News

Digital Omnibus: AI is nearing the finish line – is EU data law heading down the wrong track?

18.06.2026

The provisional agreement reached on 7 May 2026 between the European Commission, the European Parliament and the Council of the European Union regarding the Digital Omnibus on AI falls short of its stated aim of promoting innovation. Against this backdrop, the yet-to-be-reached agreement on the Digital Omnibus (on data law) is of paramount importance for Europe’s attractiveness as a business location. Rather than rushing to close a deal, the EU should seize this opportunity to enact genuine reforms that avoid stifling AI innovation at an early stage.

Few changes made under the Digital Omnibus on AI

The amendments to the AI Act envisaged under the Digital Omnibus on AI are in principle to be welcomed, but they do not provide businesses with sufficient relief from administrative and compliance burdens:

Deadlines for high-risk AI systems postponed:

The original dates for the rules on high-risk AI to come into force – 2 August 2026 for the first group of obligations and 2 August 2027 for the second group (Article 113 of the AI Regulation) – are being postponed. Accordingly, the rules will apply

(i) for high-risk AI systems within the meaning of Article 6(2) of the AI Act read in conjunction with Annex III only as from 2 December 2027, and

(ii) for high‑risk AI systems that under Article 6(1) of the AI Act are integrated as safety components in products only as from 2 August 2028.

The reason for the postponement is the Commission’s delay in implementing the harmonised standards which are intended to set out the high-risk obligations in more detail.

Other relevant changes:

In addition, the following adjustments are to be made:

  • AI systems listed in Annex I, point 1 that fall within the scope of the Machinery Regulation will no longer be covered by the AI Act, but instead be governed by sector‑specific rules under the Machinery Regulation;
  • the statutory legal ground that permits the use of sensitive data for bias correction under Article 10(5) of the AI Act is to be extended to providers and operators of all AI systems – instead of only those of high‑risk AI systems – and will in future be set out in Article 4a of the AI Act;
  • AI systems used to generate sexual deepfakes (nudifier tools) or to depict sexual abuse of children (CSAM) are to be prohibited as from December 2026;
  • the obligation to implement AI literacy under Article 4 of the AI Act is to be downgraded to a mere best‑efforts obligation; and
  • the applicability of the obligation to label AI‑generated content in a machine‑readable format under Article 50(2) of the AI Act is to be postponed by four months to 2 December 2026, where the AI system had already been placed on the market before 2 August 2026.

Although these changes are welcomed in practice, it remains unclear how a primary focus on postponing the application of various provisions is supposed to bring about genuine relief for businesses and promote the EU’s capacity for innovation.

The Digital Omnibus – a last chance for a real change of course?

In order to achieve measures that genuinely promote innovation – unlike in the case of the Digital Omnibus on AI – the EU should avoid rushing into a compromise on the Digital Omnibus in the field of data law. Instead, it should carefully examine how businesses can actually be relieved of regulatory burdens and then implement measures that deliver a tangible easing of those burdens.

This is particularly true given the complexity of the project as the general Digital Omnibus affects a wide range of legal acts. Among other things, the Data Act is to undergo numerous adjustments as part of a consolidation of EU data law: the Data Governance Act, the Regulation on the free flow of non-personal data and the Open Data Directive are to be repealed and, in part, incorporated directly into the Data Act.

Another central element is the reduction of red tape in relation to reporting obligations: the risk threshold for reporting personal data breaches is to be raised, and a single EU-wide reporting channel (“single entry point”) is to be created. Through this interface, companies will in future be able to report breaches in a uniform way under the GDPR, the NIS 2 Directive, DORA, the eIDAS Regulation and the CER Directive.

Possible changes to the GDPR are attracting considerable attention from both policymakers and legal scholars. Above all, the failure to make meaningful adjustments to the GDPR has the potential to exert significant effects on the AI sector.

