EU Privacy Regulators Criticize Digital Omnibus

The European Commission’s recent proposal to amend tech regulations, framed as a measure to enhance competitiveness across the continent, has sparked significant criticism from privacy advocates. The proposed changes could dilute existing EU privacy protections, raising concerns about their implications for personal data security.

The commission introduced a series of amendments in its “Digital Omnibus” package, aiming to streamline tech regulations. This bill is currently on a fast-track route, although it still requires negotiation with the European Parliament and the Council of the EU, which is comprised of member state representatives.

Among the changes, while some have been received positively—such as the removal of intrusive cookie consent banners and simplified protocols for reporting data breaches—digital rights groups have expressed alarm over proposals affecting the General Data Protection Regulation (GDPR). A central concern is the narrowing of what constitutes personal data. Under this proposed definition, data that organizations cannot directly associate with identifiable individuals may no longer be governed by GDPR, thereby potentially allowing third parties, like advertising brokers, to exploit such data without regulatory oversight.

In a strong public statement, the European Data Protection Board and the European Data Protection Supervisor advised lawmakers against these proposed changes, emphasizing that fundamental rights should not be compromised in the name of simplification. EDPB chair Anu Talus underscored the necessity of safeguarding individual data protection while enhancing EU competitiveness, advocating against any modifications to the definition of personal data.

The watchdogs also contested the commission’s assertions that the amendments would align with the jurisprudence of the Court of Justice of the European Union (CJEU). They contended that the commission misinterpreted the relevant case law to support its agenda, arguing that the proposed changes would erode legal certainty rather than bolster it.

Max Schrems, head of the privacy advocacy group Noyb, echoed this sentiment, labeling the revisions as more than mere technical adjustments. He criticized the implications of these changes for EU residents’ rights to data protection, particularly highlighting a proposal that could limit individuals’ access to their data unless specifically requested for data protection purposes. Schrems argued that the existing provision serves to protect fundamental rights and freedoms, a principle already backed by prior CJEU rulings.

In relation to the proposed legal basis for interpreting the “legitimate interest” parameter, Schrems expressed skepticism, pointing to a lack of legal clarity around AI development and operation. He noted that prior deliberations by data protection authorities had already determined that no amendments to the GDPR were necessary, but the current proposal complicates matters without adding clear legal frameworks.

The Digital Omnibus proposal also suggests raising the threshold for notifying supervisory authorities about personal data breaches. Currently, organizations must report breaches within 72 hours, but if this amendment passes, notifications would only be required for breaches deemed likely to significantly impact the data subjects’ rights and freedoms, extending the deadline to 96 hours. While this change may reduce administrative burdens, it also raises critical questions about maintaining robust data protection standards.

Ongoing pushback from regulatory bodies highlights the need for a responsible approach to updating data protection laws. As discussions evolve, business owners and stakeholders in the cybersecurity landscape should remain vigilant about the potential ramifications of these amendments, particularly regarding their responsibilities under current data protection laws and the importance of maintaining high standards of data privacy in the face of regulatory changes.