Publication date 29/04/2026

One of the main objectives of the renewed European Data Strategy is to overcome the current regulatory fragmentation by proposing a new regulation colloquially called the Digital Omnibus Regulation. The aim is to consolidate and rationalise a large part of the data regulations in a single standard. Among other measures, the Regulation modifies the Data Act, which would therefore remain in force, but with a new wording. In other words, the Omnibus is purely instrumental: it is only an instrument to modify other regulations, whose wording will therefore be updated.

Since the proposal was made public in November 2025, the debate has accelerated. The joint opinion of the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) on the scope of this initiative has recently been released. It welcomes the integration of the rules of the Data Governance Act and the Open Data Directive into an updated version of the Data Act, on the grounds that it facilitates compliance with them and also the consistent application of the rules on access to and re-use of data generated by public sector entities. However, while acknowledging progress in harmonising regulation and simplifying compliance, it expresses "significant concerns" about changes that are not merely technical, generate uncertainties and affect the protection of personal data. Below, we will focus on some of the most relevant aspects.

The controversy over the concept of personal data

The proposal to add a new paragraph to Article 4.1 of the GDPR to clarify when information is personal data is probably the most controversial aspect of the proposed regulation. Until now, it was understood that any information that would allow a person to be identified was personal data for any subject, even if only a third party had the means to identify him. The new proposal changes this situation. Specifically, it is intended to specify that:

'Information relating to a natural person is not necessarily personal data for any other person or entity merely because another entity can identify that natural person. The information will not be personal to a given entity where that entity cannot identify the natural person to whom the information relates having regard to the means that may reasonably be used by that entity. Such information does not become personal to that entity merely because a potential downstream recipient has means that could reasonably be used to identify the natural person to whom the information relates.'

The opinion warns that using a negative approach to define what is not personal data may reduce legal certainty, that is, have an effect contrary to the one the initiative intends. The report considers that there may be collateral effects that, ultimately, imply a loss of guarantees. Let's imagine the health data contained in a medical record. According to the current approach, such information is subject to the GDPR even when it is dissociated from its owner and, once pseudonymized, is placed in the hands of a research team or made available to health authorities for public health purposes. Under the proposal of the Digital Omnibus Regulation, on the other hand, it could be argued that, in such cases, the data are no longer "personal data" for the aforementioned subjects who receive them. Specifically, the opinion emphasizes that the reform incorporates as a legal norm what is simply a jurisprudential criterion adopted to resolve a specific case, and in doing so disregards the context and particularities of that case, as well as other relevant decisions of the Court of Justice of the European Union (CJEU) itself.

On the other hand, the opinion states that the relativity of the concept used may be an "invitation" to generate organizational structures in the processing of personal data with the sole intention of avoiding the application of the guarantees, limits and conditions established by the GDPR. Specifically, by considering as "non-personal" the information that a specific entity cannot identify, even if other subjects are capable, it could encourage data controllers to promote somewhat forced legal engineering solutions, in order to evade regulation without applying real anonymization mechanisms. In particular, an entity could formally outsource essential aspects of information processing – such as access to pseudonymisation keys or data combining capabilities – to other legally distinct entities. In this way, they would not be personal data for any of them since each one alone would not be able to associate the information with the owner, although in practice it would be easy to know their identity. The consequence of this formal pseudonymisation would be the non-application of essential guarantees of the regulation on personal data, such as the obligation to carry out an impact assessment or the effectiveness of the rights of the data subject.

Is the Commission competent to determine what is personal data?

The opinion also rejects the approach of the proposal to enable the Commission to specify, by means of implementing acts, in which cases pseudonymised data cease to be personal data for certain entities. This would mean leaving the delimitation of the scope of a fundamental right in the hands of a legal instrument designed for technical issues of application. In this regard, it is considered that the delimitation by interpretative means of what is and what is not personal data must continue to be the competence of the supervisory authorities and the courts, since, otherwise, more complexity would be generated collaterally and, therefore, legal uncertainty would be increased.

AI and sensitive data: exception or open door?

As we explained in a previous commentary, in terms of artificial intelligence (AI), the Commission's proposal pays special attention to the impact of the reform on the protection of personal data, a perspective previously analysed by the EDPB in 2024. In particular, the Commission seeks to strengthen legal certainty by introducing specific rules on the use of legitimate interest to train and operate certain AI systems. Legitimate interest is the basis that would allow a company or entity to train or improve an AI system with personal data, as a data controller, without the need for consent from its owner, when such processing is necessary for a legitimate purpose (e.g. to improve a model, detect abuse, ensure greater security, optimise a service...), provided that the rights of the owners of the information do not prevail and, additionally, certain guarantees are respected.

In addition, the proposal adds a further exception for cases where special categories of data under Article 9 GDPR appear incidentally or residually in the lifecycle of those systems. According to paragraph 5 that is intended to be added to that provision:

"Appropriate organisational and technical measures shall be implemented to prevent the collection and otherwise processing of special categories of personal data. Where, despite the application of such measures, the controller detects special categories of personal data in the datasets used for training, testing or validation, or in the AI system or model, it shall delete such data. If the erasure of such data requires a disproportionate effort, the controller shall in any event protect such data effectively and without undue delay so that it cannot be used to produce results, nor can it be disclosed or otherwise made available to third parties."

