Introduction
In November 2025, the European Commission unveiled the Digital Omnibus, a package it presented as a simple piece of housekeeping which forms part of their overarching strategy to simplifying EU policies: less red tape, lower compliance costs — especially for smaller companies (SMEs) — and a tidying-up of the many overlapping digital laws that have piled up over the years. On the surface, that sounds uncontroversial and needed given the amount of regulatory procedures in the last couple of years. But anyone who looks more closely will notice that something far more fundamental is at stake. Tucked inside the “simplification” language are proposals that reshape one of the most sensitive questions in European data protection law: under what conditions personal data may be used to develop and run artificial intelligence.
That is why privacy professionals like me are paying such close attention. The promise was simplification. The substance, it turns out, is something else.
It also helps to understand that the Commission did not table one proposal, but effectively split the work into two tracks. The Digital Omnibus on AI contains targeted amendments to the AI Act itself and has been fast-tracked, because the AI Act’s high-risk obligations were originally due to apply from 2 August 2026 and the institutions wanted to provide legal certainty before that date which could not be achieved due to a lack of expected guidelines provided by the same institutions. The second track (sometimes called the Data Omnibus) amends the GDPR, the ePrivacy Directive, the Data Act and cybersecurity laws, and is moving on a slower timeline.
Both tracks are working their way through the EU’s ordinary legislative procedure, which ends in the so-called trilogue: closed-door negotiations between the Parliament, the Council and the Commission to agree a single final text. As of mid-2026, the picture is mixed. The AI track has been the subject of intense, and at times stalled, trilogue negotiations against the August deadline. However given the circumstanced explained above it was not a suprise that they came to an agreement by end of may this year. The GDPR track on the other hand is less advanced and has not yet reached political agreement. In other words, much of what follows is still a moving target, these are positions and compromise texts, not settled law. That is precisely why it is worth understanding now what is at stake, while the outcome can still be shaped.
Overview of the Digital Omnibus: the GDPR-relevant parts
The full package is sprawling, touching everything from incident reporting to cookie consent. This article deliberately sets most of that aside and focuses on the parts that matter for the relationship between the GDPR and AI. Three provisions sit at the centre of the debate.
The first is a proposed new Article 88c of the GDPR, which would confirm that the development and operation of AI systems can rely on “legitimate interests” as a lawful basis under Article 6(1)(f) GDPR.
The second is a proposed amendment to Article 9 GDPR (a new Article 9(2)(k)), which would create an exception allowing the processing of special categories of data which are sensitive information such as health, religion, ethnicity, political views or biometric data that ends up in AI training sets.
The third sits in the other track: Article 4a of the AI Act, which would permit the deliberate use of special category data specifically to detect and correct bias in AI systems.
A useful way to keep the two data-protection threads apart from the outset: Article 9 is about sensitive data you never wanted but cannot fully avoid in the context of training AI systems or models, while Article 4a is about sensitive data you deliberately need to avoid biases while training AI systems. Same problem, sensitive data meeting AI, approached from opposite directions.
Current discussions
Legitimate interests and the new Article 88c
Anyone who wants to process personal data needs a lawful basis for doing so. One of the options under the GDPR is “legitimate interests.” The Commission’s idea with Article 88c was to state explicitly that developing and operating AI can rest on this basis, accompanied by safeguards: data minimisation, greater transparency, and an unconditional right for individuals to object.
The stated goal was to make AI development easier, to increase legal certainty, and to preserve fundamental rights at the same time. But the central insight from the debate is this: Article 88c confirms that legitimate interests as a legal basis is generally available for AI, yet it changes nothing about the structure of Article 6(1)(f) GDPR. It creates no new lawful basis, it grants no presumption in favour of AI development, and most importantly it leaves the hardest hurdle fully in place: the balancing test, in which the controller’s interests must be weighed against the rights of the people whose data is used.
As a result, several practical problems remain unresolved. The first concerns compliance with the transparency obligations owed to affected data subjects — an obligation that is difficult to meet where personal data is harvested at scale from the open internet, frequently without the willingness or the practical means to discharge the information duties under Article 14 GDPR. A second, more structural problem is left untouched entirely: the reasonable expectations which must be taken into account according to recital 47 GDPR is disregarded in the vast majority of training scenarios. People generally do not expect their data to be used to train models, which weighs against the controller in the balancing test. And the right to object becomes largely theoretical once the data is already baked into a trained model — there is no obvious way to extract one person’s contribution after the fact. In short, Article 88c clarifies, but it does not transform.
How sensitive this area is became clear in negotiations. Although the provision survived into the Council’s working text, it was ultimately rejected. Even a modest “clarification” proved too contested to hold which is a telling signal of how politically charged the link between AI and legitimate interests has become.
Special category data and the new Article 9(2)(k)
This is where the questions become even more fundamental. Special category data is, as a rule, prohibited under Article 9 GDPR and may only be processed in narrowly defined exceptions. AI training runs straight into this rule: anyone processing vast quantities of data inevitably sweeps up sensitive information too, even when they never intended to. Read strictly, that would make large-scale AI training permanently unlawful.
The Commission therefore proposed a new exception. It follows a three-step logic: avoid collecting such data in the first place; if it slips in anyway, erase it; and where erasure would require disproportionate effort, at least protect it and making sure it does not surface in outputs or reach third parties. The reasoning, set out in the accompanying recital 33, is that the law should not disproportionately hinder AI development, but the exception applies only where effective safeguards are in place across the system’s lifecycle, and only where the sensitive data is not actually needed for the purpose.
