EU Digital Omnibus proposals to reform data and AI laws – the official version

(5 min read)

On 19 November, the EU published its “Digital Omnibus”, meaning its proposals to reform data and AI laws, which are made within a broader context of simplification and with the aim of enhancing the competitiveness of EU companies. The proposals have caused concern for some privacy activists, but more positive reactions from AI developers and SaaS providers. Read our overview of the key proposals.

This is an updated version of our previous article about the leaked version of the Digital Omnibus.

It has been rumoured for some time that the European Commission was proposing to amend the EU AI Act, either by “stopping the clock” on entry into force or enforcement, or by simplifying some of its provisions. In addition, the ePrivacy Directive was due to be replaced by a new regulation at the same time as the GDPR became law, but the EU institutions were unable to reach consensus on the changes.

Although transposition of some of the EU new laws is still underway in the Member States, the Commission now proposes to pass a “Digital Omnibus” to reform these laws, but also go further, reforming related EU legislation, including making significant changes to the GDPR. The two proposals, one to reform the data and cyber laws (the GDPR, ePrivacy Directive, Data Act, Data Governance Act and the NIS2 Directive) and the other to amend the EU AI Act, have beenwere published on 19 November.

Some of the more significant proposals are as follows:

GDPR

Personal data: The definition of personal data will be amended to reflect recent case law of the EU Court of Justice. The relevant factor would be whether a specific entity can identify an individual, taking into account the means that entity is likely to use.
Scientific research: The proposal adds a new definition of scientific research and relaxes some of the rules for processing data for this purpose, including in relation to transparency and responding to DSARs.
Special category data: The most controversial proposal in the leaked version has been deleted – this limited the scope of special category data to data that directly reveals information about an individual’s sensitive characteristics. This would have meant that data from which sensitive characteristics can be inferred would not be special category data.
The published proposal adds new conditions that permit the processing of special category data:
- development and operation of an AI system or model (subject to safeguards); and
- use of biometric data to prove identity under the user's sole control.
DSARs: The proposal extends the circumstances in which a controller may reject a data subject access request (DSAR) or charge a reasonable fee to where the data subject is abusing their GDPR rights for purposes other than protecting their data.
Privacy notices: In certain limited situations where a controller collects data directly from a data subject, the controller will not be required to provide the individual with a privacy notice if there are reasonable grounds to believe that the individual already knows the controller's identity and the purpose of, and lawful basis for, the processing.
Automated decision making: Solely automated decisions which have a legal or similarly significant effect on an individual can be taken when necessary for entering into or performing a contract with the data subject, regardless of whether the decision could be taken otherwise than by solely automated means.
Breach reporting: Controllers will only be required to report to the Data Protection Authority (DPA) personal data breaches posing a high risk to data subjects. Reports must be made via a new platform (see the proposed NIS2 amendments below), and the reporting deadline is increased from 72 hours to 96 hours. The European Data Protection Board (EDPB) must prepare a reporting template.
DPIAs: The EDPB must develop lists setting out the processing operations for which data protection impact assessments (DPIAs) are required and not required, plus a template and methodology for conducting DPIAs.
Cookies: To avoid the so-called “consent fatigue”, consent will not be required where cookies and similar technologies are used for aggregated audience measurement and security purposes. Note that the cookie rules are currently contained in the ePrivacy Directive, but the draft proposales insertsing this amendment into the GDPR.
Controllers must ensure that their online interfaces allow users to give or refuse consent to cookies and exercise their right to object through automated and machine-readable means.
Where consent is required for cookies and an individual refuses to give consent, the controller must not make a new request for consent for the same purpose for at least six months.
Training AI models: Legitimate interest can be used as the lawful basis to process personal data to train AI models (subject to a right to opt out), unless other EU or national laws explicitly require consent.
Anonymisation and pseudonymisation: The proposal gives the Commission the power to make new rules to specify the means and criteria to determine whether pseudonymised data no longer constitutes personal data for certain entities.
Record-keeping: A separate proposal extends the exemption from the obligation to keep a record of processing activity to organisations employing fewer than 750 persons (the current threshold is 250) unless their processing is likely to result in a high risk to the rights and freedoms of data subjects.

NIS2

Data Act

Data Governance Act

EU AI Act

The changes set out in the proposal go further than expected and have provoked strong reactions from privacy activists. On 11 November noyb (Max Schrems’ privacy organisation), the Irish Council for Civil Liberties and European Digital Rights published a joint open letter to the European Commission expressing concern about the impact that these proposals would have on individuals’ privacy.

However, the changes would be welcome to many, as they would make some aspects of GDPR compliance less onerous, in particular the rules on using personal data to develop and operate AI models. In addition, the Data Act’s rules on cloud switching fees have caused serious concerns for SaaS providers, so the proposed relaxation of the rules for certain services will be welcome to relevant businesses.

The changes set out in the proposals will need to go through a public consultation and the EU legislative process before they become law, and are likely to be amended in the course of that process. We will monitor developments and provide updates in further articles.