This concerns proposals to amend the definition of personal data, the legal basis for AI training and the rules on cookies. There are said to be substantial differences between the position of the European Commission in its proposal of 19 November 2025 and the still unpublished compromise text of the Council of the European Union of 10 June 2026. Mediation efforts under the Cypriot Council Presidency have so far not led to any decisive progress. The Commission even fears that the proposed amendments could undermine the central objectives of simplification and legal certainty.

No real reform of the definition of personal data?

The weakness of the Digital Omnibus as a vehicle for reform is particularly evident in the planned amendment of the definition of personal data. The Commission’s proposal to recast Article 4(1) GDPR and to base identifiability on a relative understanding of identifiability is in principle the right approach. In future, the decisive question is to be whether the specific controller, taking account of the means reasonably likely to be used by it, is in fact in a position to identify a natural person. To complement this, the proposal provides in Article 41a GDPR that the Commission will, by means of implementing acts, lay down criteria for this identifiability.

However, the Council rejects this approach in its current compromise text. Instead of Article 4(1) GDPR, a new Article 29a GDPR is to introduce an explicit provision on the conditions for pseudonymisation.

This means that a key opportunity for reform is in danger of being wasted. The codification of the conditions for pseudonymisation (which is reasonable in itself) does not remove the existing legal uncertainty regarding the scope of the GDPR, which the Commission sought to resolve by amending Article 4(1) of the GDPR. This is a significant obstacle, mainly for innovation-driven data projects: as long as data protection liability continues to be based on abstract re-identification risks rather than on actual controllability, data-driven innovation in Europe will continue to be held back.

No legal certainty for AI training?

Another issue of key importance for Europe’s capacity to innovate is the question of the legal basis on which personal data may be processed for the training of AI models. In this regard, the Commission initially put forward, in the form of Article 88c GDPR, a proposal that is in principle to be welcomed as a way of reducing existing legal uncertainty. Under that proposal, the processing of personal data for AI training could expressly be based on a legitimate interest under Article 6(1)(f) GDPR, provided that the overriding interests of the data subjects do not conflict with such processing. Supported by safeguards such as a right to object, this would at least partially reduce the current, in practice barely workable, reliance on consent solutions.

By contrast, the deletion of the proposed Article 88c GDPR, as envisaged by the Council of the European Union, would send the wrong signal. Instead, the Council’s position relegates the substance of that proposal to a recital only (Recital 33a), and even there in a weaker form. Rather than providing the urgently needed legal certainty for AI training, the EU would thus refrain from making a clear choice in favour of innovation‑friendly framework conditions. Yet, for large‑scale investment in European AI infrastructure, it is essential that data protection foundations are designed in a reliable and practical way. If the EU fails to provide this clarification, its regulatory framework once again risks producing above all one thing: uncertainty, reluctance to invest and a further competitive disadvantage for Europe as a location in the global AI race.

Tracking technologies / cookies

With regard to tracking technologies (especially cookies), the Commission’s proposal also sets out a reform package that, at first glance, promises long‑overdue relief. The very idea of transferring key ePrivacy rules into the GDPR is to be welcomed in principle because it opens up the prospect of a more uniform and practicable legal framework. The current split between the ePrivacy Directive and the GDPR is a core problem: while the ePrivacy Directive generally requires prior consent simply for setting or reading cookies, this model leaves almost no room in practice for the GDPR’s risk‑based system to operate for the subsequent processing of the data. This mainly encourages a flood of banners and “consent fatigue”.

In this respect, the Commission’s proposal for Article 88a GDPR pointed in the right direction as it aimed to extract the cookie rules from the ePrivacy Directive and integrate them into the GDPR. The additional exemptions that were envisaged, for example for a website’s own audience measurement or system security, as well as a user‑friendly one‑click way to reject cookies, were likewise expected to make things noticeably easier in practice. Nevertheless, this approach still does not go far enough. On the one hand, it would provide a remedy only for personal data, and on the other, for purely technical cookies, it would structurally continue to rely on a consent‑centred model. A genuine reform would have to make clear that the entire structure of the GDPR, with all its legal bases, can apply to the setting and reading of cookies, instead of once again effectively clinging to an outdated special regime.

