“Digital Omnibus” and data protection: regulatory simplification with greater responsibility in AI

The European Union continues to make progress in streamlining its digital regulatory framework through the proposal known as the “Digital Omnibus”. In this context, the European Data Protection Board and the European Data Protection Supervisor have adopted Joint Opinion 2/2026 (hereinafter, ‘the Opinion’), in which they analyse the scope of the proposal and make observations aimed at ensuring that administrative simplification is compatible with a high level of protection of personal data and of fundamental rights.

One of the core aspects of the Opinion is the need to avoid regulatory loopholes with regard to certain artificial intelligence systems which, beyond generating content, can operate with a certain degree of autonomy and have a significant impact on the legal or personal sphere of data subjects. The authorities warn that these systems must remain clearly within the regulatory perimeter and that any legislative adjustments must preserve consistency with the General Data Protection Regulation and with the risk-based approach that inspires European digital regulation. At the same time, it is emphasised that artificial intelligence (AI) literacy — at the technical, organisational and governance levels — is a structural element in ensuring effective compliance and strengthening reliance in these technologies.

The Opinion also introduces relevant nuances in relation to the processing of special categories of data. In particular, it contemplates, in a limited manner and subject to strict safeguards, the possibility of using sensitive data when necessary to detect and mitigate biases in AI systems, always under parameters of necessity, proportionality and adequate safeguards. At the same time, it supports the maintenance and reinforcement of prohibitions on those uses of technology which, by their nature, may be particularly intrusive or harmful to fundamental rights.

In short, the approach of the European authorities is clear: regulatory simplification must be accompanied by greater substantive responsibility. Less formalism does not mean lower standards. Organisations must adequately document and justify their assessments, especially when they conclude that a system does not reach the high-risk category. The traceability of decisions, rigorous impact analysis and sound governance in the field of AI and data protection will continue to be determining factors for operating with legal certainty in the new digital regulatory environment.