The EU’s landmark data-protection law is set to be amended with targeted updates as part of its digital simplification drive. In its proposals, set to be published Nov. 19, the European Commission aims to ease compliance, especially for smaller companies. The proposal would narrow key definitions, relax some privacy rules and allow personal data use for AI training. Civil society has already warned that the changes are going too far.
The EU’s General Data Protection Regulation, or GDPR, will be refined as part of the European Commission’s digital simplification package, according to a draft proposal seen by MLex on Thursday.
While, according to the text, the law is still viewed as being broadly balanced and effective, the commission plans targeted amendments to ease compliance for smaller companies and clarify how the GDPR applies to emerging technologies such as artificial intelligence.
The plans are part of a broader package of measures known as the digital omnibus, which the commission says will simplify rules, provide legal clarity and cut red tape. The proposal is due to be published Nov. 19.
— Personal data —
Some small businesses and associations with limited or low-risk data-processing activities have struggled with the law’s administrative requirements, the text says.
The proposal therefore aims to clarify key definitions — including “personal data” and “special categories of data” — and to streamline information and notification duties, for instance, around data-breach reporting.
The draft would also exempt controllers from providing privacy notices where there is a clear, limited relationship and it can reasonably be assumed that individuals already have the information, unless data are shared, transferred abroad or used for profiling.
The draft appears to narrow the definition of “personal data” under the GDPR, introducing a “subjective approach” that would limit the law’s scope to situations where an individual can be identified by a specific company.
The change builds on the Court of Justice of the EU’s ruling in EDPS v. SRB, which confirmed that information counts as personal data only if the entity in question has the means to identify the individual, a principle now reflected in the draft’s revised definition.
Under this reading, data would fall outside the GDPR if the controller itself cannot identify the person concerned. The text also seems to suggest that data labeled with pseudonyms or user IDs, such as tracking cookies, might no longer be treated as personal data, potentially exempting large parts of the online advertising and data-broker sectors from the regulation’s reach.
— Sensitive data —
The draft would also narrow the scope of protections for sensitive personal data, limiting coverage to cases where such information is “directly revealed” rather than inferred. That change would overturn the Court of Justice’s broader interpretation, which currently extends safeguards to data from which health, sexuality or political beliefs can be deduced.
“Precisely those people who do not want to share sensitive information, such as sickness or sexual orientation, would lose their protection under the proposal, while people who openly share such information would keep it,” said Max Schrems, founder of the Austrian data privacy NGO Noyb.
This is because the revision could leave individuals more exposed to profiling, particularly in AI and big-data contexts, where sensitive traits are often inferred rather than explicitly stated.
The draft also refines the definition of data concerning health, limiting it to information that directly reveals a person’s health status to avoid overly broad interpretations seen in past case law.
— AI training —
The draft would also amend the GDPR to permit the processing of personal and sensitive data for AI training and development. The change could give companies a clearer legal basis to use personal data in developing and operating AI systems.
While the text refers to principles of data minimization and the need for unspecified safeguards, it sets no technical standards for these protections. The only concrete safeguard appears to be a right to object, which privacy advocates argue would be largely impractical to exercise given the scale and opacity of AI training data.
Critics warn that the proposal could create a double standard by treating AI-based data processing more leniently than traditional databases or surveillance systems, effectively giving high-risk AI applications a “green light” under the GDPR.
On Tuesday, MLex already reported that the commission is close to presenting an amendment to the GDPR that would codify “legitimate interest” as the legal basis for training AI systems with personal data, which the draft document also points out.
The commission argues that these adjustments will help ensure consistent application of the GDPR while maintaining high standards of protection for individuals.
For low-risk processing or user-requested services, the draft would relax rules on tracking technologies and prepare for automated, machine-readable consent signals in browsers and apps.
— More changes —
The draft would also expand the legal grounds for accessing or storing data on users’ devices, extending beyond cookies to purposes such as security or aggregated statistics, and aligning those operations with the GDPR’s lawful bases.
It would also merge the GDPR and ePrivacy regimes, making the GDPR the single framework for both cookie placement and subsequent data processing.
Moreover, the commission proposes to introduce a single entry point for reporting cybersecurity incidents and data breaches under various EU laws, including NIS2, GDPR, and the Digital Operational Resilience Act.
The draft further clarifies that automated decisions can rely on a contractual basis even if the same decision could be made manually, aiming to remove uncertainty around when such processing is allowed.
— Amending or reopening? —
The draft of the package circulated on Thursday morning, but the parts concerning the GDPR had already attracted controversy.
While the digital omnibus’ aim is to propose targeted amendments to existing law, civil society has said in a first reaction that the proposed changes to the EU’s data-protection law go beyond that, as the commission has suggested changes to core concepts of the law.
“If successful, this would have a significant impact on people's fundamental right to data protection,” Schrems said.
This is despite the fact that in the past, member states, industry and civil society asked the commission not to reopen the law.
“This is not just a reopening in disguise… It’s even worse, because it rewrites core safeguards without evidence, without impact assessment, and without democratic scrutiny,” said Itxaso Domínguez de Olazábal, policy advisor at EDRi, a network of NGOs and specialists working to defend digital rights.
“Instead of fixing enforcement, it’s dismantling what already protects people’s data,” she said of the commission.
“If this reform goes through, Europeans’ data will no longer be safe. Instead, we are giving more power to large non-European companies, allowing our data to be used for their profit, not ours,” said Agustín Reyna, director-general of the European Consumer Organisation, or BEUC, which represents national consumer groups across the EU.
“Citizens were promised that the simplification agenda was not going to lead to a deregulation wave,” he added, saying that “the upcoming digital omnibus proves the opposite.”
If the European Commission proposes the changes through the “omnibus package,” the process would be faster than reopening the entire GDPR, which would require a full legislative revision and lengthy negotiations between the European Parliament and the Council of the EU.
However, not everyone sees the amendments as a reopening of the law.
“These targeted changes are not a reopening of the GDPR, but a series of small improvements to it,” Peter Craddock, partner at the law firm Keller and Heckman LLP, told MLex.
The proposal “is a very well thought-out attempt to take into account case law while bringing tweaks to ensure abusive interpretations are avoided,” said the lawyer, who represented tech companies, such as IAB Europe.
“There are still several aspects of the GDPR that merit consideration and are not tackled here, but this proposal appears to be a solid attempt at striking the balance between improvements, simplification and an overall limitation of the scope of changes,” he said.
The controversy is also about how quickly the draft came to be.
“It is highly undemocratic to ask the public for input and then circulate a draft of an entirely different draft law a week later,” Schrems said, also criticizing that the commission seems to have followed the German stance.
Germany called for further simplification of the data-protection law at the end of October. The German paper urged the commission to adopt a two-stage approach: first, to make targeted adjustments through the Digital Omnibus initiative in the short term, and later to launch a broader discussion on a potential data protection reform.
“The commission should also respect the calls for targeted and reasonable reforms from other member states,” said Schrems.
For the omnibus to become law, the amendments would need to be adopted by EU governments and the European Parliament.
Source: MLex
