Get Started

Digital Omnibus on AI : Clarifying the Application of the GDPR to Artificial Intelligence Models

Executive Summary

The Digital Omnibus on AI refers to a European initiative aimed at clarifying the application of the GDPR to artificial intelligence systems, particularly foundation models and generative AI.
It does not constitute a new standalone regulation, but rather a structured and operational interpretation of existing obligations, in line with the AI Act (Regulation (EU) 2024/1689).

1. Legal Context and Regulatory Timeline

  • The GDPR has been applicable since 25 May 2018.
  • The Artificial Intelligence Regulation (AI Act) was adopted in 2024.
  • Its application is progressive between 2025 and 2026, depending on the category of systems concerned.
  • The Digital Omnibus fits within this transitional phase, with the aim of ensuring regulatory consistency between data protection law and AI regulation.

👉 Its primary objective is to prevent a purely theoretical application of the GDPR that would be incompatible with the technical realities of AI models, without weakening the protection of individuals.

2. Personal Data and AI: An Unchanged Criterion, a Renewed Application

2.1 Applicable Legal Principle

Under Article 4(1) of the GDPR, personal data means any information relating to an identified or identifiable natural person.

This criterion:

  • is technologically neutral,
  • applies regardless of the type of processing,
  • is based on the concept of identifiability, whether direct or indirect.

2.2 The Question of Models and Their Parameters

The Digital Omnibus highlights a central legal debate, without definitively resolving it:

  • The internal parameters of a model (weights, embeddings, latent space)
    ➜ are not automatically classified as personal data.
  • They may nevertheless fall within the scope of the GDPR where there is a reasonable possibility of re-identifying an individual from the model.

This assessment must be conducted on a case-by-case basis, taking into account:

  • technical extraction or inversion capabilities,
  • the state of the art,
  • the means reasonably available to the controller.

👉 The legal analysis remains grounded in the risk of identification, not in the abstract nature of the technical object.

3. Information Obligations and the Training of AI Models

3.1 General Principle

Article 14 of the GDPR requires individuals to be informed when their data are collected indirectly.

In the context of generative AI:

  • data often originate from public sources,
  • training relies on massive datasets,
  • individualized information may prove materially complex.

3.2 Framing of Exceptions

The Digital Omnibus reiterates that:

  • the exception based on disproportionate effort (Article 14(5)(b))
    ➜ is neither automatic nor general.
  • it must be strictly justified, documented, and proportionate.

The AI Act complements this approach through structured transparency obligations, including:

  • information on the main categories of data used,
  • a description of training purposes,
  • coordination with the protection of trade secrets.

4. Right of Access and Generative AI: Scope and Limits

4.1 Legal Basis

The right of access under Article 15 of the GDPR allows individuals to obtain:

  • confirmation that processing exists,
  • access to their personal data,
  • information about the general logic of the processing.

4.2 Application to AI Models

The Digital Omnibus introduces a key distinction:

  • The right of access covers:
    • personal data relating to the individual,
    • system outputs where they are linked to that individual.
  • It does not extend to:
    • the models themselves,
    • algorithms,
    • internal parameters as such.

Where data have been integrated into a model in an irreversible and anonymized manner, the right of access may be limited, provided that:

  • such impossibility is objectively demonstrated,
  • it is documented within the system’s governance framework.

5. Operational Impact of the Digital Omnibus for Companies

The Digital Omnibus confirms a clear shift:

  • AI compliance is becoming a matter of legal and technical data engineering,
  • every technical choice must be capable of being explained, justified, and documented.

It does not create new autonomous obligations, but rather:

  • strengthens traceability requirements,
  • mandates a combined reading of the GDPR and the AI Act,
  • increases accountability across the entire AI value chain.

Conclusion

The Digital Omnibus on AI marks the end of an abstract approach to compliance.
It establishes a contextualized, proportionate, and technically informed application of the GDPR to artificial intelligence systems.

By 2025–2026, the legal certainty of AI projects will depend less on formal declarations and more on an organization’s ability to demonstrate robust governance of data and models.

 

Facebook
Pinterest
Twitter
LinkedIn

Latest Post

Streamlines and optimizes legal processes!
Linkedin

Links

Legal

Contact

Exadvize © Copyright 2024 - 2026. All Rights Reserved