EU Digital Omnibus Sparks GDPR Privacy Fight as Council Drops Personal Data Redefinition

Summary

The EU Council has removed the European Commission's proposed redefinition of "personal data" from the Digital Omnibus package, blocking a change that privacy advocates warned would let companies bypass GDPR protections when training AI systems. The compromise text, circulated by the Cypriot presidency in February 2026, strips out the most controversial amendment while leaving other GDPR modifications on the table - including a new "legitimate interest" basis for AI development that European Digital Rights (EDRi) says still threatens data subject rights.

Key Details

The European Commission introduced the Digital Omnibus in November 2025 as a competitiveness package to "simplify" the AI Act, GDPR, and other data laws. The original proposal added a paragraph to GDPR Article 4(1) stating that information "shall not be personal for a given entity where that entity cannot identify the natural person." Privacy regulators pushed back hard. The European Data Protection Board and European Data Protection Supervisor issued Joint Opinion 2/2026, warning the revised definition "would result in significantly narrowing the concept of personal data" and should not be adopted.

The Council agreed. Its leaked compromise text eliminates the redefined personal data provision entirely. But several other GDPR amendments survived the cut. The package still proposes modifications to transparency obligations, changes to how individuals exercise data subject rights, new rules for sensitive data use in AI systems, and a specific legitimate interest basis that companies can invoke when developing or operating AI.

Amnesty International published an analysis on April 2, 2026, arguing the remaining proposals "cut holes in the EU's flagship data protection law" and make it easier for companies to harvest personal data for AI training. The organization noted Amazon alone spent €7 million on EU lobbying in a single year. EDRi called for complete rejection of the Digital Omnibus, stating that "simplification should focus on improving enforcement" rather than reducing corporate obligations.

Under the surviving provisions, companies could refuse data removal requests from AI systems if compliance requires "disproportionate efforts" - a term critics say is too vague to prevent abuse. Controllers could also reject data access requests deemed for "purposes other than the protection of their data."

Why This Matters

The Digital Omnibus battle sets the direction for global data privacy standards. Because GDPR serves as the baseline for privacy laws worldwide - including frameworks that influenced CCPA and state-level U.S. laws - any weakening of EU protections creates downstream pressure on consent and compliance standards everywhere. The new legitimate interest basis for AI development means businesses collecting personal data through consent forms, registrations, and intake workflows face shifting rules about how that data can later be reused.

The European Parliament must still weigh in before any changes become law. The EDPB's forthcoming pseudonymisation guidelines will shape how organizations interpret safeguards in the interim. Companies operating across EU and U.S. jurisdictions now face compliance requirements moving in opposite directions: U.S. states are tightening consent rules while the EU debates loosening them for AI.

For businesses managing consent forms and data collection workflows, this regulatory uncertainty makes documenting clear, specific consent language more critical than ever - particularly when personal data may later be processed for purposes beyond the original collection.

Sources

• Amnesty International - How EU proposals to "simplify" tech laws roll back our rights (April 2, 2026)
• European Digital Rights (EDRi) - The Digital Omnibus: A Step Back from the Brink, the Risks Remain (March 17, 2026)
• IAPP - EU member states' leaked Digital Omnibus compromise proposal eliminates revised GDPR definition of 'personal data'