Innovation Law Insights

Legal Break

Digital Omnibus and AI training: Will legitimate interest redefine the rules?

In the latest episode of Legal Break, Giulio Coraggio examines whether the proposed Digital Omnibus amendment could reshape the legal basis for AI training in Europe. Could legitimate interest under the GDPR become a more viable foundation for training AI systems under the EU AI Act framework? The implications for AI developers and deployers are significant. Watch the full episode here.

 

Privacy and cybersecurity

EDPB and EDPS joint opinion on the Digital Omnibus: Support for simplification, resistance to redefining personal data

The EDPB and EDPS joint opinion on the Digital Omnibus supports the European Commission’s goal of simplifying EU digital rules and strengthening competitiveness. But it firmly opposes proposed changes to the GDPR definition of personal data, warning that the amendments could narrow the scope of EU data protection law and weaken established case law. This tension between simplification and structural change lies at the heart of the current policy debate.

Adopted on 10 February 2026 by the European Data Protection Board and the European Data Protection Supervisor, the opinion is both pragmatic and cautious. It welcomes targeted reforms but draws a clear line where fundamental concepts are concerned.

What the EDPB and EDPS joint opinion on the Digital Omnibus supports

The EDPB and EDPS joint opinion on the Digital Omnibus doesn’t reject reform. On the contrary, it endorses several measures aimed at improving clarity and reducing unnecessary burden. In particular, the supervisory authorities support:

• adjustments to data breach notification rules;
• clarifications regarding Data Protection Impact Assessments (DPIAs);
• provisions facilitating processing for scientific research;
• lawful use of biometric data in identity verification; and
• efforts to reduce cookie banner fatigue under the ePrivacy framework.

These changes aim to optimise the application of the digital rulebook. They also seek to improve harmonisation and legal certainty across member states.

From a policy perspective, this reflects realism. Compliance can be simplified without lowering protection standards.

The core disagreement: Redefining personal data

The real friction identified in the EDPB and EDPS joint opinion on the Digital Omnibus concerns the proposed amendment to Article 4(1) GDPR.

The Commission suggests clarifying that information shouldn’t be considered personal data for an entity if that entity cannot reasonably identify the individual concerned, even if another entity could. At first glance, this appears technical. But the supervisory authorities view it as structural.

According to the joint opinion, redefining personal data in this way risks narrowing its scope and departing from established CJEU case law. The opinion also criticises defining personal data by describing what it is not. In their view, that approach could increase legal uncertainty.

The EDPB and EDPS oppose empowering the Commission, via implementing acts, to determine when pseudonymized data ceases to qualify as personal data. This decision directly affects the scope of EU data protection law. This isn’t a minor drafting issue. It concerns the gateway to the GDPR itself.

Why this debate matters for pseudonymization and AI

The EDPB and EDPS joint opinion on the Digital Omnibus comes at a sensitive moment. The EDPB is updating guidance on pseudonymization, while businesses are navigating interactions between the GDPR, the Data Act and AI regulation.

If personal data becomes more entity-specific, several practical questions arise:

• Will cross-border enforcement remain consistent?
• Could supervisory authorities interpret identifiability differently?
• How will organisations manage conflicts between GDPR obligations and Data Act data-sharing requirements?
• Will anonymisation become more flexible, or more uncertain?

The joint opinion also raises concerns about:

• legitimate interest as a basis for AI model training;
• automated decision-making safeguards;
• incidental processing of special categories of data; and
• fragmentation between GDPR and ePrivacy instruments.

So the issue isn’t theoretical. It directly affects innovation, compliance design and enforcement coherence.

Simplification versus structural shift

The Commission’s Digital Omnibus aims to modernise and streamline EU digital regulation. That objective is understandable. Businesses need predictability and coherence. But the EDPB and EDPS joint opinion on the Digital Omnibus highlights a critical distinction. Simplifying procedures isn’t the same as redefining core legal concepts.

The definition of personal data determines when the GDPR applies. Changing that definition means altering the scope of the entire regulatory framework. This is a strategic choice. A more contextual definition may provide flexibility. But it could also introduce fragmentation if different actors assess identifiability differently. The policy question is clear: can Europe modernise its digital rulebook while preserving a stable and uniform concept of personal data?

The broader implications

The EDPB and EDPS joint opinion on the Digital Omnibus signals support for competitiveness and innovation. At the same time, it insists on maintaining trust and a high level of protection for fundamental rights. Trust remains the foundation of EU data governance.

If simplification reduces red tape while preserving legal certainty, it strengthens the system. If structural redefinitions create grey zones, they may generate new forms of uncertainty. The coming legislative negotiations will determine whether the Omnibus remains a technical optimisation exercise or becomes a deeper recalibration of EU data protection architecture. Either way, the debate over the EDPB and EDPS joint opinion on the Digital Omnibus marks a pivotal moment in the evolution of the GDPR.

Author: Giulio Coraggio

 

EU Court of Justice clarifies the challengeability of EDPB binding decisions under the GDPR

The judgment delivered by the Court of Justice of the European Union (ECJ) on 10 February 2026 in WhatsApp Ireland v European Data Protection Board (Case C-97/23 P) represents a significant development in EU data-protection litigation.

