AI and personal data: lawful bases clarified, not removed
One of the most significant developments being discussed is the clarification of lawful bases for AI model training. The Digital Omnibus recognises AI model development as a legitimate interest, particularly for general-purpose models. The proposals seek to provide greater legal certainty around relying on legitimate interests for AI training, subject to safeguards, transparency and the right to object.
Certain conditions remain which include:
- necessity and proportionality should be demonstrated;
- appropriate safeguards should be in place; and
- transparency should be meaningful for individuals whose data is used.
Crucially, GDPR principles such as lawfulness, fairness, transparency, purpose limitation, data minimisation and accountability all continue to apply in full. AI development is not exempt from GDPR, rather, lawful bases are being interpreted more pragmatically.
Streamlining Risk, Accountability and Documentation
Another strong theme is convergence. The Digital Omnibus encourages alignment between:
- Data Privacy Impact Assessments (DPIAs) and AI risk assessments reducing duplicated documentation
- accountability across the AI lifecycle, with clearer allocation of responsibility
- EU-wide approaches to defining and documenting high-risk processing
Where an AI system and general-purpose model are provided by the same entity, oversight would move to the European AI Office, reducing engagement with multiple national authorities. Documentation obligations are also being refined with published EU-wide lists of high-risk activities, standardised templates and a self-assessment model for systems that are low-risk or narrowly constrained.
What should Privacy and Compliance teams be doing?
For privacy professionals, the Digital Omnibus sends a clear signal: compliance expectations could become more risk-sensitive, more integrated and more outcome-driven.
Organisations should understand:
- That the proposal is subject to change and the final article could be end up quite different
- How current policies, programs and procedures are compliant to existing regulatory requirements
- How GDPR, AI Act and digital compliance activities could be streamlined without weakening controls
- whether current AI training and development activities are supported by clear lawful bases, safeguards and transparency
- how accountability and documentation can be simplified while remaining defensible
The Digital Omnibus aims to sharpen responsibility, not remove it.
Status and Next Steps
The Digital Omnibus forms part of a package of legislative proposals which will now be subject to the ordinary legislative procedure. The proposals will be examined and negotiated by the European Parliament and the Council and may be amended before the final text is adopted, probably in mid-to-late 2026 or early 2027.
Timelines for implementation will depend on the progress of the legislative process and the final agreed wording. The GDPR continues to apply in full. However, as mentioned, this is an appropriate time for organisations to assess where the proposals may have operational impact if adopted.
If you have any queries or would like further information, please visit our data protection services section or contact Christopher Beveridge.