The proposed Article 88b GDPR on browser‑level consent is another example of the fundamental problem with this approach. Under this provision, users would be able to set their cookie preferences centrally in the browser, and website operators would in principle have to respect these machine‑readable signals. However, the proposal rightly meets with substantial resistance because it does not solve the existing problems but rather exacerbates them. A browser‑ or even operating‑system‑level, uniform consent signal can hardly meet the requirements for informed and specific consent because when users make that choice they do not yet know the concrete context of each individual website, its purposes or its data‑processing operations. At the same time, shifting the collection and transmission of consent to just a few browser and operating system providers would concentrate control in their hands and create both technical and competition risks. Added to this would be considerable implementation costs for website operators, as well as potentially massive losses for advertising-funded digital business models.

To this extent, the Council’s predominantly critical stance on moving the ePrivacy rules into the GDPR is, at least initially, an expression of justified criticism of the Commission’s proposal: simply relocating or “technologising” the existing consent model is not enough. Yet the Council’s compromise proposal likewise falls short of a genuine structural reform. What is needed instead is a coherent legal framework in which the placing of cookies and the subsequent data processing are treated as a single functional process, and in which the legal basis is determined in a context‑specific and risk‑appropriate manner. This is the only way to reduce unnecessary requests for consent, effectively combat consent fatigue and at the same time create conditions that support innovation and provide legal certainty.

Conclusion

Taken as a whole, it is clear that the Digital Omnibus is far more than just a technical reform project. It serves as a litmus test of whether the EU is prepared to adapt its data legislation to the realities of a data-driven economy. While the Commission, at least in specific areas, seeks to provide long‑overdue refinements and more workable rules, the Council’s current draft largely continues to preserve the status quo in a conservative fashion. This risks squandering yet another opportunity for Europe as a location for innovation. Especially from an application‑oriented perspective, there are strong arguments for pursuing the Commission’s modernising approach more decisively. In this way, it would be possible to strengthen legally certain support for innovation without fundamentally calling into question the level of protection afforded by the GDPR.

Your contacts

Pascal Schumacher
Pascal Schumacher+49 30 20942030
Marieke Merkle
Marieke Merkle+49 89 28628227
Steffen Sundermann
Steffen Sundermann+49 30 20942221

AI & Robotics
Cybersecurity
Data Economy & Data Protection
Digital Content
Digital Markets & Services
Outsourcing & Cloud
Software & IT Projects

Share

Well
informed

Subscribe to our newsletter now to stay up to date on the latest developments.

Subscribe now
Show all

Insights

Atomium Brussels
News

Digital Omnibus: AI is nearing the finish line – is EU data law heading down the wrong track?

18.06.2026
cheerful manager female entrepreneur
News

Europe on the way to technological sovereignty? The EU’s Tech Sovereignty Package

11.06.2026
urban commuters in the morning
News

More EU-level steering, new selection criteria, new obligations: the EU proposal on the 2 GHz MSS band and its implications from 2027 onwards

10.06.2026
Female Robotics pulsed
News

Cybersecurity in the Supply Chain: Components and Spare Parts under the Cyber Resilience Act – what Economic Operators need to consider until 11 December 2027

26.05.2026
female holding a 3d drone pulsed
News

European Commission updates antitrust rules for technology transfers (including data licensing)

20.04.2026
Digital pen tablet Contractor Compliance Check
News

Act implementing the Consumer Credit Directive 2023 passed

17.04.2026
people on glass staris
News

Implementing legislation for "withdrawal button" published: section 356a of the German Civil Code to enter into force on 19 June 2026

13.03.2026
Update Commercial
News

Update Commercial 2026

19.02.2026
European flags
News

Update Commercial 2026: Sales and distribution-related antitrust law

19.02.2026