Amnesty International has published a detailed analysis warning that the European Commission’s proposed Digital Omnibus reforms could undermine fundamental rights protections under both the GDPR and the EU AI Act. The proposals, first unveiled in November 2025 as part of a broader competitiveness agenda, are framed as regulatory simplification — but civil society groups argue they amount to a rollback of hard-won digital rights.

Two elements of the proposal are drawing particular concern. First, the Commission proposes to redefine what constitutes personal data under the GDPR. Amnesty and other civil society organisations warn that narrowing this definition could allow technology companies to harvest more personal data for the training and operation of AI systems without triggering the full weight of GDPR protections. Second, the proposals introduce carveouts for AI that would require companies to remove data from AI systems only if doing so does not require “disproportionate efforts” — a term that is not clearly defined and is open to broad interpretation by industry.

The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) have also weighed in, warning in a February 2026 joint opinion that the Digital Omnibus proposal risks weakening accountability mechanisms and creating regulatory uncertainty. Their concerns align with those raised by Amnesty: that simplification should not come at the cost of the safeguards that make EU data protection law effective.

The proposals are now moving through the legislative process, with Parliament committees expected to shape their positions in the coming months. For compliance teams, the uncertainty is itself a risk factor — organisations must prepare for a regulatory landscape that may shift in either direction.

Acompli perspective: Whatever the final legislative outcome, the underlying compliance principles are unlikely to change. Organisations that invest in robust data mapping, maintain thorough records of processing, and build defensible risk assessment frameworks will be well-positioned regardless of where the definitional boundaries land. The strongest response to regulatory uncertainty is operational maturity — ensuring that your privacy programme can adapt to evolving requirements without starting from scratch.