EU policymakers are signaling potential GDPR and AI Act revisions that could make synthetic data a more practical path for AI development with sensitive data. At the same time, market forecasts and funding rounds suggest synthetic data is moving from “privacy workaround” to standard infrastructure for testing and model development.
EU ‘Digital Omnibus’ tees up GDPR and AI Act changes with synthetic data implications
The European Commission is expected to announce amendments to the GDPR and the EU AI Act as part of a “Digital Omnibus” package slated for November 19, 2025. The proposal, as described, could ease restrictions on processing sensitive personal data for AI development—creating more room for synthetic data generation as a compliance-oriented option.
For teams building or buying synthetic data tooling, the key issue is not whether synthetic data is “allowed,” but what regulators will consider sufficient evidence that a synthetic dataset meaningfully reduces privacy risk. If rules loosen, scrutiny often shifts from blanket prohibitions to proof: documented controls, re-identification risk testing, and governance that shows synthetic data isn’t being used to sidestep protections.
- Compliance strategy may shift from “avoid” to “demonstrate.” If sensitive-data processing pathways expand, expect higher expectations for defensible privacy proofs (risk assessment methods, audit trails, and controls) around synthetic pipelines.
- Faster iteration for regulated AI—if governance is real. Data teams could accelerate training, validation, and testing workflows using synthetic data, but only if they can show the synthetic data is fit-for-purpose and not trivially linkable back to individuals.
- Vendor due diligence gets harder, not easier. Buyers will need to compare synthetic data providers on measurable privacy and utility claims—especially around re-identification risk, leakage, and how sensitive attributes are handled.