The comfortable story in Westminster goes like this: the EU regulates, Britain builds, and Brexit handed the UK a lighter rulebook to win the AI race with. That story is now out of date. Brussels is quietly unpicking its own data protection regime through a package called the Digital Omnibus, and a leading UK research institute has just warned that the changes, taken together, would hollow out the very protections the EU once held up as its strategic export. The headline matters for Britain in a way that is easy to miss: the EU is not getting tougher on AI. It is getting looser, and that changes the calculation behind the UK’s regulatory bet.
What the Digital Omnibus actually is
The Digital Omnibus is a European Commission proposal to amend several existing digital laws at once, including the General Data Protection Regulation (GDPR) and the AI Act. It is being sold as simplification: fewer overlapping obligations, less friction for companies building with data. Much of the public debate has picked over the amendments one article at a time, asking whether each individual change is reasonable on its own.
The Ada Lovelace Institute, a UK think-tank focused on data and AI, has taken a different and more useful view. Drawing on legal analysis by Professor Philipp Hacker, its researchers argue that the right question is not whether each amendment is sound in isolation, but what the amendments achieve in combination. Their answer is uncomfortable. Five changes to the GDPR, read together, narrow the scope of data protection law and open routes for actors to sidestep duties they would rather not meet.
Strategic Reality: Regulation is read holistically by courts and gamed holistically by companies. A package can be defensible article by article and still produce a worse outcome than the sum of its parts. That is the lesson Britain should take from this, whatever it thinks of the EU.
The real story: deregulation by accumulation
The Ada Lovelace analysis lands on a distinction worth holding onto. The concern is not that a well-meaning company applies the new rules badly and protection slips by accident. The concern is the opposite: a company motivated to minimise its obligations now has more lawful room to do so. Lower protection becomes a design choice, not a mistake.
| Mechanism in the Omnibus | What it changes | Cumulative effect |
|---|---|---|
| Relative definition of personal data (Art 4(1)) | Data is not “personal” for an organisation that lacks the means to re-identify someone | Entire networks, such as the advertising industry, could fall outside GDPR even if other firms in the chain can re-identify people |
| Security duties tied to that definition (Art 32) | Protection obligations fall away when data is deemed non-personal | ”Anonymised” data can be stored in less secure environments, against a backdrop of rising cyber-attacks |
| Broadened “scientific research” (Art 4(38)) | Accentuates the permissibility of commercial interests | Commercially motivated AI training can claim research privileges and relaxed purpose limits |
| Sensitive-data AI carve-out (Art 9(2)(k), 9(5)) | Residual sensitive data may stay in a model if removal needs “disproportionate effort” | Safeguards are bypassable via the separate research route in Art 9(2)(j) |
| Commission power over pseudonymisation (Art 41a) | The Commission decides by implementing act what is no longer personal data | Removes that judgement from independent supervisory authorities |
What’s really happening: three routes around the rules
The institute illustrates the cumulative effect with three worked examples, and they are worth understanding because they show how circumvention emerges from interaction rather than from any single permissive clause.
The first is the relative definition of personal data. If information is not “personal” for an organisation that cannot itself re-identify someone, then a recipient of nominally anonymised data is no longer compelled to guard it against attack, even if a partner organisation could de-anonymise it. In an era of frequent, serious breaches, that is a security regression dressed as a definitional tidy-up.
The second is a workaround for sensitive data through scientific research. The Omnibus adds safeguards for sensitive data that ends up “residually” inside an AI model. But a controller who labels their processing as scientific research can invoke a separate legal basis that sidesteps those very safeguards. The protection exists, and a motivated actor can route around it.
The third example is the most striking because it requires several articles working in concert. A platform collects personal data under legitimate interest, repurposes it for AI training under the broadened research definition, skips notifying people by claiming disproportionate effort, and trains on sensitive data through the research route that avoids the new safeguards. No single provision authorises this. The outcome emerges only from the interaction of all of them: people browse the web, their data trains a model, and they never know.
