The European Data Protection Board (EDPB) and European Data Protection Supervisor (EDPS) have their reservations regarding the European Commission’s intentions to simplify existing rules governing artificial intelligence (AI).
In November 2025, the executive branch of the European Union introduced the Digital Omnibus, a set of proposals to simplify the existing rules on AI, cybersecurity, and data protection.
One of the proposals in the Digital Omnibus expands the use of AI systems to collect personal and sensitive types of information, like ethnicity and health data, for the purpose of detecting and correcting discrimination.
Additionally, the Digital Omnibus empowers tech companies to invoke a “legitimate interest” and use user data without prior consent for training AI models. Currently, the General Data Protection Regulation (GDPR) prohibits companies from collecting and using personal data without explicit consent.
Advocacy groups have voiced their concerns that the proposed changes could weaken consumers’ privacy protection.
European privacy and data protection authorities share the concerns. In a Joint Opinion, the EDPB and EDPS state they support the general objectives of the Digital Omnibus, specifically the ones that address the challenges in the AI Act.
However, administrative simplification must not lower the protection of fundamental rights of individuals, in particular the fundamental right to the protection of personal data.
“A careful balance needs to be kept between reducing administrative burden where possible, without undermining the protection of fundamental rights in the context of AI. Therefore, the EDPB and the EDPS warn against reducing the existing protection offered under the AI Act without careful consideration of the protection of the rights of individuals,” the Joint Opinion says.
Furthermore, the EDPB and EDPS recommend including the obligation to register AI systems when they fall under the categories listed as high-risk. The agencies also welcome the creation of EU-level AI regulatory sandboxes to promote innovation. However, data protection authorities (DPAs) from EU Member States should be directly involved in the supervision of data processing within these sandboxes.
Lastly, the EDPB and EDPS advise maintaining a duty for AI providers and vendors to ensure their staff are up-to-date on the latest developments in AI.
The European privacy authorities are well aware of the complexity of the AI landscape and welcome efforts to ease the burdens for businesses and organizations, but not at the expense of individual citizens.
“Innovation and efficiency are crucial and can coexist with maintaining accountability of AI providers. However, data protection authorities must maintain a central role when it comes to the processing of individuals’ personal data,” EDPB Chair Ana Talus says in a statement.
Unlock more exclusive Cybernews content on YouTube.
Your email address will not be published. Required fields are markedmarked