- with Inhouse Counsel
Highlights
- The European Data Protection Board (EDPB) and European Data Protection Supervisor (EDPS) have called for stringent limits and standards on processing sensitive personal data for AI bias detection, maintaining the strict necessity requirement.
- According to the EDPB and EDPS, registration obligations for all AI systems, including those classified as "not high-risk," should be maintained to support public accountability and risk mitigation.
- According to the EDPB and EDPS, companies must ensure their staff has adequate AI literacy, as the opinion recommends maintaining an obligation on companies to ensure such AI literacy.
The EDPB and EDPS released a joint opinion on the European Commission's Digital Omnibus on AI proposal on Jan. 20, 2026. The commission's proposal aims to amend the EU AI Act to simplify certain regulatory elements, address administrative burdens, broaden support for small- and mid-sized businesses, and adjust timelines for high-risk AI system requirements.
The joint opinion addresses several key areas. It discusses the extension of the legal basis for processing special categories of personal data (such as racial or ethnic origin, political opinions, or health data) for the purposes of detecting and correcting bias within AI systems. The EDPB and EDPS recommend that these practices should remain strictly necessary, with the scope clearly circumscribed and subject to robust safeguards.
Regarding transparency, EDPB and EDPS support maintaining the obligation for AI system providers to register all AI systems in the EU database for high-risk systems, including systems deemed not high-risk when referenced in Annex III of the AI Act. The EDPB and EDPS indicate that removing this obligation could reduce accountability, provide incentives for providers to avoid proper risk analysis, and "provide an undesirable incentive for providers to unduly invoke this exemption."
The opinion also covers regulatory sandboxes for AI innovation at the EU level. It notes that competent data protection authorities should be associated with these sandboxes, and their roles should be clarified to ensure legal certainty during personal data processing. Additionally, recommendations are made for the continued involvement of the European Data Protection Board in advisory capacities.
The joint opinion highlights that AI literacy should remain an internal obligation for providers and deployers, rather than shifting responsibility to public authorities. Maintaining appropriate training and awareness is seen as integral to the responsible use of AI systems.
The proposal by the commission suggests postponing certain core provisions for high-risk AI systems. The EDPB and EDPS acknowledge objective reasons for delay, such as the need for harmonized standards and designated authorities, but express concern about its potential impact on fundamental rights and legal certainty. The joint opinion instead "invites the co-legislators to consider whether it would be appropriate and feasible to maintain the current timeline for certain obligations, e.g. on transparency," and to the extent the proposed is adopted, joint action should be taken to minimize delay.
Takeaway
The EDPB-EDPS's joint opinion outlines a range of recommendations for the EU's AI regulatory proposal. Companies operating in the EU should be aware of ongoing requirements for transparency, documentation, data protection, and employee training as the regulatory framework evolves. While adjustments to compliance timelines may be introduced, core obligations regarding accountability and protection of individual rights remain focal points in the discussion.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
