Civil Procedure Code (c.p.c.) for introducing four completely non-existent jurisprudential citations into the proceedings, attributing this conduct to the unverified and uncritical use of generative artificial intelligence tools.
In particular, the Court of Syracuse noted that none of the jurisprudential precedents cited by the plaintiff corresponded to the actual content of the referenced judgments: in two cases, the rulings concerned completely unrelated matters, while in the other two, the citations were simply non-existent.
To conclude that the plaintiff had uncritically used content generated by artificial intelligence tools, the Court proceeded by exclusion: first, it dismissed the possibility of a malfunction in professional databases; second, it excluded mere clerical error, since the cited legal principles had been invented from scratch; finally, it ruled out deliberate fabrication of content, as this would expose the professional to disciplinary consequences disproportionate to any defensive advantage. The only remaining explanation, according to the Court, and the most consistent one, was the use of a generative language model without subjecting the outputs to any process of source verification. On this basis, the Court of Syracuse, citing the «common knowledge» about the inferential and probabilistic nature of Large Language Models (which are subject to hallucination phenomena), qualified the uncritical use of such tools without verification against official databases as gross negligence under Article 96 c.p.c.
It is important to remember that the same Law No. 132/2025 on artificial intelligence requires professionals to use such tools exclusively to support their activities, thereby necessitating a process of control and verification on their part.
The Syracuse ruling is not isolated. The recent case law shows differing approaches: on one hand, rulings that have applied Article 96 c.p.c. in cases of acts drafted with the support of artificial intelligence containing allegations completely unrelated to the thema decidendum or irrelevant citations; on the other hand, decisions that have excluded sanctions when the use of artificial intelligence merely confirmed an already established line of defense and was not aimed at fraudulently influencing the judge.