This week at a glance
• The April 28 political trilogue on the AI Omnibus is days away, with Member States aligning on high-risk timelines, AI Office competence, and sensitive data use
• A key GDPR change is taking shape: a dataset could soon be “personal” for one controller but not another
• The data/GDPR track is now moving in parallel with the AI track, not trailing behind
Countdown to April 28: what’s on the table
The second political trilogue on the AI Omnibus takes place on April 28. Ahead of it, two Council-level meetings this week signal where things are heading.
Coreper received an update on interinstitutional negotiations on April 20, with Member States preparing common lines on high-risk timelines, AI Office competence, and the use of sensitive data for bias correction. Separately, a Council working party convened on April 17 to discuss the full Digital Omnibus package. That’s notable: it’s the first visible sign that the data/GDPR track is now moving in parallel with the AI track.
The GDPR is being quietly rewritten, and deidentification is at the center
While most eyes are on the AI track, a proposed shift in GDPR Article 4 could matter just as much. An IAPP analysis published on April 16 argues that the Omnibus would codify a “relative approach” to personal data. In practice, a dataset could be considered “personal” for one controller but not another, depending on the means reasonably available to each.
The goal: unblock data-sharing deadlocks like the Scania/SRB cases under the Data Act. But if adopted, it would come with a new burden. Controllers would increasingly need documented deidentification narratives rather than simple assertions that data is anonymous.
The proposed GDPR changes also include a single EU-wide DPIA list and template replacing the current 27 national lists. The EDPB is already consulting on the DPIA template (deadline: June 9, 2026), which gives an early sense of where things are heading.
Also this week
Commissioner Michael McGrath framed the Digital Omnibus as part of a wider single-market push at an IAPP event on April 16, positioning EU Inc. and the European Business Wallet as the next simplification layer. On the other side, EDRi warned that the Omnibus quietly rewrites the EU data acquis by folding multiple instruments into the Data Act, concentrating power with large actors before the existing framework has been fully implemented. For a consolidated view of where each institution stands before April 28, the MediaLaws Digital Omnibus Legislative Tracker is the cleanest single source available.
Worth watching
None of this is law yet. The Omnibus is still a proposal in trilogue, and anything could change before formal adoption. That said, a few things are worth keeping on your radar:
- The April 28 political meeting. If a political agreement lands, the timeline toward formal adoption accelerates. We’ll cover the outcome next week.
- The relative approach to personal data. If it makes it into the final text, it would change how businesses think about deidentification. Worth understanding now, even if action comes later.
- The GDPR track in general. It’s easy to focus on the AI headlines, but the data provisions could affect day-to-day compliance just as much.