EU Digital Omnibus Drops Legitimate Interest for AI Training
Summary
This IAPP opinion piece analyzes ongoing uncertainty in the EU regarding whether legitimate interest can serve as a legal basis for training artificial intelligence models under the GDPR. The European Commission's proposed Digital Omnibus would codify the EDPB's December 2024 opinion permitting legitimate interest for AI training under certain accountability conditions. However, the Council of the European Union is reportedly considering removing this proposed provision from the final text, contrary to the EDPB and European Data Protection Supervisor's February 2026 joint opinion that while agreeing with the premise, opposed the inclusion as unnecessary. Stakeholders across industry and civil society have raised concerns that the amendment could create a loophole enabling large-scale processing of personal data for AI without user consent.
About this source
GovPing monitors IAPP Privacy News for new data privacy & cybersecurity regulatory changes. Every update since tracking began is archived, classified, and available as free RSS or email alerts — 46 changes logged to date.
What changed
This article discusses the evolving regulatory landscape surrounding the use of legitimate interest as a legal basis for AI model training under the GDPR. The piece describes how organizations relying on legitimate interest for AI training could face heightened uncertainty if the Council of the European Union removes the proposed codification from the Digital Omnibus. While the current EDPB guidance permits legitimate interest under certain accountability conditions, stakeholders express concern that removing the proposed amendment could either preserve the status quo or eliminate a hard-won opportunity for legislative clarity. Companies developing or deploying AI models in Europe should monitor these legislative negotiations closely as the outcome will directly affect their data processing legal bases and compliance strategies.
The implications for affected parties center on planning and legal certainty. Technology companies and organizations using personal data to train AI models in the EU cannot currently rely on a stable legislative foundation for their data processing operations. Without codification in the Digital Omnibus, the sector must continue relying on EDPB guidance that, while persuasive, is not binding. This creates ongoing compliance risk for AI-based innovation in Europe.
Archived snapshot
Apr 24, 2026GovPing captured this document from the original source. If the source has since changed or been removed, this is the text as it existed at that time.
OPINION Published
23 April 2026
Subscribe to IAPP Newsletters Editor's note
The IAPP is policy neutral. We publish contributed opinion pieces to enable our members to hear a broad spectrum of views in our domains.
Until now, practitioners were able to operate under a reasonably robust assumption that they could rely on legitimate interest to train their artificial intelligence models. Of course, it is one thing to say they can use this legal basis; it is another to conclude that it might be the only legal basis available.
Regardless, practitioners could point to the European Data Protection Board's December 2024 opinion, which lays out accountability conditions for controllers to use legitimate interest as a legal basis in the development and deployment phases of AI models in some cases. They could also rely on scholars' literature supporting this legal reasoning.
The European Commission's proposal, in its pending Digital Omnibus, to codify this interpretation of the EU General Data Protection Regulation and its application in the AI training context, therefore, made sense on paper. This would enshrine into law what the practice has been on the ground, providing primary law coverage, aligned with European privacy regulators' opinions. The best of both worlds.
And then, came the first plot twist. In a February 2026 joint opinion, the EDPB and European Data Protection Supervisor, while agreeing with the Commission's premise, opposed that this inclusion was not needed and that if kept in the final text, its condition of application should be clarified.
Stakeholders across industry groups and civil society also shared a range of concerns. Legitimate interest must meet a high bar of accountability, but some note that this amendment could create a loophole enabling large-scale processing of personal data for AI without the ability for users to give consent.
A second, more pivotal plot twist happened a few days ago. News reports emerged relaying that the Council of the European Union is considering removing the inclusion of legitimate interest as a legal basis for AI in the omnibus proposal.
One way to look at it is that, by asking to remove this proposed amendment to the GDPR, the Council is preserving the status quo that predated the Omnibus proposal: an opinion commonly agreed to by European data protection authorities that says it is okay to use legitimate interest, provided organizations meet certain conditions.
However, the fact that legislators may end up removing this provision from the Commission's proposal is sending mixed signals: do member states disagree with its substance or do they merely think it is not needed?
In fact, the primary short-term effect of these negotiations is to fuel uncertainty. Removing this proposed language from the GPDR amendment could cancel out some level of legal clarity painstakingly acquired, in part thanks to the EDPB guidance which, as an aside, is not even binding.
It also eliminates a chance for legislators to examine how GDPR requirements associated with the use of legitimate interest apply in real-life AI use cases, another area that raises a lot of compliance challenges under the current regime.
This debate is an important one. Where the chips fall will have immense consequences on AI-based innovation in Europe and will determine, in part, how bold companies can afford to be in this space.
This article originally appeared in the Europe Data Protection Digest, a free weekly IAPP newsletter. Subscriptions to this and other IAPP newsletters can be found here .
This content is eligible for Continuing Professional Education credits. Please self-submit according to CPE policy guidelines.
Contributors:
Isabelle Roccia
CIPP/E
Managing Director, Europe
IAPP
Tags:
Law and regulation GDPR Privacy
Related Stories
### EU Digital Omnibus: Analysis of key changes 9 Dec. 2025
ANALYSIS
### Former AI Act negotiator Laura Caroli on the proposed EU Digital Omnibus for AI 17 Dec. 2025
### Notes from the AI Governance Center: What the EU's proposed Digital Omnibus means for AI governance professionals 17 Dec. 2025
OPINION
### EU Digital Omnibus amendments to GDPR to facilitate AI training miss the mark 9 Feb. 2026
OPINION
Mentioned entities
Related changes
Get daily alerts for IAPP Privacy News
Daily digest delivered to your inbox.
Free. Unsubscribe anytime.
About this page
Every important government, regulator, and court update from around the world. One place. Real-time. Free. Our mission
Source document text, dates, docket IDs, and authority are extracted directly from IAPP.
The summary, classification, recommended actions, deadlines, and penalty information are AI-generated from the original text and may contain errors. Always verify against the source document.
Classification
Who this affects
Taxonomy
Browse Categories
Get alerts for this source
We'll email you when IAPP Privacy News publishes new changes.
Subscribed!
Optional. Filters your digest to exactly the updates that matter to you.