European Data Protection Board Challenges AI Act Implementation: Joint Opinion Warns of Privacy Risks in Simplified Rules

Privacy Reporter

The European Data Protection Board (EDPB) and European Data Protection Supervisor (EDPS) have issued a critical joint opinion on the proposed 'Digital Omnibus' simplification of AI Act implementation, warning that streamlined procedures could undermine fundamental data protection rights and create enforcement gaps.

The European Data Protection Board (EDPB) and European Data Protection Supervisor (EDPS) have issued a joint opinion that raises significant concerns about the European Commission's proposal to simplify the implementation of harmonized artificial intelligence rules through what's being called the 'Digital Omnibus on AI.' The opinion, formally designated as EDPB-EDPS Joint Opinion 1/2026, scrutinizes the proposal's potential impact on fundamental rights, particularly data protection, and warns that streamlining procedures could inadvertently create regulatory loopholes and weaken enforcement mechanisms.

What Happened: The Digital Omnibus Proposal

The European Commission proposed the Digital Omnibus as a legislative package designed to simplify and accelerate the implementation of the AI Act by consolidating various procedures and creating more efficient administrative processes. The proposal aims to reduce bureaucratic burden by establishing unified oversight mechanisms, standardizing compliance assessments, and creating a single digital gateway for AI providers to navigate regulatory requirements. However, the EDPB and EDPS argue that this simplification comes at the cost of thorough data protection scrutiny and could create a two-tier system where AI systems with significant privacy implications receive less rigorous evaluation.

The joint opinion specifically targets Article 56 of the proposed regulation, which outlines the simplified conformity assessment procedures for certain high-risk AI systems. The data protection authorities contend that this article creates an automatic presumption of compliance with data protection requirements when an AI system meets certain technical specifications, effectively bypassing the need for Data Protection Impact Assessments (DPIAs) mandated under Article 35 of the GDPR.

The EDPB and EDPS base their concerns on several key legal provisions:

  1. Article 35 of the GDPR - Requires data controllers to conduct DPIAs when processing is likely to result in high risks to individuals' rights and freedoms. The joint opinion argues that many AI systems classified as high-risk under the AI Act inherently involve such processing and should therefore trigger mandatory DPIAs regardless of simplified conformity assessment procedures.

  2. Article 22 of the GDPR - Prohibits automated decision-making that produces legal or similarly significant effects concerning individuals without meaningful human review. The opinion warns that streamlined procedures could allow AI systems with automated decision-making capabilities to enter the market without adequate safeguards for human oversight.

  3. Article 5 of the AI Act - The joint opinion references the AI Act's own provisions on prohibited AI practices and high-risk systems, emphasizing that data protection principles are integral to the AI Act's risk-based approach. The EDPB argues that simplification cannot override the AI Act's fundamental risk assessment requirements.

  4. Article 56 of the proposed Digital Omnibus - The specific provision that creates simplified procedures is criticized for potentially violating the principle of proportionality under EU law by applying the same simplified process to AI systems with vastly different risk profiles and data processing activities.

The authorities also reference the Charter of Fundamental Rights of the European Union, particularly Article 8 (right to data protection) and Article 7 (respect for private and family life), arguing that the proposal fails to adequately balance administrative efficiency with fundamental rights protection.

Impact on Users and Companies

For Individuals and Data Subjects

The joint opinion highlights several potential negative impacts on individuals:

  • Reduced Transparency: Simplified procedures could mean fewer opportunities for data subjects to be informed about how their data is used in AI systems, particularly when automated decisions affect their lives.

  • Weakened Redress Mechanisms: Streamlined compliance might create gaps where individuals cannot effectively challenge AI decisions or seek remedies for data protection violations.

  • Inadequate Risk Assessment: The automatic presumption of compliance could allow AI systems with significant privacy implications to enter the market without proper evaluation of their impact on individuals' rights.

  • Fragmented Protection: Different member states might interpret simplified procedures differently, creating inconsistent levels of protection across the EU.

