On 7 May, the European Parliament and the Council of the EU (the "Council") reached a provisional agreement on the Digital Omnibus on AI (the "AI Omnibus"). This agreement is the last procedural step before the final vote.

The final agreement significantly weakens several important safeguards in the AI Act, as Liberties and other civil society organizations have been warning could happen. It is also an ominous sign as lawmakers continue to negotiate another omnibus proposal that could similarly weaken key EU data-protection legislation.

The Digital Omnibus package

In November 2025, the European Commission released its Digital Omnibus package, which includes two de-regulatory proposals: the Digital Omnibus and the AI Omnibus.

Built under the narrative of "simplification" – reduce administrative burdens for companies to make the EU more economically competitive – both Omnibuses risk undoing many of the hard-won protections for data protection, privacy and from harmful AI applications.

Indeed, hidden behind the “simplification” euphemism is reality that the new proposals will delay essential fundamental rights safeguards and give Big Tech exactly what it has been lobbying for.

The Digital Omnibuses aims to deregulate key aspects of the AI Act (in the AI Act Omnibus) the General Data Protection Regulation (GPDR) and the ePrivacy Directive (in the Data Omnibus), bowing to industry pressure while also opening the European market to riskier technologies, creating market distortion and legal uncertainty. Liberties has strongly advocated against these two proposals, and will continue to do so as they are pushed along this accelerated, unprecedented legislative process.

AI Omnibus takes aim at important safeguards

The risk is already becoming real. The AI Omnibus, agreed upon by EU lawmakers on 7 May and pending final passage in June, will formally delay the application of the AI Act’s obligations for high-risk AI systems. Fundamental rights safeguards that are supposed to go into force in August 2026 will instead be pushed off for more than a year, until December 2027: The agreement will now postpone the enforcement of the AI Act for high-risk AI systems until December 2027 from certain obligations.

Among other changes, the AI Omnibus: enables expanded use of sensitive personal data for detecting and mitigating bias within all AI systems, whether they are deemed high-risk or not; waters down AI literacy requirements for providers and deployers of AI systems, eroding the human-oversight safeguard; exempts AI in industrial applications from certain aspects of the scope of the law until specific sectoral legislation is adopted; and reduces the information providers of high-risk applications must disclose in the public database registry. The only good news is that the EU database registration obligation for non-high-risk systems was largely saved.

The AI Omnibus is likely to be adopted in the June 2026 Plenary session of the European Parliament. If this happens, it will be one of the fastest procedures to adopt digital legislation in the last decade and a serious step backwards for fundamental rights. It will likely open the door for even more calls to reduce burdens for companies and safeguards for people. De-regulation is a big priority for most governments and corporations, and this is felt in the rush to adopt this piece of legislation.

For the AI Omnibus, our main demands were:

• First, the proposal should have not taken place, especially given that the AI Act was not entered into application. Furthermore, there should have been a proper impact assessment and a serious consultation process before proposing any changes. None of this has happened.
• The public register is essential: Under the present AI Act, if a company develops or provides a system that appears high-risk but decides it isn’t, they must publicly register that decision. This allows journalists, researchers, and civil society to investigate these companies. The original proposal would have deleted this requirement entirely, which would have been the equivalent to removing the requirement for food companies to list ingredients. Thankfully this requirement was mostly stopped.
• The delay of application of the AI Act, and especially of high-risk systems, means that these systems can continue operating without adequate safeguards. We know about cases with terrible consequences, leaving people exposed to errors, bias, and discrimination for far longer.
• When adding the Data Omnibus (see below), the attack on fundamental rights protections becomes even more dangerous.

Data Omnibus moving at a slower pace

The Data Omnibus, on the other hand, is moving slowly. Discussions will start in Parliament in earnest in May, and all indications are that it will take time to reach agreements in the Parliament and in the Council. Autumn will be crucial, so anyone interested in preparing amendments and influencing policy-makers in Brussels or in Member State capitals should keep that in mind.

On 1 July, Ireland will take over the Presidency of the Council of the EU. Although Presidencies tend to have (in theory) a managerial rather than a decisive role in the Council, lax enforcement of the GDPR in Ireland may translate into aggressive changes to the GDPR and ePrivacy being pushed through quickly. At the same time, it is also possible that the Irish Presidency decides to adopt a low profile to clean up its image as a Big Tech haven (for tax and data protection alike).

A surprising factor in the Data Omnibus is that the Council is taking the role of the defense of core protections in the GDPR, while the Parliament (despite some notable exceptions) may be the one ready to reduce protections for people to defend business interests. For the Data Omnibus, our main areas of work are:

• Definition of personal data: The proposed text redefines what constitutes personal data, leading to a more vague definition that may open the gates for the (ab)use of personal information, especially by AI Applications.
• Legitimate abuse: AI will use your personal information under the “legitimate interest” exception, created for low-risk situations. If this change goes through, AI companies will be able to abuse our personal data (including intimate photos, private documents, or chat history) without asking permission.
• Right to access: The proposed changes to Article 12, which regulates access to personal data, will make it more difficult for people to access their personal data held by companies.
• Automated welfare: Automated decision making (ADM) has been the target of numerous controversies, including the infamous scandal in Dutch social welfare distribution, among others. The changes to Article 22 could allow ADM to be used more intensively, as we will see a reduction in our right to object to decisions made by machines on issues such as job applications.
• Cookies: Nothing generates more consensus than anger against cookie banners. Although the legislator has lost opportunities to ban surveillance advertising, it may be possible (but very difficult) to ensure that users can send a "do not track" (DNT) signal in their browsers and operative systems for non-technical cookies, finally getting rid of both corporate surveillance and cookie banners. However, given publishers' dependence on the existing ad tech industry, this will be an uphill battle.
  
  

Liberties is following developments around both omnibuses closely and will continue to provide updates as they become available. Stay tuned by subscribing to our newsletter and considering supporting Liberties or your local Liberties member so we can continue our work.

Further reading:

Liberties’ Digital Omnibus campaign page

Liberties’ response to the European Commission’s Digital Omnibus Simplification Agenda Call for Evidence

Liberties’ analysis of the Digital Omnibus proposals.