The Quiet Expansion in the May 2026 Omnibus Deal

While headlines focused on the EU AI Act’s new deepfake bans and transparency deadlines, negotiators slipped a more nuanced change into the provisional agreement reached between the Council presidency and European Parliament: an expansion of the right to process sensitive personal data specifically for bias detection and mitigation purposes.

This amendment appears targeted and limited in scope, but it fundamentally reshapes how Irish and European AI builders can operationalize fairness testing—one of the most critical compliance requirements for high-risk AI systems.

What Changed and Why It Matters

The original AI Act already permitted processing of special category data (race, ethnicity, political opinion, religious belief, trade union membership, genetic data, biometric data, health data, sex life data) under narrow exemptions. The May 2026 amendment carves out a new, clearer pathway: bias detection and mitigation now explicitly qualify as a lawful basis for sensitive data processing.

For Irish enterprises building or deploying high-risk AI systems—particularly in hiring, credit assessment, or healthcare—this is operationally significant. It means you can:

  • Conduct bias audits on sensitive attributes without navigating complex GDPR Article 9 exemptions
  • Test for fairness across protected characteristics as part of your Article 34 risk assessment
  • Process historical data to identify and remediate discriminatory patterns

But there’s a critical caveat: the amendment doesn’t define what constitutes legitimate “bias detection” or “mitigation.” It doesn’t specify data minimization thresholds, retention limits, or oversight mechanisms.

The Compliance Grey Zone

This is where the practical problem emerges. Under Article 9 GDPR, processing sensitive data requires explicit consent, a legal basis, or one of the strict exemptions. The AI Act amendment creates a new exemption category—but the interaction between this exemption and GDPR’s existing legal bases remains unclear.

Questions Irish compliance teams should be asking now:

  • Scope: Does “bias detection” extend to exploratory analysis, or only to documented fairness issues?
  • Proportionality: What’s the permitted scale of sensitive data processing? Can you process entire datasets or only representative samples?
  • Retention: How long can you hold sensitive data after bias detection is complete?
  • Oversight: Does the AI Office’s expanded powers (also part of the omnibus deal) include audit rights over sensitive data processing?

Practical Implications for Builders

If you’re preparing for the August 2026 high-risk AI deadline, the amendment suggests:

  1. Document bias testing as a core compliance function, not an optional audit
  2. Prepare data processing agreements that explicitly reference bias mitigation as the lawful basis
  3. Expect scrutiny from data protection authorities, who may interpret this exemption narrowly until guidance emerges
  4. Plan for the December 2026 transparency deadline by ensuring bias detection processes are auditable and explainable

What’s Still Missing

The European Commission’s implementation guidelines—published on 7 May 2026 for Article 50 transparency obligations—don’t yet address this sensitive data exemption. Expect further clarification from the AI Office by summer 2026, likely in the form of detailed guidance on Article 10(6) processing (the provision governing bias detection).

For now, Irish enterprises should treat this expansion as permission to act—but with documented caution. Bias mitigation is non-negotiable for high-risk AI compliance. The omnibus deal just gave you more legal room to do it. Use that room carefully, and keep detailed records of your processing rationale.

The regulatory landscape is still settling. The next 16 months will be critical for translating this amendment into operational standards.

Source: European Council & European Parliament