EU Regulators Reject Numerous Proposed GDPR Amendments in Digital Omnibus
The European Commission’s proposed amendments to the General Data Protection Regulation (GDPR) and ePrivacy Directive, termed the Digital Omnibus, have faced significant scrutiny from key regulatory bodies. The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) have expressed serious concerns over the potential impact of these proposals on data protection for EU residents.
Key Concerns Over the Digital Omnibus
- Narrowing Definition of Personal Data: The EDPB and EDPS have rejected the proposed changes that would limit the definition of personal data in Article 4(1) of the GDPR. They argue that such modifications exceed merely technical changes, affecting fundamental data protection rights.
- Expanded Powers for the Commission: The proposal to allow the European Commission to determine what constitutes pseudonymised personal data has also been critiqued. This could potentially provide businesses with loopholes to bypass GDPR compliance.
- AI Training Legitimacy: The new Article 88c related to AI training does not provide adequate clarity regarding the legal basis for processing personal data under legitimate interests. The EDPB and EDPS emphasize that companies must still undergo a thorough three-step assessment for any AI-related data use.
- Restricting Right of Access: Current proposals in Article 12(5) would limit individuals’ rights to access their personal data. Critics indicate that this move could violate existing CJEU case law, as it restricts access for various legitimate purposes beyond mere data protection.
- Concerns Over Complexity: While acknowledging that the intentions behind some amendments are valid, the authorities have pointed out that many proposals lack practical clarity. This could lead to increased complexity, potentially benefiting large tech firms at the expense of small and medium-sized enterprises (SMEs).
Next Steps for Regulatory Bodies
Looking ahead, the European Parliament and the Council are expected to take the EDPB and EDPS’s joint opinion into account. There is hope that legislators will eliminate problematic changes and enhance other elements of the proposal to ensure the protection of EU residents’ data rights.
This situation highlights the ongoing tension between regulatory agencies, technology companies, and civil society organizations as they navigate the complexities of data protection in the digital age. The impact of these proposed amendments on future data protection practices will be closely monitored by stakeholders across Europe.