The ECJ addressed a systemic question concerning the effectiveness and the challengeability of binding decisions adopted by the European Data Protection Board (EDPB) within the GDPR cooperation and consistency mechanism. By recognizing that certain EDPB decisions constitute acts open to challenge under Article 263 TFEU, the ECJ strengthened procedural safeguards for undertakings affected by multi-authority enforcement under the GDPR.

The case

The dispute originated from complaints submitted to the Irish Data Protection Commission concerning WhatsApp’s compliance with GDPR transparency and information obligations. This led the Irish authority, in December 2018, to open an ex officio investigation into the company’s data-processing practices.

Following that investigation, and in accordance with the GDPR cooperation mechanism, the Irish supervisory authority circulated a draft decision in December 2020 to the other concerned supervisory authorities. Disagreements emerged regarding key aspects of the draft decision, including the interpretation of some GDPR provisions and the corrective measures to be imposed. As no consensus could be reached, the matter was referred to the EDPB pursuant to Article 65 GDPR.

The EDPB subsequently adopted Binding Decision 1/2021, resolving the dispute between national authorities. In that decision, the Board found that some GDPR provisions had been infringed and required the Irish supervisory authority to amend its envisaged corrective measures, including the level of administrative fines. On the basis of that binding determination, the Irish authority issued its final decision imposing fines totalling EUR225 million on WhatsApp.

WhatsApp then sought to challenge the EDPB decision directly before the EU Courts by bringing an action for annulment before the General Court.

The judicial decisions

By order of 7 December 2022, the General Court dismissed the action as inadmissible, holding that the EDPB binding decision didn’t constitute a reviewable act under Article 263 TFEU because it represented merely an intermediate step in the administrative procedure. According to the General Court, only the final decision of the Irish supervisory authority produced legal effects vis-à-vis WhatsApp, which could therefore seek judicial protection before national courts by challenging that national decision.

On appeal, the ECJ adopted a markedly different approach, placing particular emphasis on the legal effects and binding nature of EDPB dispute-resolution decisions, recognising that the decisions constitute acts open to challenge before the EU Courts.

The ECJ’s reasoning centres on the binding nature of EDPB decisions vis-à-vis national supervisory authorities. The decisions definitively resolve the issues submitted to the Board and bind national authorities without leaving them any discretion as to the findings of infringement or the corrective measures to be implemented.

By binding national supervisory authorities, EDPB decisions ultimately affect the undertakings concerned, since – although the final enforcement measure is formally adopted by the national authority – its legal basis is shaped by the EDPB’s interpretation and determinations. Accordingly, EDPB decisions don’t constitute an intermediate act, but rather an act fully open to challenge.

The ECJ set aside the General Court’s order and referred the case back to it for examination of the merits, including the underlying GDPR infringement findings.

Conclusions

The judgment provides an important clarification on a matter that has been widely debated since the GDPR entered into force and is likely to have significant practical implications for the enforcement architecture of EU data protection law. By confirming the challengeability of EDPB binding decisions, the ECJ strengthens judicial protection for undertakings subject to cross-border enforcement procedures, ensuring that companies may challenge not only national decisions issued by local data protection authorities but also the EDPB determinations that form their legal foundation.

The forthcoming judgment of the General Court on the merits will determine the substantive implications of the case. In any case, the ECJ has already delivered a key procedural clarification: EDPB binding decisions aren’t merely internal coordination measures, but reviewable acts capable of directly affecting regulated entities.

Author: Federico Toscani

 

Intellectual Property

SME Fund 2026: EU incentives supporting the protection of intellectual property

The 2026 edition of the SME Fund has been launched by the European Union Intellectual Property Office (EUIPO), with the support of the European Commission and in coordination with the national intellectual property offices. The program is addressed to small and medium-sized enterprises (SMEs) established in the EU.

The initiative is designed to support SMEs in accessing and managing intellectual property protection tools, which are increasingly recognised as strategic assets for business competitiveness and growth. The fund operates through a voucher-based system, allowing eligible SMEs to recover a significant portion of the costs incurred in relation to intellectual property.

For 2026, the support measures available to SMEs are structured as follows:

• IP Scan voucher: reimbursement of up to 90% of the costs for IP pre-diagnostic services, aimed at identifying the SME’s intellectual property needs and supporting the protection and enforcement of IP rights.
• Trademarks and designs voucher: reimbursement of up to 75% of the official fees for the registration of trademarks and designs at national, regional and European level.
• Patents voucher: reimbursement of up to 75% of the official fees related to patent application procedures.
• Plant varieties voucher: reimbursement of 75% of the costs incurred for the protection of Community plant variety rights.

Applications for the 2026 SME Fund can be submitted from 2 February 2026 to 4 December 2026. As the available budget is limited, the call may close earlier than the stated deadline if funds are exhausted.

