Also available in Dutch / Nederlands

(EU Charter of Fundamental Rights, Article 8(2); GDPR, Article 12(5))

Academic researchers relying on “data donation” are urging their government, the Council of the European Union and the European Parliament to vote against a highly contested amendment in the proposed Omnibus Act.

Key takeaway

This proposed act concerns a change to Article 12(5) GDPR which would allow controllers to refuse or charge for access requests if these pursue purposes other than data protection. The proposal would lead to a substantive change to how the right of access operates in practice. It not only weakens a citizen’s fundamental right to be informed about the processing of their personal data (Article 8(2) EU Charter of fundamental rights), it also undermines data donation-based research by academics, investigative journalists and many others.

In open letters, academic researchers1 and policymakers2 warn that the proposal may obstruct forms of independent research that relies on voluntary data donation by individuals. Studies on digital well-being, political polarisation or platform-driven behavioural harms often depend on individuals exercising their access rights and sharing results with researchers. As such research typically serves broader public-interest and academic research purposes rather than narrow data protection objectives, controllers could use the amended language to refuse access or to charge extra (something researchers cannot afford in most cases), thus effectively limiting external scrutiny of, for instance, large online platforms3.

Why is the right of data access important?

As more and more information about people is stored in databases, a growing number of people are exercising their right of access for individual or broader societal goals. The right of access is widely used in for instance employment contexts to support claims in for instance labour, credit scoring or medical disputes4. Access has also served broader public interests: research participants voluntarily donate personal data they received after an access request to academic researchers for various research purposes; for instance, to research the influence of social media on child well-being, AI use, the dissemination of digital health data, or the manipulation of democratic processes in social media campaigns during election campaigns.

What is at stake?

At this moment, access requests are not purpose specific. The Omnibus Act will, however, only permit access requests if the request serves a data protection purpose (such as rectification, erasure, or objection). This sharply departs from established EU court case law confirming that individuals may legitimately exercise their access right without having to provide any particular motivation5. In the same vein, research based on donated data will no longer be realistic if the proposal is adopted. Controllers could easily categorise requests outside data protection purposes as “abusive”, as the proposal will lower the bar for controllers to reject a request by invoking an “incompatible purpose” or a “reasonable suspicion of excessiveness”6. Notably, the Commission has not provided any evidence that the right of access is currently being abused7. The proposed restriction therefore lacks necessity and proportionality. Furthermore, the restriction of legitimate data donation practices might impede academic freedom as enshrined in Article 13 of the EU Charter of Fundamental Rights.

Conclusion

The Omnibus Regulation should focus on genuine, demonstrable problems such as clarification, simplification, and increasing consistency in digital legislation, and should leave Article 12(5) GDPR intact. The Commission does not provide any compelling reason why it interferes with the fundamental right of access. True innovation thrives on transparency and evidence, not on shielding incumbents from scrutiny. This amendment would protect platform opacity at the expense of legitimate academic research purposes, policy insights, and informed citizenry that genuine European competitiveness requires.

  1. Open Letter: The amendment to Article 12, paragraph 5 GDPR in the Omnibus Proposal Undermines Evidence-Based Policymaking, Data Access Collaboratory, link; Skiotyté, G and Sadauskaité, A (2026) A Digital Omnibus: identifying interlinks and possible overlaps between different legal acts in the field of digital legislation to streamline tech rules, Study requested by the EU Parliament IMCO committee, February 2026, link; NOYB (2026) Digital Omnibus. First analysis of Select GDPR and ePrivacy Proposals by the Commission, version 3.0, link

  2. EDPB-EDPS joint opinion 2/2026. On the Proposal for a Regulation as regards the simplification of the digital legislative framework (Digital Omnibus) adopted 10 February 2026, link; European Digital Rights, Beyond simplification. How the digital omnibus weakens core GDPR safeguards (position paper) 2026, link

  3. Skiotyté, G and Sadauskaité, A (2026), see note 1. 

  4. In the context of credit scoring, see OpenSchufa: The campaign is over, the problems remain – what we expect from SCHUFA and Minister Barley (2019) Algorithm Watch and Open Knowledge Foundation Deutschland, link; in the context of labour see Gellert R et al., The Ola and Uber judgments: for the first time a court recognises a GDPR right to an explanation for algorithmic decision-making (2021), Blogpost Digital Legal Lab, link; for medical purposes see Skiotyté, G and Sadauskaité, A (2026), see note 1. 

  5. Judgment of the Court of Justice of 26 October 2023, Case C-307/22, ECLI:EU:C:2023:811, Paras 38 and 43; Mahieu, R. (3 December 2025). The Ominous Omnibus: Dismantling the Right of Access to Personal Data. Verfassungsblog, link; NOYB (2025), Digital Omnibus. First analysis of selected GDPR and ePrivacy proposals by the Commission (Version 1.0). 

  6. Celeste, E. (9 December 2025) Digital Omnibus: quo vadis? Dublin City University, link

  7. Skiotyté, G and Sadauskaité, A (2026), see note 1.