A view from Brussels: Simplification? Barely. Uncertainty? For sure.

Until now, practitioners were able to operate under a reasonably robust assumption that they could rely on legitimate interest to train their artificial intelligence models. Of course, it is one thing to say they can use this legal basis; it is another to conclude that it might be the only legal basis available. 

Regardless, practitioners could point to the European Data Protection Board's December 2024 opinion, which lays out accountability conditions for controllers to use legitimate interest as a legal basis in the development and deployment phases of AI models in some cases. They could also rely on scholars' literature supporting this legal reasoning. 

The European Commission's proposal, in its pending Digital Omnibus, to codify this interpretation of the EU General Data Protection Regulation and its application in the AI training context, therefore, made sense on paper. This would enshrine into law what the practice has been on the ground, providing primary law coverage, aligned with European privacy regulators' opinions. The best of both worlds. 

And then, came the first plot twist. In a February 2026 joint opinion, the EDPB and European Data Protection Supervisor, while agreeing with the Commission's premise, opposed that this inclusion was not needed and that if kept in the final text, its condition of application should be clarified. 

Stakeholders across industry groups and civil society also shared a range of concerns. Legitimate interest must meet a high bar of accountability, but some note that this amendment could create a loophole enabling large-scale processing of personal data for AI without the ability for users to give consent. 

A second, more pivotal plot twist happened a few days ago. News reports emerged relaying that the Council of the European Union is considering removing the inclusion of legitimate interest as a legal basis for AI in the omnibus proposal. 

One way to look at it is that, by asking to remove this proposed amendment to the GDPR, the Council is preserving the status quo that predated the Omnibus proposal: an opinion commonly agreed to by European data protection authorities that says it is okay to use legitimate interest, provided organizations meet certain conditions.

However, the fact that legislators may end up removing this provision from the Commission's proposal is sending mixed signals: do member states disagree with its substance or do they merely think it is not needed?

In fact, the primary short-term effect of these negotiations is to fuel uncertainty. Removing this proposed language from the GPDR amendment could cancel out some level of legal clarity painstakingly acquired, in part thanks to the EDPB guidance which, as an aside, is not even binding. 

It also eliminates a chance for legislators to examine how GDPR requirements associated with the use of legitimate interest apply in real-life AI use cases, another area that raises a lot of compliance challenges under the current regime. 

This debate is an important one. Where the chips fall will have immense consequences on AI-based innovation in Europe and will determine, in part, how bold companies can afford to be in this space.