Digital Omnibus: European Commission Position on Changes to EU Digital Rules

The European Commission has published its regulatory proposal for the EU Digital Omnibus, a package of amendments seeking to streamline EU rules on data protection, artificial intelligence and digital regulation in an effort to improve EU competitiveness. For more information on the background to the Digital Omnibus, see our earlier briefing here. The Digital Omnibus is split into two regulations, one targeting the AI Act and another targeting other EU digital regulations.

This post considers some of the key changes proposed by the Digital Omnibus but is not intended to be exhaustive.

EU-Wide Portal for Reporting Data Breaches

  • The Digital Omnibus proposes a single-entry point for cybersecurity and data breach notifications, established under the NIS 2 Directive and operated by ENISA (the EU Cybersecurity Agency). This entry point will be used for data breach notification submissions where required under other laws (e.g., GDPR, DORA, etc.), streamlining and simplifying breach requirements.
  • Changes are also proposed to the GDPR’s breach reporting requirements, extending the timeframe to 96 hours (from the current 72 hours) and harmonizing the threshold for mandatory reporting to supervisory authorities with that for reporting to data subjects (i.e., circumstances in which the breach is likely to result in a high risk to the rights and freedoms of natural persons).

Cookie Consents

  • Exemptions to the consent requirements are proposed where cookies (and similar technologies) are used for: (i) providing a service explicitly requested by the data subject; (ii) creating aggregated usage information for analytics by the website operator (which would therefore exclude cross-website tracking tools); and (iii) maintaining or restoring security.
  • The proposed regulation also prevents website owners from seeking consent for at least six months after it has been rejected.
  • Further, organizations must expressly ensure their online interfaces allow cookies to be declined through automated and machine-readable means, potentially paving the way for cookies to be dealt with at the browser level instead of on a website-by-website basis (and browser providers that are not Small and Medium Enterprises (SMEs) must provide the technical means for this).

Key Changes to the GDPR

  • Processing data for AI. Two key changes are introduced that seek to clarify the lawfulness of processing personal data (including special category personal data) for training AI.
    • A new Article 88c GDPR is proposed, which confirms that the development and operation of an AI model may generally be pursued as a legitimate interest where appropriate. (Note that this is not carte blanche and the usual consideration of necessity and a balancing test would need to be applied.) This is in line with published EDPB guidance and is subject to some exceptions.
    • Further, a new Article 9 condition is proposed which would allow processing of a limited amount of residual special category data for the purposes of development and operation of an AI system or model where appropriate measures were implemented to prevent special category data from being included, but removing all such data would require a disproportionate effort and other means exist to protect the data.

There are also clarifications relating to when automated decision-making can be deployed.

  • Rejecting data subject access requests (DSARs). Controllers can currently refuse to respond to DSARs where the request is manifestly unfounded or excessive. Under new proposals, this is clarified to apply “in particular because of their repetitive character or also, […] because the data subject abuses the rights conferred by this regulation for purposes other than the protection of their data.” It will be particularly important here as to what guidance is provided regarding what constitutes “abuse” and how that must be determined. The proposal also indicates that “overly broad” requests could be regarded as excessive, which may be welcome to many depending on how this is interpreted.
  • Definition of personal data. Proposed updates to the definition of personal data would introduce an express element of subjectivity relating to the specific entity holding the relevant information. Data will only be “personal” where the entity holding it has the means reasonably likely to be used to identify the individual (in line with recent case law). This could allow, for example, pseudonymized data to be treated as outside of scope of the GDPR when transferred to an entity that does not have the means to re-identify it.
  • Updated privacy notice exemption. Article 13(4) GDPR currently includes an exemption from the requirement to provide a privacy notice where the individual already has the information they are entitled to in a privacy notice. It is proposed that this be extended to situations where the data is: (i) collected in the context of a clear relationship with the controller where there are reasonable grounds to assume the data subject knows the controller’s identity and the purpose of the processing; (ii) collected for an activity that is not data-intensive, does not involve automated decision-making, and is not high risk; and (iii) the data is not transferred to a third party or internationally.
  • Biometric identification. A new Article 9 basis has been included to allow the processing of biometric data where necessary for confirming the identity of a data subject, provided that the biometric data or the means needed for the verification is under the sole control of the data subject.

Changes have also been introduced relating to data processing for scientific research, and with the aim of centralizing guidance on data protection impact assessments.

Changes to the AI Act

  • Delayed implementation. One of the key impacts for the AI Act is the extension of various deadlines, including from:
    • August 2, 2026, to December 2, 2027, for compliance requirements for systems deemed to be high-risk by virtue of falling within one of the listed high-risk use cases (or earlier if the European Commission determines that the necessary compliance support measures are available);
    • August 2, 2027, to August 2, 2028, for compliance requirements for systems deemed to be high-risk by virtue of being a safety component in a regulated product (or earlier if the European Commission determines that the necessary compliance support measures are available); and
    • August 2, 2026, to February 2, 2027, for AI watermarking requirements applicable to AI systems placed on the market before August 2, 2026.
  • AI literacy. The AI Act currently includes an arguably broad obligation on providers and deployers of AI systems to ensure a sufficient level of AI literacy of their staff. The proposal reframes this as an obligation on the EU Commission and member states to “encourage” providers and deployers to take such measures.
  • No registration requirement for high-risk systems. Currently the AI Act includes an exemption applicable to AI systems that are used for a high-risk use case but that meet certain criteria (e.g., where the system performs a narrow procedural task or improves the result of an activity previously completed by humans). Although such systems are exempt from various high-risk obligations, they must still be registered on the EU database of high-risk systems. The Digital Omnibus proposes removing this registration requirement.
  • Bias detection and mitigation. The AI Act includes a provision that enables high-risk AI systems to use special category personal data to detect and mitigate bias in the systems (subject to a number of safeguards). A new article has been introduced which would extend this ability to AI systems that are not high-risk.
  • Simplified compliance for SMCs. The AI Act includes simplified compliance measures for SMEs and it is proposed that these will be also extended to Small Mid-Caps (SMCs), namely enterprises that employ fewer than 750 persons and have either: (i) an annual turnover not exceeding EUR 150 million; or (ii) an annual balance sheet total not exceeding EUR 129 million.

Changes to the Data Act

  • Data processing services. A lighter regime is introduced for cloud switching in relation to pre-existing contracts for certain custom-made products and in relation to smaller vendors.
  • Government data sharing. Mandatory business-to-government data sharing is narrowed from a broad “exceptional need” basis to more narrowly defined “public emergencies”.
  • Trade secret protections. Data holders can refuse disclosure of trade secrets where there is a high risk of unlawful acquisition, use, or disclosure to jurisdictions with weaker protections for such trade secrets than in the EU.
  • Regulatory consolidation. Provisions previously included in other laws (such as the Data Governance Act) will be moved to the Data Act to consolidate overlapping legislation.

Next Steps

Now that the European Commission has published its proposal, the formal legislative process can begin, which includes a negotiation—a process called a trilogue—between the three main EU institutions: the European Commission, European Parliament and Council of the European Union.
