The Opinion welcomes the following proposals made in the Digital Omnibus:
• Scientific research: The Digital Omnibus proposes amending the definition and relaxing some of the rules relating to processing personal data for this purpose. However, the Opinion makes recommendations to clarify the definition.
• Special category data: The Digital Omnibus proposes introducing a new condition that permits the processing of special category data for biometric authentication under the user's sole control. However, the Opinion encourages the Commission to add wording to the relevant recital to make it clear that less intrusive verification methods should be used where this is reasonable.
• Data breach notifications: The Digital Omnibus proposes that controllers will only be required to report personal data breaches posing a high risk to data subjects. Reports must be made via a single entry point ("SEP") for reporting incidents under the GDPR, NIS2, DORA and the Critical Entities Resilience Directive (CER), and the reporting deadline is increased from 72 hours to 96 hours. The Opinion states that there should be greater harmonisation between the deadlines for reporting under the different EU laws (GDPR, NIS2, DORA, CER, etc.) and highlights the importance of ensuring the security of notifications submitted via the SEP, as these often include sensitive information.
However, in the Opinion the EDPB and EDPS express concerns about some of the proposals, including the following:
- Personal data: The Digital Omnibus proposes amending the definition of personal data to reflect recent case law of the EU Court of Justice, making the relevant factor whether a specific entity can identify an individual, taking into account the means that entity is likely to use. The Opinion states that the proposed change would narrow the concept of personal data further than the case law, and expresses concern that this would adversely affect the fundamental right to data protection and may induce controllers to seek loopholes to try to circumvent the application of the law.
- Training AI models: The Digital Omnibus proposes an amendment to the GDPR to explicitly provide that legitimate interest can be used as the lawful basis to process personal data to train AI models. The Opinion states that this is unnecessary because the EDPB has already published an Opinion on AI models confirming that this is the case. However, the Opinion suggests that if the amendment goes ahead, the Commission should clarify a number of points, including the requirements to conduct a legitimate interest assessment (LIA), manage the right to object and provide enhanced transparency information.
- Special category data: The Digital Omnibus proposes adding new conditions that permit the processing of special category data for the development and operation of an AI system or model. The Opinion states that amendments are needed to clarify the scope of these conditions and their relationship with the EU AI Act.
- DSARs: The Digital Omnibus proposes extending the circumstances in which a controller may reject a data subject access request (DSAR) or charge a reasonable fee to where the data subject is abusing their GDPR rights for purposes other than protecting their data. The Opinion states that clarifying what qualifies as an abuse of rights is welcome, but it should be linked to abusive intention, rather than the exercise of the right to access for purposes other than data protection, as the GDPR also aims to protect other fundamental rights and freedoms.
- Privacy notices: The Digital Omnibus proposes that controllers will not be required to provide a privacy notice in certain limited situations where they collect data directly from the individual. While the Opinion welcomes simplification and reduction of the administrative burden in specified situations, it suggests some amendments to clarify when this exemption applies and provide that the individual should have the right to request the information from the controller.
- Automated decision making (ADM): The Digital Omnibus proposes amending Article 22 of the GDPR to: (i) change it from a right not to be subject to ADM to a provision setting out when ADM is permitted, and (ii) provide that solely automated decisions which have a legal or similarly significant effect on an individual can be taken when necessary for entering into or performing a contract with the data subject, regardless of whether the decision could be taken otherwise than by solely automated means. The Opinion states that the prohibition in principle on ADM should be retained, with some limited exceptions and clarifications, and the rule on when ADM is necessary for a contract should be clarified.
- DPIAs: The Digital Omnibus proposes that the EDPB must develop lists setting out the processing operations for which data protection impact assessments (DPIAs) are required and not required, plus a template and methodology for conducting DPIAs. The Opinion supports this proposal, but expresses concerns about the proposal to give the Commission the power to modify these documents.
The Data Acquis (this refers to other data legislation, including the Data Act and Data Governance Act)
The Digital Omnibus proposes that the Data Governance Act (DGA) is repealed, and the Data Act amended to add some of the DGA’s provisions. The Opinion welcomes the streamlining of these rules, but recommends clarifications, including in relation to enforcement. In particular, the Opinion suggests: i) keeping provisions that clarify that public sector bodies are not obliged to allow re-use of personal data and that the framework itself does not provide a legal basis for access; ii) allowing sharing of pseudonymised personal data with public sector bodies during public emergencies, but only when anonymous data is insufficient; and iii) maintaining safeguards for data intermediation services and data altruism organisations to ensure trustworthy, transparent, and well-overseen data sharing.