The European Commission has released a proposal for a Regulation, known as the “Digital Omnibus”, aimed at simplifying the digital legislative framework. The proposal includes the most significant changes to EU data protection law since the passing of the GDPR.
This article explores the most significant aspects of the Commission’s proposals, including a new definition of personal data, new data breach reporting requirements, and additional conditions for processing special category data.
Clarification of the ‘personal data’ definition
The proposal amends Article 4 to embed a “relative” nature of personal data into EU law. Information will not be considered personal data for a specific entity if that entity does not have the means reasonably likely to be used to identify the natural person.
This test applies even if another entity could identify the person from the information. The assessment must consider the means reasonably likely to be used by the specific entity holding the data.
This change aims to provide legal certainty for entities handling pseudonymized or encrypted data where they lack the decryption key.
Cookies and terminal equipment rules moved to GDPR
The rules regarding the storage of and access to information on terminal equipment (currently in the ePrivacy Directive) are moved to the GDPR via a new Article 88a.
Storing or accessing data on terminal equipment generally requires consent where personal data is involved. The proposal would add two exceptions to that consent requirement, beyond those already in the ePrivacy Directive:
- Audience measurement carried out by the controller for their own use.
- Maintaining or restoring the security of a service.
To combat consent fatigue, if a user refuses consent, the controller cannot request it again for the same purpose for at least six months.
Controllers must respect automated machine-readable signals (such as browser settings) indicating a user’s choice to consent or object.
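As an added illustration (example code written for this article, not part of the proposal or of any project's code base), the following JavaScript models the two obligations above as one decision function: a machine-readable browser signal is honoured before any banner is shown, and a refusal blocks further requests for the same purpose for at least six months. The signal values ("object", "consent", null), the record shape and the in-memory store are assumptions; the proposal names no particular signal format or storage mechanism.

```javascript
// Added example, not from the article: a consent gate for one purpose that
// (1) respects an automated browser signal and (2) never re-prompts within
// six months of a refusal. Signal vocabulary, record shape and the in-memory
// store are assumptions; a real site would persist records client- or server-side.

const SUPPRESSION_MONTHS = 6;

// Add whole calendar months. If the target month is shorter, JavaScript rolls
// the date forward (e.g. 31 Aug + 6 months -> 3 Mar), which only lengthens
// the window and so still satisfies "at least six months".
function addMonths(date, months) {
  const d = new Date(date.getTime());
  d.setUTCMonth(d.getUTCMonth() + months);
  return d;
}

// Store shape (assumed): { [purpose]: { decision: "granted" | "refused", at: Date } }
function recordDecision(store, purpose, decision, at) {
  if (decision !== "granted" && decision !== "refused") {
    throw new Error(`unknown decision: ${decision}`);
  }
  store[purpose] = { decision, at: new Date(at.getTime()) };
  return store;
}

// True while a refusal for this purpose is younger than six months.
function refusalStillFresh(store, purpose, now) {
  const rec = store[purpose];
  if (!rec || rec.decision !== "refused") return false;
  return now < addMonths(rec.at, SUPPRESSION_MONTHS);
}

// Decide what the site may do for `purpose` right now.
// `signal` models an automated browser setting: "object", "consent" or null.
// Returns one of:
//   "signal-object"  - signal says no: recorded as a refusal, no banner
//   "signal-consent" - signal says yes: proceed without a banner
//   "suppressed"     - user refused within the last six months: no banner
//   "granted"        - a stored consent exists: proceed
//   "prompt"         - nothing is known: a consent request is permitted
function resolveConsent(store, purpose, signal, now) {
  if (signal === "object") {
    // Persist the objection so a later visit without the signal stays suppressed.
    recordDecision(store, purpose, "refused", now);
    return "signal-object";
  }
  if (signal === "consent") return "signal-consent";
  if (refusalStillFresh(store, purpose, now)) return "suppressed";
  const rec = store[purpose];
  if (rec && rec.decision === "granted") return "granted";
  return "prompt";
}
```

The suppression is keyed per purpose, so a refusal for analytics does not block a first request for a different purpose; the signal check runs first so that a user who has configured their browser is never shown a banner at all.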
New thresholds for data breach notifications
The proposal amends Article 33 to align the threshold for notifying supervisory authorities with the threshold for communicating with data subjects.
Controllers will only be required to notify the supervisory authority if the breach is “likely to result in a high risk” to the rights and freedoms of natural persons (as opposed to the current “risk” threshold). The deadline for notification is also extended from 72 hours to 96 hours.
Notifications must be submitted via a new “single-entry point” established by ENISA, streamlining reporting obligations across different legal acts (such as NIS2). The European Data Protection Board (EDPB) will develop a common template for notifications and a list of circumstances considered “high risk”.
Exceptions for AI and biometric data
New points are added to Article 9(2) to facilitate specific processing activities involving special category data:
- Biometric data: Processing is permitted for identity verification (authentication) where the data or the means of verification are under the sole control of the data subject.
- AI training: This condition allows for the processing of special category data that is residually present in AI training, testing, or validation sets, provided appropriate measures are taken to avoid its collection and the data is removed or protected against disclosure.
Harmonization of DPIAs
The proposal aims to harmonize the requirement for Data Protection Impact Assessments (DPIAs) across the EU.
The current system of national lists is replaced by a single EU-wide list of operations requiring a DPIA. A corresponding EU-wide list of operations not requiring a DPIA will be established. The EDPB will develop a common methodology and template for conducting DPIAs.
Modifications to data subject rights
Amendments to Articles 12 and 13 aim to reduce the burden on controllers regarding access requests and information obligations.
- Right of access: Controllers may refuse requests or charge a fee if the request is “abusive” (used for purposes other than data protection) or excessive. The burden of proof for “excessive” requests is lowered for controllers.
- Information obligations: Controllers are exempted from providing Article 13 privacy notices in non-data-intensive relationships (e.g., small associations, craftsmen) where it is reasonable to assume the data subject already has the information.
- Scientific research: Specific exemptions apply where providing information would be impossible or involve disproportionate effort, provided the information is made publicly available.
Automated decision-making clarification
Article 22 is amended to clarify the “necessity” exemption for entering into a contract.
A decision based solely on automated processing is considered necessary for a contract even if the decision could technically be taken by a human. This confirms that controllers can rely on the contract exception for efficiency reasons, provided other safeguards are in place.
Pseudonymization standards
A new Article 41a empowers the Commission to adopt implementing acts specifying criteria to determine when pseudonymized data no longer constitutes personal data.
These criteria will take account of the state of the art in available re-identification techniques and will give controllers a basis for assessing the risk of re-identification.
Legislative status and next steps
This text remains a Commission proposal and is subject to the ordinary legislative procedure. It must be amended and adopted by the European Parliament and the Council before becoming law.
- Do not update compliance frameworks based on this draft. Current GDPR and ePrivacy Directive obligations remain fully enforceable.
- Negotiations may alter the final text significantly.
- Once adopted, the Regulation will enter into force three days after publication in the Official Journal.
- Transitional periods will apply, including six months for the new terminal equipment rules and up to 24 months for the single-entry point reporting mechanisms.