On January 20, 2026, the European Data Protection Board (“EDPB”) and the European Data Protection Supervisor (“EDPS”) (together, the “Authorities”) adopted Joint Opinion 1/2026 on the European Commission’s proposal to amend the EU AI Act (hereafter the “Proposal”, summarized in our previous blog). Overall, the Authorities acknowledge the complexity of the AI Act and agree that targeted simplifications can support legal certainty and efficient administration. However, they warn that simplification should not result in lowering the protection of fundamental rights, including data protection rights. This blog outlines some of the Authorities’ main recommendations as expressed in their Joint Opinion.
Clear boundaries for the processing of sensitive data for bias mitigation
The Proposal envisages expanding the legal basis under the AI Act to allow the processing of special categories of personal data for bias detection and correction in AI models and systems. The Authorities accept that some bias mitigation may require sensitive personal data, but insist such processing should meet a “strict necessity” threshold (not just a “necessary” threshold as proposed). They further recommend clearly circumscribing the use of this legal basis, and limiting such processing activity to cases where it would be justified in light of the risk of adverse effects arising from the processing of such data.
Maintaining registration and training obligations for certain AI providers and deployers
Reinforcing institutional coordination for EU‑level AI regulatory sandboxes
Although broadly supportive of EU-level AI regulatory sandboxes maintained by the Commission, the Authorities recommend clarifying that competent national data protection authorities should be involved in the operation of such EU-level sandboxes, along with the EDPB – who, according to the Authorities, should also be granted the status of observer on the European Artificial Intelligence Board. The Authorities also call for a clear distinction to be made between AI sandboxes for EU bodies set up by the EDPS, and EU-level AI sandboxes established by the Commission’s AI Office.
Clarifying rules on supervision and enforcement
With regard to supervision and enforcement mechanisms under the AI Act, the Authorities underline the need for strong cooperation among the various authorities and bodies that may be involved, including the AI Office, national market surveillance authorities, and national data protection authorities. They further highlight the need to clarify the competence and powers of these various stakeholders. Some of the requested clarifications concern, for instance, (i) the types of general-purpose AI systems that would trigger the AI Office’s exclusive competence, or (ii) the role of market surveillance authorities as a mere administrative point of contact.
Warning against postponing high‑risk obligations
- maintaining the original timelines for obligations with direct rights‑protective effects, such as transparency;
- limiting any delays in timelines to what is strictly necessary; and
- avoiding prolonged legal uncertainty that could undermine both compliance planning and public trust.
* * *
The Covington team regularly advises the world’s top companies on their most challenging technology regulatory, compliance, and public policy issues in the EU and other major markets. Please reach out to a member of the team if you need any assistance.