Critical Context: The GDPR was deliberately written as a technology-neutral law. Several Omnibus provisions create rules that apply to AI tools but not to equivalent non-AI software. Health data could be processed for an AI recruitment screen but not for a conventional one doing the same job. That asymmetry is the part Britain should study hardest.
Why this is fragile, not just looser
Loosening rules is a policy choice a government is entitled to make. The deeper problem the Ada Lovelace researchers identify is legal fragility. EU primary law, specifically Article 16 of the Treaty on the Functioning of the European Union and Article 8 of the Charter of Fundamental Rights, establishes data protection as a fundamental right of constitutional rank. Secondary legislation like the GDPR must keep protection in line with that standard.
If the Omnibus lowers protection substantially, the package becomes vulnerable to challenge at the Court of Justice of the European Union (CJEU). There is precedent. In Digital Rights Ireland the court struck down an entire directive not because of one bad clause but because its cumulative effect was an unacceptable interference with fundamental rights. The same cumulative-effects reasoning could put the Omnibus into prolonged legal uncertainty, and the proposed power for the Commission to decide what counts as personal data may itself conflict with the requirement for independent oversight.
Reality Check: A rulebook that is easy to comply with but liable to be overturned is not a stable foundation for investment. Legal certainty is a competitive asset. A deregulation that invites years of constitutional litigation trades one kind of friction for a worse kind.
| Stakeholder | What changes | Strategic implication |
|---|---|---|
| UK firms in the EU market | The EU bar moves down, but unpredictably | Plan for a moving target, not a settled lower standard |
| UK policymakers | The “Brussels Effect” weakens as the EU softens | The divergence advantage narrows; UK rules must earn their keep on their own merits |
| Public and data subjects | Effective protection falls | Trust becomes contestable ground, and a possible UK differentiator |
| AI developers | Looser EU training rules near-term | Short-term ease against long-term exposure to CJEU challenge |
What this means for UK AI governance
For years the implicit UK strategy has leaned on a single idea: the EU over-regulates, so Britain can win by regulating less. The Digital Omnibus complicates that idea in three concrete ways, and each calls for a deliberate response rather than quiet satisfaction.
First, the gap between the two regimes is closing from the EU side, not just because Britain stayed light. As Brussels moves toward a more permissive position, the UK’s regulatory distinctiveness shrinks. We argued in The UK’s AI advantage over Europe is real, and not yet earned that the advantage is a window rather than a moat. The Omnibus is one of the forces closing that window.
Second, the “Brussels Effect”, whereby EU rules become the global default because firms standardise on the strictest regime, runs in reverse when Brussels relaxes. UK businesses that built to the GDPR as a worldwide baseline now face a European standard that is lower in places and uncertain everywhere. Compliance planning gets harder, not easier.
Third, and most usefully, the Ada Lovelace critique is a governance manual the UK can read for free. Britain is still designing how it will govern AI, and the central lesson here is method: assess the cumulative effect of rules, not each clause in isolation, and watch for the interaction effects that let motivated actors route around protections. We made the case for getting this right in What Britain must grasp to seize its AI opportunities.
Strategic Insight: The UK does not need to copy the EU or define itself against it. The smarter move is to take the analytical discipline the EU’s critics are demonstrating and bake it into British rule-making from the start, so the UK avoids both over-regulation and the quieter failure of deregulation that creates loopholes.
Priority actions by where you sit
The right response depends on whether you make policy, run a business across both markets, or build AI products.
For UK policymakers and regulators, the action is to treat cumulative-effects assessment as standard practice. When the UK amends or introduces AI and data rules, model how the provisions interact, not just whether each is reasonable. Preserve technology neutrality so that AI tools are not handed exemptions their non-AI equivalents lack, because that asymmetry is both unfair and legally exposed.
