Privacy Daily is a service of Warren Communications News.
Years of Uncertainty Ahead?

Leaked Draft of GDPR Reform Package Brings Cheers and Jeers

The leaking of several documents Friday that apparently are a draft of the European Commission's digital simplification package, including GDPR reform, prompted mixed reactions from privacy professionals and advocates.


The leaked digital omnibus package remains "an unconfirmed official document subject to change," Isabelle Roccia, IAPP's managing director for Europe, emphasized in a post Monday on LinkedIn. The official version is expected to be announced Nov. 19, she said, adding that it could contain nuances and changes from what's been leaked.

Keller and Heckman data attorney Peter Craddock posted the leaked documents Friday. Noyb privacy advocate Max Schrems posted an initial analysis Saturday, followed Monday with additional comments.

The leaked documents contain two draft regulations. One would propose technical changes to digital laws such as the GDPR, Data Act, AI Act and ePrivacy Directive, as well as a partial repeal of the Data Governance Act, the Free Flow of Non-Personal Data Regulation, the Platform-to-Business Regulation and the directive on the reuse of open data. "Repeal doesn't mean extinction in this context," Roccia said.

The second draft regulation would simplify the implementation of AI rules, some of which haven't yet been put in place, Roccia wrote. It addresses key implementation challenges such as the slow designation of authorities that will enforce AI rules. Moreover, it covers the lack of guidance, tools and harmonized standards to support high-risk AI requirements, and onerous documentation requirements, among others.

The leaked documents include several significant GDPR improvements, Craddock noted Nov. 7. One piece of "great news" would be the incorporation of the European Court of Justice (ECJ) ruling on pseudonymized data in EDPS v SRB (C-413/23 P) (see [Ref:2510060017]). Another "very sensible move" would add a legitimate interest equivalent for AI model training for special categories of data, with a focus on risk mitigation at the level of data outputs.

Craddock also applauded creating a "single-entry point" for data breach notifications, and extending the reporting time to 96 hours (from 72). These changes are "great, as handling international data breaches is a pain now."

The package also includes articles aimed at integrating the ePrivacy Regulation and AI Act into the GDPR, Craddock noted.

Schrems' analysis slammed elements of the proposal. Among other things, he said, its proposed changes to the definition of "personal data" attempt to include the "relative" approach under SRB regarding pseudonymized data but take only the expansive elements of that judgment, contrary to current ECJ case law. While the GDPR can be made broader, if it's narrowed, there would be a conflict with Article 8 of the Charter of Fundamental Rights, he added.

Schrems accused the drafters of the document of bulldozing the GDPR for the benefit of the "(alleged) AI race." Moreover, he added, it won't help achieve its intended aim of lightening the regulatory burden for small and mid-size enterprises, and it will be a "source of uncertainty for years to come."

When released officially, the rules will need approval from the European Parliament and Council, usually a long process, Roccia said. "The path to simplification is bound to be very complex."