EU Digital Omnibus: GDPR Reform for AI Training – What Businesses Need to Know Now

GDPR AI training compliance is facing a turning point: with the so-called 'Digital Omnibus' package, the European Commission published on 19 November 2025 a proposal to reform the General Data Protection Regulation in one of its most consequential areas for the AI economy. Companies training or deploying AI models should follow this process closely — the implications could be substantial.

What Is the EU Digital Omnibus Package?

The 'Digital Omnibus' package is a legislative initiative by the European Commission that aims to consolidate and simplify several existing EU digital laws into a single omnibus regulation. The goal is to eliminate contradictions between different legal acts and reduce administrative burden for businesses.

The package includes proposed amendments to the GDPR, the AI Act, the Product Liability Directive, and the Data Act. The Commission's stated objective is to keep Europe competitive in the global AI race — without, in its official framing, abandoning fundamental data protection standards.

The Key GDPR Change: Legitimate Interest for AI Training

The most significant change for the AI sector concerns Article 6 GDPR — the legal bases for processing personal data. Under current law, companies must identify a clear legal basis for any processing of personal data: typically consent, contract performance, or — under strict conditions — legitimate interest.

The Digital Omnibus draft proposes to explicitly recognize AI training as a legitimate interest under Art. 6(1)(f) GDPR. This would mean that companies could, under certain conditions, use existing business data to train AI models — without explicit consent from the data subjects.

What This Means in Practice

Whether training AI models on personal business data — customer communications, contracts, internal documents — is lawful under GDPR has been one of the biggest legal uncertainties in the European AI market. Data protection authorities across EU member states have taken differing positions.

An explicit GDPR basis for AI training would:

• Create legal certainty for companies wanting to develop specialized AI models based on their own customer or business data
• Enable use without consent, provided the legitimate interest does not override the rights and interests of data subjects
• Improve competitive parity with US providers operating under different legal frameworks

The Limits of Legitimate Interest

Critically, recognition as a legitimate interest is not a blanket permission. The balancing test still applies: companies must document that their interest in AI training does not override the legitimate interests of data subjects. Sensitive data categories under Art. 9 GDPR — health data, biometric data, political opinions — are explicitly excluded and continue to require consent or another specific legal basis.

Data protection officers will scrutinize the balancing assessment on a case-by-case basis. Companies wishing to rely on legitimate interest must document this assessment carefully.

What Changes for German and European Businesses?

Businesses can potentially benefit in several scenarios:

Scenario 1: Training internal language models A company wants to train an in-house LLM on historical customer enquiries and support tickets. Until now, the legal basis for this was unclear. With the Digital Omnibus, legitimate interest could serve as the basis — provided the data is pseudonymised and contains no sensitive categories.

Scenario 2: Improving existing AI systems A software provider wants to refine its deployed AI classification model using transaction data from existing customers. Legitimate interest could apply here too — with an appropriate balancing assessment and transparent notification to data subjects.

Scenario 3: Industry models in B2B Several companies in the same sector want to jointly train a specialized model. The GDPR reform could make collaborative training projects legally more manageable.

What Does Not Change

Some fundamental GDPR principles remain untouched:

• Purpose limitation: Data may only be used for the purpose originally communicated, unless a compatibility assessment for the new training use is conducted
• Data minimisation: Only actually required data points may be processed
• Data subject rights: Rights of access, erasure, and objection remain fully intact — including the right to object to processing based on legitimate interests
• Accountability: Documentation of the balancing assessment remains mandatory

EU AI Act: Deadline Extensions at a Glance

Alongside the GDPR reform, the Digital Omnibus package also contains adjustments to the EU AI Act. The full applicability of high-risk AI requirements — originally set for August 2026 — is proposed to be significantly delayed. The draft sets out concrete new dates:

• Annex III systems (recruitment AI, credit scoring, emotion recognition, etc.): new deadline 2 December 2027 instead of 2 August 2026
• Annex I systems (AI embedded in safety-regulated products): new deadline 2 August 2028 instead of 2 August 2027
• Notified bodies for external conformity assessments are not yet accredited in many member states — the extension reflects this reality

Important caveat: the extensions are conditional — the amending regulation must enter into force before 2 August 2026. If that does not happen, the original deadlines remain in force. Companies that have already begun compliance preparation should continue that work.

Current Legislative Status

The Digital Omnibus draft is in early legislative stages as of April 2026. Following the Commission's publication, the process involves:

1. Trilogue negotiations between the Commission, European Parliament, and Council 2. Opinions from national data protection authorities (Article 29 Working Party / EDPB) 3. Formal vote in Parliament and Council 4. Transition period of at least 12–18 months after entry into force

Final adoption before end of 2026 or early 2027 is unlikely. The draft may change significantly in trilogue — particularly under pressure from the European Data Protection Board (EDPB), which has expressed criticism of any weakening of GDPR legal bases.

What Should Companies Do Now?

1. Inventory AI training projects Create a complete list of all AI projects where personal data is used or planned for training, fine-tuning, or evaluation. Document the legal basis currently in use.

2. Involve your data protection officer Discuss the potential implications of the Digital Omnibus with your DPO. Assess together which projects could benefit from an expanded legal basis.

3. Prepare a Legitimate Interest Assessment For projects where legitimate interest could become relevant, prepare a Legitimate Interest Assessment (LIA) now. This provides a head start once the reform comes into force.

4. Do not wait for the reform Projects currently based on consent or contract performance should not wait for the reform. The EU AI Act deadline extension must not be misread as a deferral of compliance work.

5. Monitor developments Follow developments at the EDPB and national data protection authorities. Germany's Datenschutzkonferenz (DSK) is expected to publish its own position statement.

Conclusion

The EU Digital Omnibus could significantly ease the path for companies wanting to train AI on their own business data. Recognizing AI training as a legitimate interest would resolve years of legal uncertainty — with clear limits for sensitive data categories and with data subject rights fully preserved.

At the same time: the draft is not yet law. Companies should prepare strategically but should not change existing data protection practices on the basis of a text not yet enacted. Those who do the groundwork now — inventory, balancing assessment, documentation — will be well positioned once the reform takes legal effect.

---

*Planning AI projects and want to understand how the GDPR reform affects your training data? Sophera Consulting advises on privacy-compliant AI implementation — from legal basis analysis to technical execution. Schedule a free initial consultation.*