Digital Omnibus: Recent EU Proposal, Reviewed by LegalBison

Role of the GDPR and Proposed Changes

The lineage of data security laws in the EU has evolved across three generations of legislation:

• Data Protection Convention (Convention 108), enacted in 1985 by the Council of Europe, focused primarily on harmonizing standards for automated data processing;
• Data Protection EU Directive (DPD) of 1995, which was motivated chiefly by the goal of economic efficiency, aiming to remove diverse national standards that obstructed the free flow of personal data within the internal market;
• General Data Protection EU Regulation (GDPR), which represents the most significant shift, maintains data flow harmonization while upholding data protection as a fundamental right.

Understanding this legislative evolution in personal data protection is crucial when assessing the motives behind the latest GDPR Digital Omnibus proposal.

Recent Introductions for the GDPR Change Proposal

The GDPR Change Proposal by the European Commission introduces a number of draft amendments for processing personal data across Member States. The key considerations for data collection and data privacy involve:

• Cookie Framework Simplification: The proposal introduces pre-set, user-defined privacy configurations as the standard, intended to replace continuous cookie banners;
• Expanded Consent Exceptions for Tracking: New exceptions in the deployment of cookies and tracking technologies cover purposes such as ensuring security, conducting audience measurement, and providing user-requested online services;
• AI Training as a Legal Basis: AI operation and training are established as a standalone legitimate basis (under Art. 6(1) GDPR) for processing personal data, removing the requirement for data subject consent for using personal data in AI training;
• Processing of Special Categories of Data for AI: Article 9(2) of the GDPR will be expanded with a derogation allowing the processing of special categories of personal data for developing AI systems;
• AI Act Harmonization: Targeted amendments to the AI Act are foreseen to ensure consistency within the broader digital regulatory framework;
• Unified Incident Reporting: A one-stop-shop reporting framework will be established to allow companies to fulfil all incident-reporting obligations through a single interface;
• Refined Personal Data Definition: The definition of personal data will be refined, and the scope of sensitive data will be narrowed;
• Introduction of European Business Wallets: European Business Wallets will be introduced, providing companies with a platform to digitally sign, timestamp, seal, store, and exchange verified documents securely across borders.

Key Objectives of the EU Digital Omnibus Proposal

The proposal primarily focuses on personal data as an asset in the modern economy. Its considerations introduce three basic purposes:

1. Streamlining a “bloated” regulatory framework across the EU member states to reduce compliance costs for entrepreneurs and investors.
2. Removing barriers to using high-quality data for AI training, which will unlock new possibilities for data processing and deployment.
3. Achieving greater economic efficiency and market effectiveness through, among other things, lowering operational costs and simplifying compliance burdens for businesses, notably SMEs.

Notably, the approach described in the proposal is similar to the one introduced in the Data Protection Directive (DPD) of 1995. For now, we can assume that the future Digital Omnibus changes will be centred around businesses and business owners.

Community Perception of the Proposed GDPR Changes

The community perception of the Digital Omnibus proposal is largely negative, claiming that it will be a significant backslide of EU digital protections, specifically regarding the fundamental rights to privacy, data protection, and transparency. As for the key concerns, they include:

• Deregulation: Critics claim the proposal leads to deregulation rather than simplification of the EU’s digital rulebook;
• Wrecking the GDPR’s Core: Organizations like Noyb argue that the new proposal could “wreck the very core of GDPR”, which was established with strong ethical motives centered on personal data protection;
• Serving Corporate Interests: The proposal is alleged to cater primarily to the interests of large technology corporations and certain industry-focused member states, rather than the public or small businesses;
• Lobbying Influence: Some stakeholders allege that industry lobbying has exerted an outsized influence on the drafting process, noting that several proposed changes align with long-standing demands from large technology and data-intensive sectors.

As a result, an opposition to the proposal has been formed when 127 international organizations signed an open letter to the European Commission arguing against the proposal. It appears that a heated public debate is about to unfold, involving the advocates and opponents of these regulatory shifts.

LegalBison is Closely Monitoring All GDPR Changes

While the EU’s Digital Omnibus proposal is still in its consultation stage, LegalBison keeps monitoring all the regulatory changes and their impact on business owners across the EU. Just like with any new regulatory initiative, our lawyers will make sure to promptly inform readers of the latest developments in the EU’s data processing policies.