*Brussels, 21/04/2026 (Agence Europe)* – In their second compromise on the ‘GDPR’ component of the digital simplification package* (see EUROPE **13813/8* <https://agenceurope.eu/en/bulletin/article/13813/8>*)*, dated 15 April and available to *Agence Europe*, the EU27 continue to dismantle the European Commission’s proposals.
*Member States are taking an explicit stance against the addition of the new Article 88c to the GDPR, which would authorise the use of personal data to train artificial intelligence models on the grounds of “legitimate interest”.* This stance goes beyond the opinion published by the two European data protection authorities, the EDPB and the EDPS, last February. These bodies had said they were in favour, provided that safeguards were put in place *(see EUROPE **13806/17* <https://agenceurope.eu/en/bulletin/article/13806/17>*).* Article 88a regarding the processing of personal data stored on or originating from end-user devices has been deleted. As for Article 88b, which relates to “*consent fatigue*” and revises the rules on cookies, it has been amended. The possibility of making consent automatic has been somewhat modified by the EU27, who specify that this would only apply “*for specific categories of purposes*”. On the sensitive issue of data pseudonymisation *(see EUROPE **13702/24* <https://agenceurope.eu/en/bulletin/article/13702/24>*)*, the EU Council has added an article, replacing Article 41(a), stating that “*personal data that has undergone pseudonymisation, but which could be attributed to a natural person through the use of additional information, must be considered as information relating to an identifiable natural person*”. They also task the EDPB with issuing an opinion, no later than twelve months after the regulation’s entry into force, on “*the application of pseudonymisation and anonymisation, including related technical and organisational measures, and specifying the means and criteria for determining whether the application of pseudonymisation to personal data is such as to effectively prevent persons other than the controller from identifying a data subject in such a way that, for those persons, the data subject is not or is no longer identifiable*”. *Once again, the Commission’s legal justifications on this issue (see EUROPE**13702/24* <https://agenceurope.eu/en/bulletin/article/13702/24>*) do not appear to have convinced the Member States.* *(Original version in French by Isalia Stieffatre)*