For UK businesses operating in the EU, the action is to plan for instability. Do not rebuild your data practices around the lowest point the Omnibus might permit, because that point may be litigated away. Hold to a defensible internal standard, document your reasoning, and treat the GDPR baseline as a risk-managed floor rather than a ceiling to push against.
For AI developers, the action is to separate what is currently lawful from what is durable. Training pipelines that depend on the research workaround or the relative-personal-data definition may work today and collapse under a CJEU ruling tomorrow. Build for the protection standard you can defend, not the one you can momentarily exploit.
Implementation Note: A simple test for any data practice you are considering: would it survive a court reading the rules as a whole, with their fundamental-rights purpose in mind? If the answer depends on reading one clause in isolation, you are building on sand.
Hidden challenges most coverage misses
Four issues sit beneath the headlines and deserve attention from anyone setting UK strategy.
The first is the reversal of the Brussels Effect. The convenience of a single global standard disappears when the standard-setter relaxes selectively. Firms lose the simplicity of “comply with the strictest and you comply everywhere”, and that complexity is a cost in itself. The mitigation is to anchor on a stable internal policy rather than the shifting external minimum.
The second is the confusion of deregulation with simplification. The Omnibus is presented as simplification, but the Ada Lovelace analysis shows it adds interaction effects and legal uncertainty. Fewer words in a statute is not the same as less complexity in practice. The UK should resist the same rhetorical trap when it streamlines its own rules.
The third is the erosion of technology neutrality as a precedent. Once a major jurisdiction writes AI-specific carve-outs into general law, others face pressure to match them for competitiveness. The UK should decide deliberately whether it wants technology-neutral rules, rather than drifting into special regimes for AI because the EU did.
The fourth is the trust dividend nobody is pricing. If EU protection genuinely falls and public confidence with it, a UK regime that is pragmatic but credibly protective could attract the firms and the talent that value certainty and reputation. Lower rules are not automatically more attractive rules, and Britain has an opening to compete on trust rather than only on permissiveness.
Competitive Reality: The race is not won by whoever regulates least. It is won by whoever offers the most workable combination of innovation headroom and legal certainty. That is a harder target than “lighter than Brussels”, and a more valuable one.
The strategic takeaway
The Digital Omnibus retires a tidy assumption. The EU is no longer the cautionary tale of over-regulation against which Britain can effortlessly look dynamic, because Brussels is now moving toward permissiveness, and doing it in a way a respected UK institute calls legally fragile. The UK’s regulatory advantage is narrowing from both ends, and the country has to earn its position rather than inherit it by contrast.
Three factors will decide whether Britain comes out of this well. The first is analytical discipline: assessing rules for their combined effect, the exact skill the Ada Lovelace critique demonstrates. The second is durability over short-term ease: designing rules and data practices that survive legal challenge rather than exploiting momentary gaps. The third is the confidence to compete on trust as well as speed, treating credible protection as an asset rather than a tax.
Next steps for anyone setting strategy:
- Map how your data and AI practices depend on specific EU provisions, and flag any that rely on reading a clause in isolation.
- Hold an internal protection standard that is defensible whole, not just compliant clause by clause.
- For policy work, adopt cumulative-effects and technology-neutrality checks as routine.
- Watch the Omnibus through the EU legislative process and any CJEU challenge, because the lawful position may shift more than once.
- Treat the UK’s regulatory window as closing, and decide what distinctively British governance should look like before the gap with Brussels disappears.
Take Action: Stay close to how AI regulation is moving on both sides of the Channel. Subscribe to the Resultsense newsletter for clear analysis of what UK AI policy and the businesses it affects need to understand next.
Source and attribution
This analysis draws on “The EU Digital Omnibus”, published by the Ada Lovelace Institute on 15 June 2026, written by Julia Smakman, Friederike Schüür, Valentina Pavel and Michael Birtwistle, and based in part on legal analysis by Professor Philipp Hacker of the European University Viadrina. The original is available at adalovelaceinstitute.org. The strategic interpretation, UK governance implications and recommendations are Resultsense’s own.