The proposal for the “Digital Omnibus” has sparked considerable debate among AI and privacy experts. The Digital Omnibus is a legislative package introduced by the European Commission that amends several digital laws simultaneously, including the General Data Protection Regulation (GDPR) and the Data Act.
The proposal shows that the European Commission intends to amend the GDPR on multiple points. A key motivating factor appears to be the global AI-race. The EU aims to strengthen its position and competitiveness compared with the United States and China, which currently lead the way in AI-development and innovation.
In one of our earlier blogs, we already outlined the potential consequences of the Digital Omnibus for the AI Act. In this blog, we examine the proposed amendments to the GDPR, with a focus on the use of (special categories of) personal data for training AI-models. Before discussing the Digital Omnibus, it is useful to briefly outline the current rules governing the use of (special categories of) personal data for AI-training.
How does the GDPR currently apply to AI-training?
Earlier this year, several social media platforms, including Facebook, LinkedIn and X, announced plans to employ users’ personal data for AI-training purposes. This reignited the debate on the extent to which organisations may use personal data to train AI-models.
Under the GDPR, personal data may only be processed if there is a lawful basis. User consent may appear as the most obvious ground, but in practice it is difficult to implement when AI-training involves the personal data of millions of individuals. After all, how could you possibly ask everyone for consent? And how can users give informed consent if it is unclear which data will be used and for what purposes?
Many organisations therefore rely on the lawful basis of legitimate interests, for instance to improve existing products or to develop new digital services. The European Data Protection Board (EDPB) has clarified that legitimate interests may, in principle, serve as a legal basis for AI-training. However, whether this is lawful will ultimately depend on the context, the data involved, individuals’ reasonable expectations and the safeguards in place to protect their rights. As such, relying on this legal ground requires a balancing act of (competing) interests.
The Dutch Data Protection Authority (DPA) has adopted a more critical approach to the use of this lawful basis for AI-training. The DPA notes that certain safeguards, including the removal of personal data from datasets before AI-training, can only be effectively evaluated in practice. The DPA also encourages individuals to exercise their right to object when their personal data are used for AI training by Big Tech companies.
The processing of special categories of personal data, such as data revealing ethnicity, religion, or health, for the purposes of AI training is particularly controversial. The GDPR generally prohibits the processing of such data, unless the individual has given explicit consent or a another statutory exception applies. In some cases, an exception may exist where individuals have clearly made this information public themselves. However, this must be carefully assessed before any AI-training takes place. Where no such exception applies, the use of special categories of personal data for AI-training is considered unlawful.
What changes does the Digital Omnibus propose to the GDPR?
The Digital Omnibus proposes introducing a new Article 88c to the GDPR, which would explicitly permit the processing of personal data for AI-training on the basis of legitimate interests. Consequently, obtaining individual consent would, in principle, no longer be required for the use of personal data in AI-training. In reality, this would not significantly alter current practice, since AI-training is already commonly based on legitimate interests. Rather, the proposal is intended to provide greater legal certainty and to resolve the ongoing debate among privacy regulators on the use of legitimate interests for AI-training.
The proposal also suggests that the European Commission plans to introduce a new exception to the prohibition on processing special categories of personal data under Article 9 GDPR, which would allow such data to be used in the development and use of AI-models. This would significantly expand the scope for using special categories of personal data in AI-training compared to the current framework. From a GDPR perspective, it is debatable whether this development is desirable. The prohibition on processing special categories of personal data serves an important purpose, as this data reveals fundamental differences between individuals and groups, such as race, ethnicity or sexual orientation. Increased use of this data in AI-training enhances the ability of AI-systems to profile individuals and could potentially enable AI-models to construct detailed profiles of individuals who were never part of the original training data set. While the level of risk is contingent on how these models are ultimately used, the potential for misuse and discrimination should not be overlooked.
What does the proposal mean for the future of the GDPR?
At this stage, the Digital Omnibus is merely a proposal. Its final form is still subject to political negotiations, and the proposed changes have not yet been formally adopted. Until then, the GDPR in its current form will remain in full force.
On the one hand, the proposal raises several concerns. It could create legal uncertainty, cause confusion for organisations, and lead to costly litigation. It also prompts a broader question: will the Digital Omnibus genuinely strengthen the competitiveness of European companies, or will it mainly benefit Big Tech companies and allow them to further entrench their dominance?
On the other hand, there may be situations in which training or testing AI-models using (special categories of) personal data can be justified or even necessary. For example, such data may be crucial for detecting bias or discriminatory outcomes in AI-systems. Without insight into how different groups are affected, structural inequalities are likely to remain invisible.
The proposal ultimately raises important questions about the future of the GDPR and the delicate balance between innovation and the protection of fundamental rights. Will Europe’s strong privacy framework be able to withstand the growing pressure of global AI-development?
Would you like to read more about this topic? Read our previous blog on the Digital Omnibus.