Here too the criticism is substantial. The exception creates no standalone lawful basis therefore Article 6 still applies fully, which drags the balancing-test problem from the Article 88c debate right back in. There is little practical guidance on how sensitive data can realistically be erased once it is embedded in a trained model. And key terms such as “disproportionate effort” and “effective protection” are left undefined. The worry is that the provision lowers the barriers for AI while significantly relaxing Article 9, without offering enough certainty or genuine protection in return.
The Council’s proposed changes to Article 9
This is the part worth dwelling on, because the Council did not discard the Commission’s idea, it rather tightened it in four concrete ways.
First, and most importantly, it narrowed the scope. The exception would apply only to sensitive data that remains in the dataset incidentally and residually, genuine accidents, not the deliberate processing of sensitive data. The Commission’s text had been looser on this point; the Council closes the door on using the exception as a general licence.
Second, it raised the bar for skipping deletion. Erasure may only be avoided where it is impossible or manifestly disproportionate, and even then the data must be protected against any further processing or use for other purposes.
Third, it added an ongoing duty to check, on a regular basis, that the safeguards actually work, not a one-off fix at the start.
Fourth, it required comprehensive documentation of those measures and their results across the AI system’s entire lifecycle.
Taken together, these changes make the provision noticeably better: more tightly scoped, more accountable, better documented. But the underlying concerns are not fully resolved. There is still no standalone legal basis; the balancing-test problems from Article 88c remain; the vague key terms survive; and the broader question — whether AI is being granted special treatment for sensitive data that comparable processing would not enjoy — has not gone away.
The other direction: bias detection under Article 4a of the AI Act
Where Article 9 deals with sensitive data you would rather not have, Article 4a of the AI Act flips the logic. Here, sensitive data is meant to be processed deliberately and on purpose which means to detect and correct bias in AI systems. The rationale is intuitive: to check whether a system disadvantages a particular group, you need to know and analyse the very characteristics that make the data sensitive. The provision permits this by way of exception, but under strict conditions: there must be no alternative data that works just as well (including synthetic or anonymised data), pseudonymisation and strict access controls must apply, the data must not be passed to third parties, it must be deleted once the bias has been addressed, and the justification must be documented.
Notably, the aim of Article 4a enjoys broad support. Detecting bias and preventing discrimination is an objective few would oppose. The dispute is about something else: the extension. The exception was originally aimed at high-risk AI. The proposal widens it to other AI systems and models, and to deployers. Critics, including the European Data Protection Board and the European Data Protection Supervisor, fear that a well-intentioned, narrowly conceived exception could gradually become usable across a very broad range of systems, and that the strict “necessity” standard might be softened into a looser proportionality test. During negotiations on the AI track, the Council moved to reinstate the requirement that special category data may be processed for this purpose only where it is strictly necessary, an attempt to keep the exception genuinely exceptional. On the other side, there are good arguments for the broader scope: bias occurs outside high-risk AI too, and deployers often have better visibility of real-world bias than providers do. The debate, in other words, is not about whether bias detection should be possible, but about where to strike the balance.
Analysis of the key aspects
Step back from the individual provisions, and a consistent pattern emerges across all three.
In each case, the processing of personal and even sensitive data for AI purposes is made easier, while the genuinely hard questions are left open. Article 88c removes none of the obstacles in the balancing test; it merely confirms a basis that was arguably available anyway. Article 9(2)(k) acknowledges a real technical problem which is that training sets cannot be perfectly purified in advance but leaves the meaning of its own safeguards (“disproportionate effort,” “effective protection”) undefined. Article 4a addresses a real and widely shared concern about discrimination, but its expansion risks normalising the processing of sensitive data well beyond the narrow case it was designed for.
A second thread runs through all three: none of them removes the need for a normal GDPR lawful basis. Article 88c does not create one; Article 9(2)(k) explicitly does not; and Article 4a operates expressly without prejudice to the GDPR. The provisions sit on top of the existing framework rather than replacing it. That is reassuring in principle — the GDPR’s architecture is not being dismantled — but it also means the simplification is, in practice, more modest than the framing suggests. Controllers still have to do the hard analytical work; they simply have clearer permission to begin.
There is also a worthwhile critical observation about the legislative process itself. An initiative launched to reduce complexity has, at least in the short term, generated a great deal of it: parallel timelines, contingency planning, and uncertainty about which version of the rules will ultimately apply. Some civil-society voices have gone further, characterising parts of the package as a quiet rollback of digital rights, while industry has pushed for even more far-reaching simplification. Both reactions point to the same underlying truth: This is not a purely technical exercise, but a substantive rebalancing dressed in technical clothing.
It is worth being candid about what we do not yet know. Because the GDPR track has not reached agreement and the texts are still in motion, the final shape of all three provisions could change. The analysis above is therefore best read as a snapshot of an open debate rather than a verdict on settled law.
Conclusion
So, back to the question in the title: simplification exercise or paradigm shift? The honest answer is both and that is precisely where the tension lies.
On their face, these measures look like clarifications. In substance, they recalibrate the GDPR in favour of AI. Across all three provisions, AI-related processing of personal and sensitive data is made easier, while the questions that matter most — legal certainty and effective safeguards — are left unresolved, and a normal lawful basis remains a precondition throughout. It is a genuine simplification in form, but a quiet paradigm shift in substance. And it is the substance, not the form, that remains contested.
For organisations developing or deploying AI, the practical takeaway is not to assume that the Digital Omnibus hands them an easy new permission. The smarter response is to watch the trilogue outcomes closely, to keep documenting legitimate-interests assessments and safeguards as rigorously as before, and to treat any new exception as an addition to existing GDPR obligations rather than a replacement for them. The framing may be simplification, but the diligence required is anything but simple.
This article reflects the state of the legislative debate as of mid-2026. The Digital Omnibus proposals are still moving through the EU legislative process, and the final texts may differ from the positions described here.
