EU Privacy Regulators and Civil Society Push Back as Digital Omnibus Moves to Weaken GDPR and Delay AI Act Protections
The EU Commission's Digital Omnibus proposes narrowing GDPR's personal data definition and delaying AI Act high-risk rules by 16 months. Official data protection authorities and privacy groups are opposing the changes.
Overview
The European Commission’s Digital Omnibus package—a sweeping legislative proposal to streamline EU digital regulations—is meeting coordinated resistance from both official data protection authorities and civil society groups. Introduced in November 2025, the package proposes targeted amendments to the General Data Protection Regulation, the EU AI Act, the ePrivacy Directive, and related laws, with the stated goal of cutting compliance costs and stimulating European competitiveness. On February 10, 2026, the bloc’s two main data protection bodies issued a formal joint opinion raising significant objections to several provisions. Privacy advocacy organizations have gone further, calling the proposal a wholesale retreat from the principles that made the GDPR globally influential.
What the Commission Is Proposing
The Digital Omnibus targets two major legal frameworks in ways that have drawn the most scrutiny.
First, the package proposes narrowing the definition of “personal data” under GDPR Article 4. Under the existing framework, personal data is broadly construed: if a piece of information could reasonably be used to identify an individual, it is covered. The omnibus would shift this to an entity-specific test, where information no longer qualifies as personal data for a given organization unless that organization itself has “means reasonably likely to be used” to re-identify the person. As analyzed by the IAPP, this reflects recent Court of Justice of the EU rulings—but would effectively allow the same data to receive different levels of protection depending on who holds it.
Second, the proposal would allow AI training to rely on the GDPR’s “legitimate interest” legal basis—a more flexible standard than the explicit consent or careful documentation typically required for large-scale personal data processing. This change is framed as removing an ambiguity that made European AI development harder to execute.
On the AI Act side, the package delays enforcement of high-risk AI system provisions by up to 16 months. Under the original schedule, systems classified as high-risk under Annex III—covering AI used in employment, education, and access to essential services—were due to face full compliance obligations in August 2026. The omnibus would push that deadline to December 2027. Systems under Annex I (higher-risk embedded AI) would move from August 2027 to August 2028. The Commission says this reflects the time needed for technical standards to mature.
Official Regulators Object
On February 10, 2026, the European Data Protection Board and the European Data Protection Supervisor issued their joint opinion on the Digital Omnibus AI proposals. The bodies offered measured support for some streamlining efforts while objecting to provisions they say would erode accountability.
According to the EDPS press release, the authorities stated: “Administrative simplification must not, however, lower the protection of fundamental rights.” The opinion specifically warns that deleting mandatory registration requirements for high-risk AI systems would “significantly undermine accountability” and create incentives for providers to falsely classify their systems to avoid obligations. The bodies also object to proposed changes that would shift AI literacy responsibility away from deploying organizations and toward government bodies.
In a separate joint opinion issued in January on the GDPR provisions, as covered by noyb, the data protection authorities rejected the narrowed personal data definition outright, stating it would “go far beyond a targeted modification” and open loopholes that courts have previously closed. They also opposed restricting the right of data access to “data protection purposes” only, a change that would bar its use in journalism, research, and other legitimate contexts.
Civil Society Warnings
Privacy advocacy groups have issued sharper assessments.
The Electronic Frontier Foundation describes the package as creating “‘complification’ rather than simplification,” arguing that entity-specific data definitions generate legal confusion that harms smaller players while benefiting large platforms able to structure themselves around the new rules. As analyzed by the EFF, the legitimate-interest provision for AI training is particularly concerning because it permits sensitive personal data—including health and demographic information—to be used in AI systems under vague safeguards that would not apply to non-AI processing of the same data.
European Digital Rights (EDRi) describes the omnibus as “a massive reopening of EU’s core digital protections,” and has called on the European Council and Parliament to reject the proposals. According to EDRi, the package also weakens automated decision-making rules and reshapes ePrivacy device access standards through provisions that have received less public scrutiny.
Max Schrems, whose litigation has repeatedly shaped EU data protection law, stated that the changes “happened without proper procedures and are not based on evidence but rather on fear and industry claims,” as reported in previous noyb coverage.
What Happens Next
The Digital Omnibus is now in trilogue—the negotiating process involving the European Commission, the European Parliament, and the Council of the EU. Both the Parliament and Council must approve the final text before it becomes law, with adoption expected by mid-2026. The official objections from the EDPB and EDPS carry legal weight as formal advisory opinions, though they are not binding on legislators. Whether they shift the final text toward stronger safeguards remains to be determined.