An update on developments in the field of personal data regulation and AI following the position paper "Omnibus Digital and Omnibus AI" by the Dutch Autoriteit Persoonsgegevens the fact sheet "Omnibus AI and Omnibus Digital" by the working group Assessment of New Commission Proposals led by the Ministry of Foreign Affairs.
With its Digital Omnibus proposal of November 19, 2025, the European Commission has taken a significant step toward harmonizing and simplifying EU digital legislation. In our previous article, we already pointed out that this proposal explicitly states for the first time that the processing of personal data for the training and use of AI models and systems is possible – under certain conditions – on the basis of legitimate interest. It also introduces a new, albeit limited, exception for the processing of special categories of personal data without consent when training AI, and revises the definition of "personal data," which could have significant implications for the (permitted) use of pseudonymous data in an AI context.
Meanwhile , both the Dutch Autoriteit Persoonsgegevens “AP”) and the Dutch government have published their views on the Digital Omnibus proposal. Whereas the European Commission clearly focuses on simplification and “optimization of the digital regulatory framework,” these responses show that the intended relaxations also entail new risks and uncertainties. In this blog, we highlight the changes discussed earlier and the relevant comments made by the AP and the cabinet.
One of the most significant changes in the proposal is the way in which the European Commission wants to interpret the definition of personal data less broadly. Whereas the GDPR, as well as national supervisory authorities and EU advisory bodies, traditionally take a broader, absolute approach to interpreting this concept, the European Commission now opts for a more transparent, context-dependent approach. Pseudonymized data will no longer be considered personal data for the recipient, as long as the recipient does not have additional information to determine which individuals are involved.
On paper, this seems like a logical clarification, especially in a world where (pseudonymized) datasets are often processed by many parties for different purposes. In practice, however, this shift is expected to have a major impact on the question of when the GDPR still applies (and to whom). And that is precisely what both the AP and the cabinet are criticizing.
The AP argues that the proposed amendment, however technical it may seem, strikes at the heart of the fundamental right to data protection. If it becomes unclear which data, at which stage of processing, should be protected and which should not, the AP believes that this not only weakens supervision, but also makes it more difficult for citizens to maintain control over their digital identity. The AP also emphasizes that data that can be used to profile or track people must always continue to be considered personal data.
The cabinet is also concerned. According to initial analyses, the proposal goes "beyond a codification" of the much-discussed SRB judgment of the Court of Justice of the European Union, which focused on the scope of the concept of "personal data" and to which the European Commission specifically refers in the Digital Omnibus proposal. The bill could materially reduce the protection of personal data without, in the government's opinion, contributing convincingly to reducing the regulatory burden. The latter is precisely one of the government's objectives.
The second striking topic that we highlighted in our previous article is the explicit recognition in the bill that legitimate interest can serve as a basis for training and using AI models and systems with personal data. In short, the Digital Omnibus proposal requires organizations to weigh up interests, minimize data collection, and implement strict security safeguards. It also introduces an absolute right of objection, which must be exercisable without conditions by individuals whose personal data is being used.
It is striking that the AP and the cabinet seem to take a fundamentally different approach to this clarification than the European Commission. Whereas the European Commission positions the proposal as a clarification of when legitimate interest can be invoked in an AI context, the AP fears that this "suggests a broadening that does not exist."
According to the AP, legitimate interest was never excluded as a basis for processing. The proposed text was therefore essentially unnecessary and could actually create more confusion. The AP also sees the risk that, as a result, organizations would interpret legitimate interest as a generic exemption for the processing of personal data in an AI context, whereas a careful weighing of interests should remain an integral part of this basis.
The cabinet goes one step further and calls the proposal "one of the most impactful changes" within the GDPR amendments in the Digital Omnibus. The concerns mainly focus on the impression that legitimate interest would by definition apply to AI training and exploitation, without a full necessity test and weighing of interests still having to take place. Furthermore, the government emphasizes the importance of proper preconditions for the processing of special categories of personal data, given the serious consequences this can have for the individuals concerned.
In short, the tension is clear. The European Commission wants to provide scope for
innovation, but both the AP and the cabinet have expressed their concerns about the proposed changes.
In our previous article, we discussed how large-scale AI training introduces tensions around transparency and the enforceability of rights. With large datasets, often obtained through scraping, data subjects are usually unaware that their data is being used. The right to object is then mainly theoretical.
In its position paper, the AP emphasizes that various elements of the Digital Omnibus proposal could actually lead to less transparency and less effective accountability. Examples include raising the thresholds for data breach notifications and removing registrations for certain AI systems. This would put pressure on both supervision and public control.
The cabinet also points to the broader consequences of the shift of implementing and standard-setting powers to the European Commission. According to the proposal, the European Commission will be able to determine when a data breach should be considered "high risk," in which cases a DPIA is mandatory, and even what information still qualifies as personal data in the case of pseudonymization. This shifts responsibilities that are normally vested in independent supervisory authorities and the European Data Protection Board to a political institution.
The cabinet considers increased political decision-making to be an explicit risk because the GDPR is an elaboration of a fundamental right. Changes that affect fundamental rights must be carefully analyzed and discussed, according to the cabinet. The lack of an impact assessment also makes it difficult to assess whether the intended simplification will actually be achieved.
The proposals in the Digital Omnibus are not yet set in stone. While the European Commission wants to take a step towards simplification, both the AP and the cabinet warn that the balance between innovation and protection must not be lost sight of. The current discussion is therefore not only technical or legal, but also touches on fundamental choices about the relationship between data-driven innovation and fundamental rights in the EU. The coming months will reveal the extent to which the European Parliament and the Council will take on board the concerns of national regulators and member states. In the meantime, we will be keeping a close eye on developments.
i Dutch Autoriteit Persoonsgegevens, Position paper AP: Omnibus Digital and Omnibus AI,
(accessed on January 16, 2026) https://www.autoriteitpersoonsgegevens.nl/documenten/position-paper-ap-omnibus-digitaal-enomnibus-ai.
ii Working Group on the Assessment of New Commission Proposals, Sheet 2: Omnibus AI and Omnibus
Digital, (accessed on January 16, 2026) https://open.overheid.nl/documenten/be71c2d5-
7811-4d59-98a5-34c9ac4b8b86/file.
iii CJEU September 4, 2025, case C-413/23 P, ECLI:EU:C:2025:645 (EDPS v SRB)
