Privacy Daily is a service of Warren Communications News.
'Tortuous' Legislative Process Ahead

European Commission's GDPR Proposals Emerge to Mixed Reactions

BRUSSELS -- The European Commission's digital omnibus, published Wednesday, tweaks the GDPR without affecting its core as it tries to bring the regulation more in line with current practices, Hogan Lovells privacy attorney Eduardo Ustaran said at the IAPP Data Protection Europe Congress. The tech sector called for broader change, while digital rights and consumer groups accused the EC of harming individuals.


The package, which still needs approval from the EU Council and European Parliament, amends several EU laws. For the GDPR, it modernizes cookie rules, allowing users to control who can access their device via a one-click consent, and offers preference settings for how they want their data to be shared and processed, according to EC FAQs. Updating cookie rules will "alleviate cookie banner fatigue" and let users make real choices, the EC said.

The new rules also give businesses more legal clarity and cut compliance burdens, the EC said, offering companies additional opportunities to create value on top of personal data while retaining core GDPR principles. The measure simplifies some obligations for businesses and organizations. For example, it clarifies when they must conduct data protection impact assessments and when and how to notify supervisory authorities of data breaches.

The omnibus makes "tweaks to procedural aspects of the law" but doesn't change principles or accountability requirements, Ustaran said. If the original GDPR, which took effect in 2018, had been the same as the one resulting from the simplifications announced now, "no one would have blinked an eye."

The digital omnibus is a "promising first step towards simplifying EU tech rules," said Alexandre Roure, the Computer & Communications Industry Association's head of policy, in a statement. However, "its narrow scope leaves much of the EU's patchwork untouched." A key improvement, he said, is clearer rules on the interaction between AI and data protection under the GDPR.

IAPP Director of Research and Insights Joe Jones said in an emailed statement that the EC "has set into motion the likely tortuous and impassioned legislative process to reopen, unpick, and reform the one-time poster child of EU regulation and the 'Brussels effect.'"

European Digital Rights accused the EC of rewriting "essential parts of the GDPR" via a "new recital that allows companies to mark their own homework, allows the unchecked use of people's most intimate data for training AI systems, and reshapes automated decision making, leading to discriminatory impacts to allow wider use with fewer limits."

The European Consumer Organisation said simplifying digital rules will help "mainly large companies at the expense of consumers."

'Pandora's Box'

During a Future of Privacy Forum (FPF) webinar later on Wednesday, European privacy experts mostly panned the GDPR proposal. The EC is “opening Pandora’s box,” said Paul Breitbarth, a member of the Jersey Data Protection Authority. “This will not be done in six months.”

“I can’t say I’m a big fan of the fact that the European Commission will adopt implementing acts instead of leaving it through the supervisory authorities,” Breitbarth added. “Given our history ... to adopt an opinion on a technical topic like this within eight weeks of the European Commission presenting a draft, reaching agreement between all data protection authorities ... is ridiculous.”

Among multiple specific concerns with the proposal, Breitbarth said he isn’t sure the EC “fully thought through” a “very confusing” proposed change that would narrow the definition of personal data. “From a business perspective, I would say, ‘Yay!’ ... because the GDPR applicability and therefore compliance requirements go down.” At the same time, “this makes [companies’] world a lot more complex” because it impacts “all their existing approaches to privacy and data protection.”

Narrowing the definition of personal data “would be counterproductive,” said Sophie Stalla-Bourdillon, co-director of the Brussels Privacy Hub. Some covered entities already tend not to include certain data under the current definition, so narrowing it might not be “exactly the right signal that you want to be giving.”

Also, Stalla-Bourdillon said “any attempt to reduce the effectiveness of the right to access is a mistake.”

Breitbarth agreed. The EC’s goal is probably to stop the “weaponization of individual rights” under GDPR, he said, but here “the text is too vague.” Gabriela Zanfir-Fortuna, FPF vice president for global privacy, noted that access to one’s personal information is essential to data protection.