Executive Summary
On May 7, 2026, the EU Council and the European Parliament reached a provisional agreement on the "Digital Omnibus," the first package to amend the AI Act. Among the changes that cleared the Parliament vote on June 16, the quietest yet most fundamental one sits in Article 10. For the first time, the law spells out a legal basis for processing special-category personal data — race, health, biometrics, sexual orientation — that GDPR had in principle forbidden, provided the purpose is to detect and correct bias in AI. It is the strange sight of a law written in the name of fairness quietly unsealing the very data it had locked away.
Behind it lies a paradox. To confirm whether an AI discriminates against a particular group, you need the very data that identifies that group. You cannot fix what you cannot measure. Yet GDPR Article 9 keeps data like race and health under seal, and as a result bias testing itself has often been blocked. In the United States, one survey found that 21 of 25 federal agencies could not carry out equity assessments because they lacked demographic data. The EU's amendment unblocks this — but opens the door only through a narrow gate of five conditions.
For Pebblous readers, what makes this shift matter is that it draws a line around data rights themselves, not around a compliance calendar. Where the August transparency duties and the delayed hiring-AI deadline we covered earlier were questions of "by when must this be met," this one is a question of "which data are you even allowed to feed it." Beyond clean data, the text now decides which data the law recognizes as permissible to feed a model.
21 / 25
Agencies unable to assess
U.S. federal agencies that could not run equity assessments for lack of demographic data (Stanford HAI)
Art. 9 → 10
From seal to exception
Special-category data GDPR forbade now gets a processing path for bias detection
5 conditions
Gates to clear
All must be met to use sensitive data for bias testing
2026-05-07
First amendment deal
The Digital Omnibus provisional agreement — the first revision to the AI Act since its 2024 adoption
To catch bias, you must know its target
Suppose a hiring AI is quietly filtering out women applicants. To prove that bias, you have to split the pass and fail outcomes by gender and compare them, which means you need the applicants' gender data. To test for racial discrimination you need race data; to test for disability discrimination you need data on disability status. Checking for fairness always begins by holding the most sensitive information in your hands. "You cannot fix what you cannot measure" works here in the most literal sense.
The problem is that the law has sealed that very data away. GDPR Article 9 prohibits, as a matter of principle, the processing of special-category personal data such as racial or ethnic origin, health, biometrics, and sexual orientation. A provision meant to protect the individual has, paradoxically, also blocked the work of checking whether that individual is being discriminated against. In practice, the more faithful a privacy team is to the data-minimization principle, the more likely it has been to tell the bias-testing team, "you're not allowed to collect that data."
That this deadlock is not an abstract worry is shown by a Stanford HAI survey: of 25 U.S. federal agencies, 21 could not perform equity assessments of the systems they use because they had not secured enough demographic data. The synthetic or anonymized data often floated as an alternative frequently fails to reproduce the fine-grained patterns of statistical bias, so its limits become clear precisely when the goal is to catch real discrimination. This is exactly where fairness and privacy collide head-on over the same data.
The narrow door the EU opened, in five conditions
The Digital Omnibus is the first amendment package to touch the body of the AI Act since it was adopted in June 2024. Most of it simplifies various provisions and pushes back some effective dates, but for data practitioners the most tangible change is that Article 10 now recognizes bias detection and correction as an explicit ground for processing. High-risk AI providers may now process special-category personal data solely for the purpose of detecting and correcting bias. Work that had kept getting stuck with legal and privacy teams finally has a clear basis.
The door is not thrown wide open, though. It is a narrow passage you can only clear by passing all five of the conditions below. Fail even one, and the ground for processing does not hold.
| # | Condition | What it means in practice |
|---|---|---|
| 1 | No substitute | Allowed only where synthetic or anonymized data cannot detect the bias effectively. |
| 2 | Technical safeguards | State-of-the-art security and privacy-preserving measures, including pseudonymization, plus reuse limits. |
| 3 | Access control | Strictly limit access to authorized personnel only, and document that control. |
| 4 | No transfer | The sensitive data collected must not be transmitted or transferred to third parties, nor may they be granted access. |
| 5 | Duty to delete | Delete the data immediately once bias correction is complete or the retention period ends. |
These five interlock into a single principle: handle only as much as is strictly necessary to correct the bias, with the fewest people, inside a sealed environment, and erase it once the purpose is served. The structure is closer to a regulation that opens the door to data while fitting that same door with an automatic lock.
