Before diving into the key changes of the European Commission’s Digital Omnibus Proposal to the GDPR, it is important to bear in mind that this remains only a Commission proposal, which will now enter the legislative process. Both the European Parliament and the Council are expected to introduce their own amendments, meaning that it will likely take some time before a final version is adopted.
Definition of personal data
With regard to the definition of personal data in Article 4.1 a) GDPR, the proposal would explicitly embed in the GDPR the relative approach to the concept of personal data, following the EDPS v. SRB case law of the Court of Justice. It should therefore be assessed on an individual basis whether the controller has, or may have, the means reasonably likely to be used to identify the data subject, for example by combining different (external) data sets.
Specifically regarding pseudonymisation, the proposal foresees that the Commission may, together with the EDPB, specify the means and criteria relevant for assessing whether pseudonymised data constitutes personal data. This is remarkable, since the GDPR has so far maintained a position of technological neutrality.
Purpose limitation
Under the purpose limitation principle, the proposal deems further processing for archiving in the public interest, scientific or historical research, or statistical purposes automatically compatible. As a result, a compatibility test would no longer be required when data collected for an initial purpose is reused for these purposes.
Sensitive data
In principle, processing sensitive data is prohibited unless one of the Article 9.2 GDPR exceptions applies. The proposal adds two new exceptions, offering more flexibility for processing for the purposes mentioned below.
First, an exception is included for the processing of sensitive data for developing and operating an AI system. The proposal clarifies that controllers must implement organisational and technical measures to avoid collecting or processing sensitive data, and that any sensitive data nevertheless processed must be removed. However, if removing those data would require disproportionate effort, the controller shall in any event effectively protect such data from being used to produce outputs and from being disclosed or otherwise made available to third parties.
Second, the proposal allows the processing of biometric data necessary for verifying a data subject’s identity where the biometric data or verification tool is under the sole control of the data subject.
Processing in the context of the development and operation of AI
For processing in the context of the development and operation of AI systems, the proposal explicitly recognises legitimate interest as a valid legal basis, provided appropriate safeguards are in place.
Controllers are required to:
- ensure respect for data minimisation during the selection of sources and the training and testing of an AI system/model;
- protect against disclosure of residual data retained in an AI system/model;
- enhance transparency to data subjects; and
- provide data subjects with an absolute right to object, allowing data subjects to oppose such processing without the controller being able to balance interests.
Information obligation under Article 13 GDPR (when data is collected directly)
The GDPR already provides that the information obligation under Article 13 GDPR does not apply if the data subject already has the relevant information. The proposal further refines this exception by specifying that the obligation does not apply where there are reasonable grounds to assume the data subject already knows the controller’s identity and the purposes of processing. This is subject to strict safeguards: it only applies where data is collected within a clear controller-data subject relationship, is not data-intensive, involves no disclosures to recipients or transfers outside the EEA, and does not pose a high risk to individuals’ rights.
Furthermore, the proposal removes the information obligation under Article 13 GDPR for research purposes where providing the information is impossible, requires disproportionate effort, or would make the research impossible or seriously undermine its objectives. Article 13 applies to situations where data is collected directly from the data subject; a nearly identical exception already exists in Article 14 GDPR for data collected indirectly.
Abuse of rights
The proposal explicitly incorporates the abuse-of-rights doctrine in the context of the right of access. Controllers may refuse requests where data subjects abuse their GDPR rights. However, this argument has already been invoked frequently before courts and national data protection authorities without being explicitly included in the GDPR, as the prohibition of abuse of rights is a general principle of law.
Automated individual decision-making
With regard to automated individual decision-making, the proposal no longer formulates a “right not to be subject to automated decision-making” with exceptions, but instead outlines the conditions under which such decisions are permitted. That said, the circumstances in which automated decision-making is allowed remain unchanged. The proposal clarifies that, in situations where automated decision-making is necessary for entering into or performing a contract, ‘necessity’ must not be understood to mean that the decision can only be carried out through automated means.
Data breaches
The proposal also introduces a number of simplifications in the context of data breaches. First, the threshold for notifying a personal data breach is raised: a notification will only be required where the breach is likely to result in a high risk to the rights and freedoms of natural persons, rather than merely a risk. Second, the notification deadline is extended from 72 hours to 96 hours. Third, an EU-wide common template for data breach notifications will be introduced. Finally, a single entry point will be established for submitting notifications, which will also be used across other digital regulations such as eIDAS, NIS2 and DORA.
Data Protection Impact Assessment
In the context of Data Protection Impact Assessments (DPIAs), the proposal seeks to harmonise by introducing EU-wide lists of processing activities that either require or do not require a DPIA. This measure is intended to simplify compliance, particularly for organisations operating across Member States.
ePrivacy
Lastly, the proposal incorporates the ePrivacy rules into the GDPR where personal data are processed. As a result, the ePrivacy Directive would apply only where no personal data are involved, while the GDPR would apply where they are. Based on the proposal text, the two regimes would differ: the GDPR would allow two additional exceptions to the consent requirement for storing or accessing information on a user’s device, namely creating aggregated usage data for audience measurement and ensuring service security. These additional exceptions were also discussed in the context of the long-awaited ePrivacy Regulation, which is currently off the table. The proposal also introduces automated, machine-readable signals of user choices that website providers must respect once standards become available, with the aim of reducing consent fatigue.