On 20 January 2026, the European Data Protection Board (“EDPB”) and the European Data Protection Supervisor (“EDPS”) adopted Joint Opinion 1/2026 on the proposal for a Regulation presented by the European Commission on 19 November 2025, aimed at simplifying the implementation of the harmonised rules in the field of artificial intelligence, the so-called “Digital Omnibus on AI”.
As is well known, the proposal intervenes in certain provisions of Regulation (EU) 2024/1689 (“AI Act”), primarily with the aim of simplifying compliance obligations for small and medium-sized enterprises, improving the coordination of this regulatory framework with other legal frameworks, including those relating to the protection of personal data, as well as, specifically in this regard, facilitating compliance with Regulation (EU) 2016/679 (“GDPR”) by allowing providers and deployers of any AI system to process special categories of personal data (referred to in Article 9 GDPR) for the purposes of detecting and correcting bias. Regarding these aspects, in general terms, the supervisory authorities appear supportive of the objective of addressing the difficulties that have emerged during the initial phase of implementation, but they raise several concerns regarding the proposed amendments, which risk dangerously lowering the standards of personal data protection. The main amendments addressed in the Opinion will therefore be analysed below.
Processing of Special Categories of Personal Data for the Purposes of Detecting and Correcting AI Bias
As anticipated, one of the most sensitive issues concerns the proposal aimed at introducing a new Article 4a, replacing Article 10(5), which would allow, where necessary, the processing of special categories of personal data by providers and deployers of all AI systems and models, subject to the appropriate safeguards specified in the draft proposal supplementing the GDPR (in accordance with the proposed amendments to Article 9 GDPR referred to in the previous article).
Therefore, the proposal would extend both the material and personal scope of Article 10(5) of the AI Act to all AI systems and models and would also cover deployers.
The authorities acknowledge that the possibility of identifying and correcting algorithmic bias may contribute to preventing discriminatory effects and strengthening system safety. However, they recall that the processing of sensitive data constitutes an exception to the general prohibition regime provided for under European data protection law. Therefore, the EDPB and the EDPS recommend maintaining the requirement of “strict necessity” and emphasise the need to clearly circumscribe the cases in which such processing may be considered justified.
Registration and Documentation
A second aspect of concern relates to the proposal to remove the obligation to register, in the European database, certain artificial intelligence systems which, although falling within those listed in Annex III of the AI Act, are classified by the provider as not high-risk.
According to the authorities, the registration obligation (as provided for under Articles 6(3) and 49(2) of the current AI Act) constitutes an essential tool for ensuring transparency and accountability, as it allows both the public and the competent authorities to be informed of the assessments carried out by providers and to intervene promptly where critical issues arise.
In the authorities’ view, although providers would still be required to document their assessment that the AI system is not high-risk, before such system is placed on the market or put into service, and to make such documentation available to the competent national authorities upon request, this would not be sufficient if not accompanied by registration.
Regulatory Sandboxes at European Union Level
Importance is attached to the proposal to establish regulatory sandboxes for artificial intelligence also at the level of the European Union.
The EDPB and the EDPS welcome this initiative, recognising that such tools may contribute to promoting innovation and facilitating the development and testing of AI systems, including by small and medium-sized enterprises.
However, the authorities point out that the proposal, unlike the provisions applicable to national sandboxes, does not expressly clarify the role of data protection authorities in supervising personal data processing carried out within the EU sandboxes.
The EDPB and the EDPS also note that the proposal does not sufficiently clearly define which data protection authority should be considered competent in cases where the sandbox involves multiple Member States, nor how such competence should be coordinated with the cooperation mechanism provided for under the GDPR.
According to the authorities, these aspects should be expressly clarified in the legislation, in order to avoid legal uncertainty and ensure consistent application of personal data protection rules.
Supervision and Enforcement by the AI Office
The Opinion also addresses the issue of supervision of systems based on general-purpose AI models.
The proposal grants exclusive competence to the AI Office over certain categories of systems, in particular where the model and the system are developed by the same provider or where they are integrated into large online platforms.
The EDPB and the EDPS acknowledge the advantages of centralised supervision but emphasise the need to ensure adequate coordination with data protection authorities.
AI Literacy
The authorities also focus on the issue of artificial intelligence literacy.
The proposal provides for transforming the current obligation, imposed on providers and deployers, to ensure an adequate level of staff training, into an obligation for the Commission and the Member States to merely “encourage” such activities.
According to the EDPB and the EDPS, such an amendment would risk significantly weakening the system of safeguards provided for under the AI Act.
AI literacy is in fact considered a fundamental element for ensuring the informed and responsible use of these technologies and for guaranteeing respect for fundamental rights throughout the entire lifecycle of AI systems.
Lawyer Lorenzo Baudino Bessone and Dr. Giulia Gitto