For AI Providers and Companies

The opinion also identifies business implications:

  • Regulatory Uncertainty: Companies might face conflicting requirements from data protection authorities and AI regulatory bodies if the simplified procedures are implemented without clear guidelines.

  • Compliance Complexity: Rather than simplifying compliance, the proposal could create additional layers of complexity as companies navigate between AI Act requirements and GDPR obligations.

  • Market Access Risks: AI systems approved through simplified procedures might later face challenges from data protection authorities, creating market uncertainty and potential recalls or modifications.

  • Innovation Constraints: The opinion suggests that proper data protection scrutiny actually supports innovation by building trust and ensuring sustainable market development.

What Changes: Recommendations and Next Steps

The EDPB and EDPS propose several modifications to the Digital Omnibus proposal:

1. Maintain Separate Data Protection Scrutiny

The authorities recommend that data protection impact assessments should remain mandatory for AI systems processing personal data, regardless of simplified conformity assessment procedures under the AI Act. They suggest creating a parallel track where DPIAs are conducted simultaneously with technical conformity assessments.

2. Strengthen Oversight Mechanisms

The joint opinion calls for enhanced cooperation between national data protection authorities and AI regulatory bodies, including:

  • Joint inspection protocols
  • Shared information systems for risk assessment
  • Coordinated enforcement actions
  • Regular joint training programs for regulators

The authorities recommend explicit language in the regulation that:

  • Confirms the primacy of GDPR requirements over simplified AI Act procedures
  • Establishes clear triggers for when simplified procedures cannot be applied
  • Defines the scope of automatic compliance presumptions
  • Creates appeal mechanisms for data protection authorities to challenge simplified assessments

4. Implement Phased Approach

The EDPB suggests a pilot program for simplified procedures with:

  • Limited scope initially (certain types of low-risk AI systems only)
  • Mandatory data protection oversight for the first two years
  • Regular evaluation of impact on fundamental rights
  • Sunset clauses requiring renewal based on evidence

5. Enhanced Transparency Requirements

The opinion recommends that all AI systems, regardless of assessment procedure, must provide:

  • Clear information about data processing activities
  • Details about automated decision-making processes
  • Information about human oversight mechanisms
  • Contact details for data protection inquiries

Broader Context and Industry Reaction

The joint opinion reflects growing tension between different regulatory approaches within the EU. While the European Commission seeks to reduce administrative burden and accelerate AI innovation, data protection authorities emphasize that fundamental rights cannot be compromised for efficiency.

Industry groups have responded with mixed reactions. Some technology companies support streamlined procedures, arguing that current regulatory complexity hinders European AI development. However, privacy-focused organizations and digital rights advocates have welcomed the EDPB-EDPS position, seeing it as necessary protection against regulatory capture.

The debate also highlights the challenge of regulating rapidly evolving technology. The AI Act represents one of the world's first comprehensive AI regulatory frameworks, while the GDPR established global standards for data protection. Harmonizing these two regimes without weakening either presents significant legislative challenges.

Implementation Timeline and Next Steps

The Digital Omnibus proposal is currently under review by the European Parliament and Council. The EDPB-EDPS joint opinion has been submitted as formal feedback and will be considered during legislative negotiations. If adopted without modifications, the simplified procedures could take effect within 18 months of the AI Act's full implementation.

Data protection authorities have indicated they will continue monitoring the proposal and may issue additional guidance or even challenge the regulation in court if fundamental rights protections are deemed insufficient. The joint opinion serves as a formal warning that simplified procedures must not compromise the rigorous data protection standards established by the GDPR.

For organizations developing or deploying AI systems, this regulatory uncertainty underscores the importance of maintaining robust data protection practices regardless of potential future simplifications. The EDPB and EDPS emphasize that compliance with both the AI Act and GDPR will remain essential, and that the current joint opinion should be viewed as guidance for future compliance strategies.

The full text of the joint opinion is available through the European Data Protection Board's official website, and the Digital Omnibus proposal can be accessed via the European Commission's legislative portal.