The point is that this provision is not a license to "use sensitive data freely," but a conditional passage that says, "for this narrow purpose of catching bias, and if you keep these five conditions, we will recognize the exception." It draws in the text a middle point that neither surrenders privacy entirely for fairness nor leaves bias unchecked in the name of privacy.
The price of the exception, the wider Omnibus
Taken on its own, the bias-detection exception is a change most would welcome. But this provision sits inside a much larger amendment package, the Digital Omnibus, and that package as a whole comes with a sharp warning from human rights groups. In April 2026, Amnesty International criticized the simplification law as "an unprecedented rollback of rights online."
The concern is not aimed at the bias exception but at the provisions around it: the part that widens companies' discretion to judge the risk level of their own systems, and the part that reworks the definition of personal data under GDPR in ways that could broaden the scope of training-data collection for Big Tech. In other words, provisions that expand data rights and provisions that narrow them are mixed together in one package.
So this amendment is hard to reduce to "the EU loosened privacy." The door to sensitive data for catching bias was opened carefully, with conditions attached, but other doors in the same package are being criticized for opening in the opposite direction. That is why, when you judge a single clause, you have to look at the whole package it sits in.
What data practitioners should check now
The most accurate way to read this amendment is not "you can now use sensitive data" but "when, and how, can you use it." The five conditions are the key that permits the exception and, at the same time, the threshold you must cross to use it. Without the evidence to prove that no substitute exists, the technical apparatus for pseudonymization and access control, and a procedure for managing the deletion timing, the clause can be open and still leave you unable to actually use it.
Translated into a practical sequence, three questions remain. First, does the system whose bias you want to test really need special-category data, or is synthetic and anonymized data enough? Second, if it is needed, do you have the technical and organizational apparatus to handle that data in a sealed environment? Third, have you decided in advance when and how you will delete that data once bias correction is done? The very process of answering these three questions becomes the blueprint for your bias-testing pipeline.
Shift the view to Korea and this is not someone else's problem. Korea's AI Basic Act does not set out a basis for processing the sensitive data needed for bias testing as concretely as the EU does, and the relationship between the sensitive-information rules of the Personal Information Protection Act and fairness assessment is still being worked out in practice. AI that is used in the EU or aimed at EU users falls under this clause directly, and even where it does not, the EU's five conditions are likely to settle into the de facto international standard for handling bias-testing data.
Editor's Note — The Pebblous View
Pebblous works on recording and tracing the origin, quality, and processing history of training and validation data. From that vantage point, the heart of this amendment is not "may you use sensitive data" but "how do you prove you used it, and how do you record when you deleted it." All five conditions can only be demonstrated through records. The judgment that no substitute existed, the log of access control, the timing of deletion — each can only be explained later if there are records left behind while it happened. If fair AI needs the most sensitive data, then the record of having handled that data becomes all the more necessary.
References
Official Sources
- 1.European Parliament and the Council of the European Union. (2024). Regulation (EU) 2024/1689 — Article 10: Data and Data Governance. EU AI Act Official Text.
- 2.Council of the European Union. (2026, May 7). Artificial Intelligence: Council and Parliament Agree to Simplify and Streamline Rules. Council of the EU Press Releases.
Academic & Policy Reports
- 3.Stanford Human-Centered Artificial Intelligence (HAI). (2024). The Privacy-Bias Trade-Off: How Privacy Laws Hinder Efforts to Collect Equitable Data. Stanford HAI Policy Brief.
Legal & Compliance Analysis
- 4.Latham & Watkins LLP. (2026). AI Act Update: EU Resolves to Change Rules and Extend Deadlines. Latham & Watkins Insights.
- 5.DPO Europe. (2026). AI Bias vs. Data Privacy: Can the EU's Laws Find Balance?. DPO Europe.
- 6.ComplianceHub. (2026). EU Digital Omnibus AI Act Deadline Deferral. ComplianceHub.wiki.
Civil Society
- 7.Amnesty International. (2026, April). EU Simplification Laws — A Rollback of Rights Online. Amnesty International Campaigns.