The 2026 call builds on a well-established program. Since the introduction of the SME Fund in 2021, 100,000 European SMEs have already benefited from the initiative, with total grants amounting to approximately EUR68 million. In 2025 alone, more than 33,000 SMEs received reimbursements totalling around EUR29 million.

A further noteworthy aspect concerns the profile of the beneficiaries: approximately 80% of applying SMEs are engaged with intellectual property protection for the first time. This highlights the role of the SME Fund not only as a financial support mechanism, but also as a key driver in promoting IP awareness and embedding innovation protection within SME business strategies.

The 2026 SME Fund is a concrete opportunity for European SMEs to enhance and protect their intangible assets. Interested SMEs are encouraged to review the application procedures carefully, keeping in mind that resources are limited. For further details, official updates, or guidance on submitting applications, it is advisable to consult the SME Fund page on the EUIPO website or contact a professional specializing in intellectual property.

Application to amend the patent, front-loaded procedural system, new facts and evidence

On 29 December 2025, the UPC Court of Appeal ruled on the limits within which new allegations and new evidence can be introduced where an application to amend the patent is lodged.

The dispute arose from an action for revocation brought before the Paris Central Division, in which the defendant sought dismissal of the claimant’s requests and, in the alternative, lodged an application to amend the patent by way of auxiliary requests.

Pursuant to Rule 43.3 RoP, which requires the claimant to take a position on the proposed amendments, the claimant lodged a defence to the application to amend the patent, accompanied by further submissions and new evidence in support of the alleged invalidity of the patent. The Court of First Instance, finding that the patent lacked an inventive step, revoked the patent.

In the appeal proceedings, the patent proprietor challenged the decision primarily on the grounds that the Court of First Instance had wrongly admitted the facts and evidence introduced by the claimant in the defence to the application to amend the patent. According to the appellant, the Paris Central Division had misapplied the principles governing the front-loaded procedural system by allowing submissions that should have been raised in the initial statement for revocation.

The Court of Appeal reiterated that the defence to the application to amend the patent doesn’t provide an opportunity to introduce new grounds of invalidity in relation to the patent as granted. It stressed that a distinction must be drawn between the grounds, facts and evidence relied on in relation to the patent as granted and those relied on in relation to the proposed amendments.

In defining this distinction, the court recalled the general principles governing proceedings before the UPC. Under the front-loaded procedural system, the parties have to set out their full case as early as possible, as stated in the Preamble to the Rules of Procedure. But the court emphasized that these provisions must be interpreted in light of the principle of proportionality and must not be applied in an overly strict manner.

Referring to OrthoApnea (UPC_CoA_456/2024), the court recalled that specific new arguments may be admitted where the circumstances of the case so justify. Fairness in the application of the adversarial principle may require that a claimant in an action for revocation be allowed to introduce new facts and evidence in response to the arguments raised by the patent proprietor.

This may include evidence intended to prove a point the claimant already relies on, such as the common general knowledge of the skilled person, or evidence aimed at rebutting material submitted by the patent proprietor on that same point.

Applying these principles, the Court of Appeal upheld the decision of the Court of First Instance and confirmed the rejection of the auxiliary requests. The court clarified that allowing new facts or evidence in the context of a defence to the application to amend the patent mustn’t undermine the front-loaded procedural system but must remain confined to what is justified by the proposed amendments and required by fairness and proportionality.

Author: Laura Gastaldi

 

---

Innovation Law Insights is compiled by DLA Piper lawyers, coordinated by Edoardo Bardelli, Carolina Battistella, Noemi Canova, Gabriele Cattaneo, Giovanni Chieco, Maria Rita Cormaci, Camila Crisci, Cristina Criscuoli, Tamara D’Angeli, Chiara D’Onofrio, Federico Maria Di Vizio, Enila Elezi, Laura Gastaldi, Vincenzo Giuffré, Nicola Landolfi, Giacomo Lusardi, Valentina Mazza, Lara Mastrangelo, Maria Chiara Meneghetti, Giulio Napolitano, Andrea Pantaleo, Deborah Paracchini, Maria Vittoria Pessina, Tommaso Ricci, Marianna Riedo, Rebecca Rossi, Roxana Smeria, Massimiliano Tiberio, Federico Toscani, Giulia Zappaterra.

Articles concerning Telecommunications are curated by Massimo D’Andrea, Flaminia Perna, Matilde Losa and Arianna Porretti.

For further information on the topics covered, please contact the partners Giulio Coraggio, Marco de Morpurgo, Gualtiero Dragotti, Alessandro Ferrari, Roberto Valenti, Elena Varese, Alessandro Boso Caretta, Ginevra Righini.

Learn about Prisca AI Compliance, the legal tech tool developed by DLA Piper to assess the maturity of AI systems against key regulations and technical standards here.

You can learn more about “Transfer”, the legal tech tool developed by DLA Piper to support companies in evaluating data transfers out of the EEA (TIA) here, and check out a DLA Piper publication outlining Gambling regulation here, as well as Diritto Intelligente, a monthly magazine dedicated to AI, here.

If you no longer wish to receive Innovation Law Insights or would like to subscribe, please email Silvia Molignani.