THE LENS
Digital developments in focus

What changes does the Digital Omnibus make to the EU GDPR?

Major changes to the EU’s data protection regime are included in the European Commission’s Digital Omnibus package, launched on 19 November (which we discuss more generally in this blog). According to the Commission’s accompanying notes, the proposals aim to “harmonise, clarify and simplify GDPR provisions, without affecting the core principles”. They include, for example, relaxations to the current data breach notification regime, a clearer definition of personal data and a new exemption to data subject access requests (DSARs). The changes also aim to make it easier for organisations to use personal data in connection with AI. However, the proposals are already facing vocal criticism, with an open letter from 127 civil societies suggesting that, while being presented as technical streamlining, the package really involves the GDPR being “reopened and hollowed out”. There is undoubtedly going to be intense lobbying on both sides of this debate.

What are the proposed changes to EU data protection law? 

The Omnibus package includes a number of potential changes to the EU GDPR. Some of the most significant proposals are: 

  • Updated breach notification threshold, extended deadline and streamlined procedure: significant liberalisation of the current breach notification regime to reduce the administrative burden on controllers and data protection authorities (DPAs). The threshold for notifying the DPA is raised from breaches which are “not unlikely to result in a risk” to data subjects to the “high risk” threshold that currently applies to notifying data subjects. The deadline for breach notification is also extended from 72 to 96 hours, with the report to be made to a new ‘single-entry point’ allowing notification under multiple regimes at once (e.g. NIS2 and DORA too) (discussed in this blog).
  • Update to definition of personal data (codifying SRB): amendment of the definition of personal data to codify the recent CJEU SRB judgement (discussed in this blog) and to make clear that information is not personal data for the entity holding it if it doesn’t have the “means reasonably likely to be used to identify” the underlying individual.
  • New DSAR exemption: an exemption to allow controllers to refuse or charge for answering an individual’s request if “the data subject abuses the rights”, i.e. where it is not used for the purposes of protecting personal data. It is unclear how broadly this would apply and whether it would in practice help organisations address DSARs being used to circumvent disclosure rules in litigation.
  • Clearer privacy notice exemption: an exemption from providing privacy information where the data is obtained directly from the data subject and there are reasonable grounds to assume the data subject already has the information. This would be subject to restrictions on what the controller can do with the data, for example, it won’t apply to processing as part of a data-intensive activity.
  • New processing condition for special category data (SCD) in AI: a new processing condition to allow the processing of ‘residual’ SCD in AI development and operation.
  • Legitimate interest in processing for AI: clarification that legitimate interests can be relied on for processing personal data in the context of AI development or operation where the processing is necessary and it satisfies the usual balancing test.
  • Cookie consent and uplifted fines: an exemption from the need for consent for audience measurement and security maintenance or restoration cookies. New cookie-banner requirements are also proposed to guard against ‘dark patterns’ driving consent rates. Cookies must be able to be rejected with one click and, once rejected, must not be requested again for 6 months. The proposals also include mechanisms to drive the adoption of consent being set by internet browsers or mobile apps. Significantly from a risk perspective, the maximum fines for cookie infringements would be aligned with those under the GDPR (€20 million or 4% annual worldwide turnover, whichever is higher), in comparison to the existing national variation.

What does this mean for organisations’ privacy compliance? 

These changes are proposals only at this stage and will be subject to debate and amendment by the EU Parliament and Council, so may well be watered down (as the UK reforms were). Looking at the potential impact of the proposals as they stand, most of them clarify or relax the current position to enable businesses to make greater use of their data, notably around AI, or to address current headaches, such as DSARs. As such, for the most part they shouldn’t require any major reopening of GDPR compliance programmes, but organisations should keep a close eye on developments as the liberalisations may provide opportunities.