EDPB and EDPS opinion on the adoption of the Digital Omnibus on AI

News

On January 21, 2026, the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) released a joint opinion on the European Commission's proposal for a "Digital Omnibus". Hategan Attorneys summarizes the opinion, which aims to simplify the implementation of certain harmonized rules under the AI Regulation without diminishing the high level of protection provided by the GDPR.

General position

The authorities support the overall objective of the proposal, namely to simplify the implementation of the AI Act, provided that the level of protection of fundamental rights, in particular the right to data protection, is not affected.

The need for a careful balance between reducing administrative burdens and maintaining guarantees for fundamental rights is underlined.

 

Processing of special categories of data (detection and correction of biased data)

In principle, the extension of the legal basis for the exceptional processing of sensitive data for the purpose of detecting and correcting biased data is supported.

However, the authorities request:

  • strict limitation of the cases in which such processing is permitted for non-high-risk systems;
  • maintenance of the "strict necessity" standard, at least at the level applicable to high-risk systems;
  • additional clarifications and concrete examples to avoid abuse and legal uncertainty.

 

Registration and documentation

While supporting the reduction of administrative burden, the EDPB and EDPS:

  • oppose the removal of the obligation to register in the EU database for systems referred to in Annex III, even if the provider considers them non-high-risk;
  • warn that removing this obligation would reduce transparency, traceability, and accountability of providers and create misguided incentives.

 

EU-level AI regulatory sandboxes

The initiative is well received, particularly for supporting innovation and SMEs.

However, the following clear guidelines are provided:

  • involvement of data protection authorities (DPAs) in the supervision of data processing;
  • clarification of competences and relationship with GDPR mechanisms;
  • granting the EDPB an advisory role and observer status within the AI Board.

 

Supervision and enforcement – the role of the AI Office

The authorities welcome the strengthening of cooperation between the AI Office and other competent authorities.

It is requested that:

  • the cases in which the AI Office has exclusive competence be clearly defined;
  • there be close cooperation with DPAs when there are risks to privacy and data protection;
  • the explicit inclusion in the normative text (not just in the recitals) of the exclusion of the AI Office's competence over systems used by EU institutions, which are under the control of the EDPS.

 

Cooperation between authorities (FRABs & MSAs)

The objective of simplifying and streamlining cooperation is supported.

It is recommended to:

  • clarify the role of MSAs as administrative intermediaries, without assessing the substance of requests;
  • guarantee the independence and powers of DPAs;
  • establish clearer rules for cross-border cooperation and deadlines without undue delays.

 

AI literacy

The EDPB and EDPS oppose removing the direct obligation on providers to ensure an adequate level of AI literacy.

The obligation on the Commission and Member States to "encourage" AI literacy should not replace, but at most complement, the existing obligation.

 

Implementation timeline for high-risk systems

The authorities understand the practical reasons for the postponement, but express serious concern about the impact on the protection of fundamental rights.

The following is therefore suggested:

  • maintaining the current deadlines for certain key obligations (e.g. transparency);
  • reducing delays as much as possible if the postponement is still adopted.

 

Conclusion

The EDPB and EDPS support the overall objective of the Digital Omnibus on AI to facilitate the implementation of the AI Act, but strongly emphasize that any simplification measures must maintain a high level of protection of fundamental rights, in particular the right to the protection of personal data. The authorities warn against reducing transparency, accountability, and oversight obligations, as well as against unjustified relaxation of the conditions for processing sensitive data. The authorities think that data protection should stay a key part of AI governance, and data protection officials should keep an active and independent role in how the AI Act is applied and checked. Finally, the EDPB and EDPS point out that any delays in the application of the rules on high-risk AI systems may effectively affect the protection of individuals in a rapidly evolving technological context, which is why they call for caution, regulatory clarity, and coordinated action from all stakeholders.

 

Authors:
Ioana Chiper Zah and Tatiana Țapu