Specifically, the reference to the incidental nature is meant to cover those cases in which personal data of this kind are processed without that being a deliberate objective, that is, without anyone having sought or intended to include them: this would be the case, for example, of a dataset for image recognition AI if a photo that reveals sexual orientation or political beliefs unexpectedly appears. Continuing with the example, this would happen if the objective was to identify objects, not people or sensitive features, but within thousands of photos, an image appeared in which someone wears a T-shirt with a political slogan or a same-sex couple appears kissing, which could reveal sexual orientation. In this case, although there was no intention to process sensitive data, the images have nevertheless been processed; they should, however, be prevented from being disclosed or from appearing indirectly in the context of the use of the AI tool.

Residual processing, on the other hand, refers to the possibility that, for unavoidable technical reasons, "traces" of sensitive data may remain in AI models throughout the life cycle of the system, even after anonymisation filters have been applied. This could happen, for example, when training a customer service chatbot with real conversations where there are mentions of medical problems in trivial contexts that do not constitute a medical consultation in the strict sense.

The opinion recognises that, in practice, residual processing that is difficult to avoid can occur, but calls for a much stricter wording linked to effective safeguards throughout the life of the system. It also recalls that there are already adequate interpretative criteria to frame its use in AI contexts without the need to add a specific clause, which could be interpreted as a general legal authorization to train models whenever there is a contract or an abstract commercial interest. In this sense, the recommendation of the opinion is that, if the reference is maintained, it should be accompanied by clear requirements for impact assessment, documentation and reinforced right of opposition. In short, it is a matter of preventing the reform from consolidating a general authorisation to process special categories of data under the label of "incidental" or "residual".

Finally, with regard to automated processing of personal data – whether or not it involves the use of AI tools – the opinion proposes to maintain the principle of prohibition as a general rule that the Commission intends to eliminate. It admits, however, the existence of a set of assessed exceptions in which automation may be justified. In short, it is a matter of preventing the new regulation from appearing to offer a general authorisation simply because there is a contract with the interested party, even if automation is not really necessary to execute it.

The use of biometric data for identification purposes

One of the proposals that is most favourably received by the opinion is the proposed new derogation to authorise the processing of special categories of data in the context of biometric authentication, provided that the means of verification is under the exclusive control of the data subject. This is an issue that has sparked significant controversy in Spain as a result of the practical guide disseminated by the Spanish Data Protection Agency – currently under review – and the subsequent sanctioning and restrictive measures that have been adopted by this entity. The opinion understands that allowing this type of processing, when the data or means remain in the hands of the user, can reinforce security without adding disproportionate risks, provided that strict guarantees are required on purposes, conservation and non-reuse for other purposes.

Open data and reuse of public sector information

The opinion establishes two clear limits when assessing the scope of the reform proposed by the Commission to integrate the various existing rules in this area into the new version of the Data Act, the scope of which we have already explained in detail.

Firstly, the opinion emphasises that the new regulation does not generate, in itself, an additional or automatic obligation for public bodies to allow the reuse of personal data, pointing out that it does not constitute a new autonomous legal basis, in accordance with Article 6 of the GDPR, to legitimise access and reuse.

Thus, a mere request for reuse under the new wording of the Data Act would not be enough to oblige an Administration to transfer personal data, nor does it replace the need to resort to a specific legitimate basis in the GDPR – public interest (art. 6.1.e), consent (art. 6.1.a), legal obligation (art. 6.1.c), etc. – which, in any case, must be evaluated on a case-by-case basis in accordance with the principles of necessity and proportionality. All this without prejudice to the application of the measures that were already contemplated in the initial version of the Data Governance Act, and which would now be integrated into the new updated version of the Data Act.

Secondly, in situations of public emergency – such as, but not limited to, pandemics, natural disasters or massive cyberattacks – the reform that the Commission proposes for the Data Act enables certain public authorities to access data held by private subjects, both personal and non-personal, where there is an exceptional need to use certain data to perform functions in the public interest. In this type of situation, the opinion proposes a strict gradation of the intensity of the measures:

  • Anonymous data should be used, which would therefore be outside the scope of the GDPR.

  • Only if they are insufficient for the need raised, could personal data be used, but pseudonymised, i.e. identifiable only by the person who possesses the additional information necessary for re-identification.

  • It calls for the necessary adoption of appropriate technical and organisational measures throughout the entire life cycle of the processing: from collection, through analysis, to erasure when it is no longer necessary to store it.

In short, according to the joint opinion of the EDPB and the EDPS, the Digital Omnibus Regulation is an essential initiative aimed at strengthening a European model to promote data accessibility without affecting the right to personal data protection. Beyond the final result of the processing of this initiative, once the legislative process has been completed, the opinion analysed highlights the need to pay special attention to data governance models in the projects and initiatives that are promoted. In particular, it is essential to refine: the legal bases for the processing of personal data, the scope of risk analyses and impact assessments, the documentation of the measures taken to address regulatory compliance and, ultimately, the distribution of roles and the scope of obligations that correspond to each subject, all this based on clear, coherent premises that respect the core of the fundamental right to data protection.

Content produced by Julián Valero, Professor at the University of Murcia and Coordinator of the “Innovation, Law and Technology” (iDerTec) Research Group. The content and views expressed in this publication are the sole responsibility of the author.