
What Is the Digital Omnibus Regulation Proposal?

Maybe you’ve heard–the EU has a bit of a reputation for excessive regulation.

That’s doubly true for digital space. Between the GDPR, ePrivacy Directive, EU AI Act, DMA, DSA, Data Governance Act, Digital Directive, Data Act, and more, compliance is a herculean feat for many businesses subject to EU rules. In fact, there are so many regulations in the EU, we bet you can’t tell which one in the previous list that we made up. 

(It’s the Digital Directive–no such directive exists, so no need to frantically research its requirements.)

That’s why EU legislators have put forth the Digital Omnibus, a proposed regulatory package to consolidate, streamline, and simplify the requirements in the EU’s many digital regulations. 

Normally, we wouldn’t cover proposed legislation due to the uncertainty in their passage and how they might transform over time. However, the proposed changes in the Digital Omnibus would be transformative for data privacy in the EU and for the GDPR. The GDPR served as the inspiration for data privacy regulations around the world–if it’s to be amended, legislators around the world may take the cue and make corresponding changes to their data privacy regulations.

Furthermore, the Digital Omnibus exemplifies a growing trend: Privacy regulation is being simplified for both businesses and consumers alike. Even if what eventually becomes law differs from the current proposed package, there will still certainly be something that updates the EU’s data privacy landscape. Understanding what’s on the table currently can help you be prepared for what comes next.

The Digital Omnibus’s Proposed Changes

1. Some Data Would No Longer Be Subject to the GDPR

If you’ve dug into what constitutes personal data under the GDPR, you may have been surprised at its scope. The Digital Omnibus proposes to limit the definition of personal data only to that which could be reasonably likely used to identify a person. Pseudonymized data would therefore be exempt, unless you possessed the means of re-identifying the pseudonymized data. To determine whether certain data is non-personal, you’d have to conduct a risk assessment.

Why Does This Matter?

  • GDPR requirements around consent and other legal bases for processing, notices, subject rights requests, and more apply only to personal data.
  • Businesses engaged in certain processing activities could have significantly reduced compliance burdens as a result.

2. No More Redundant Breach Reports

Currently, businesses subject to EU regulations must report data breaches under the NIS2 Directive, the GDPR, the Digital Operational Resilience Act (DORA), and more. Under the proposed changes, businesses would be able to report incidents in a single portal managed by ENISA (European Union Agency for Cybersecurity). 

The Digital Omnibus would also require businesses to notify individuals only if the breach posed a high risk to their rights, and it would extend the reporting deadline from 72 hours to 96 hours.

Why Does This Matter?

  • Saves time and avoids confusion by reducing duplicative reporting
  • Reduces potential reputational harm compared with current requirements that businesses inform individuals of minor incidents
  • May increase harm to consumers if businesses delay notification after a breach when rapid risk mitigation measures are merited (e.g., if a breach resulted in identity theft)

3. Legitimate Interest, Sensitive Data Okay for AI Processing

The Digital Omnibus would permit the use of the “legitimate interest” basis for developing and operating AI systems. The organization, however, must conduct and document an assessment balancing their legitimate interests against the rights and freedoms of the data subject, minimize their use of data, provide data subjects an unconditional right to object to processing for this purpose, and more. 

The proposal would also permit the use of “residual” sensitive data for AI development and testing–that is, sensitive data accidentally included in the large datasets required for AI training. The proposal would require developers to try to avoid collecting this data, remove it from datasets or models if discovered, and prevent its use in outputs when removal is disproportionately burdensome.

Why Does This Matter?

  • Simplifies large-scale training of AI
  • Strengthens documentation expectations for AI developers
  • Unconditional right to object to processing may be challenging to implement

4. Broad Changes to Consent in Various Contexts

The data subject’s consent is a rock-solid legal basis for data processing, but it’s not always easy to secure and operationalize for the business or the consumer. The Digital Omnibus proposes changes to how consent operates in several contexts:

  • Consent would no longer be needed for biometric verification (e.g., unlocking your device with a fingerprint), so long as the data remains solely under user control
  • Websites and apps must accept and honor consent signals (e.g., browser settings, potentially including the Global Privacy Control), cutting down on the proliferation of cookie banners.
  • Consent for cookies would still be required under the ePrivacy Directive, but with some exemptions. Specifically, businesses would not need to secure consent when 1) the user explicitly requests the service; 2) cookies are used for security purposes; and 3) cookies are used for first-party audience measurement. Other than that, cookies would still require consent, even if they happen to fall outside of the GDPR’s definition of personal data.

Why Does This Matter?

  • These changes will simplify consent management, which can be expensive and complex for businesses and intrusive for users when done poorly.
  • Cookie banners will remain a key component of consent management processes, at least for the time being. Increasingly, however, browser-level consent management is emerging as the preferred methodology.
  • Consent management platforms (CMPs) will still be an important tool for browser-level consent management–that’s especially true if some users will depend on banners and some will depend on browser settings. Your CMP vendor’s flexibility and willingness to adapt to ongoing privacy developments for consent will be key evaluation factors.

5. Scientific Research, Statistics, and Archiving Are Compatible Purposes 

If you rely on consent for your legal basis under the GDPR, you need to secure the data subject’s consent again if you want to use data for a secondary purpose beyond what was disclosed to the data subject. If you rely on other legal bases, such as legitimate interest, then you need to determine whether the secondary purpose is compatible with the original. The Digital Omnibus proposes to classify further processing for scientific research, statistics, or archiving as compatible.

Why Does This Matter?

  • Lower barriers for scientific research
  • Fewer assessments required

6. New Privacy Notice Exemptions

Under the proposal, controllers would not need to provide privacy notices when they collect minimal data, the data subject reasonably knows the nature of the relationship and processing activities, and the use of personal data is low risk. Also, notices associated with processing for scientific research could be skipped when providing them is impossible, too difficult, or undermines the research.

Why Does This Matter?

  • Smaller businesses and those without risky processing have one fewer thing to worry about.
  • Research institutions don’t have to worry about compromising their research.

7. Further Clarification on When to Refuse Abusive DSARs

As under the current version of the GDPR, businesses would be able to refuse or charge for data subject access requests (DSARs) used for purposes like harassment, litigation pressure, compensation schemes, or bad-faith bargaining. Currently, however, the GDPR only restricts manifestly unfounded or excessive requests; the proposed change would permit refusal or charging for DSARs made by the data subject “for purposes other than the protection of their data.”

Why Does This Matter?

  • Reduces administrative load for excessive DSARs
  • Provides greater protection against “fishing expeditions”
  • Requires thorough decision-making documentation when rejecting or charging for DSARs

8. Harmonized DPIAs

Currently, data protection impact assessments (DPIAs) differ in each member state of the EU. This proposed change would task the European Data Protection Board with creating a standardized DPIA template and methodology as well as a standard list of activities that do and do not require a DPIA.

Why Does This Matter?

  • Reduces the difficulty of conducting assessments for activities in different member states
  • Reduces the ambiguity of when a DPIA is or is not required

9. Broad Data Use and Governance Changes

The Digital Omnibus would consolidate and streamline requirements in the Data Act, Data Governance Act, Open Data Directive, Platform-to-Business Regulation, and the Free Flow of Non-Personal Data Regulation. These changes include:

  • Relief for certain organizations and services from strict cloud-switching deadlines and fee-phase-out rules for existing contracts
  • Stronger protection for trade secrets
  • Narrower scope for government access to data
  • Removal of smart-contract apps’ need to meet statutory “essential requirements” defined under the Data Act
  • Provision of model contractual terms for data access and use and standard clauses for cloud computing contracts

Why Does This Matter?

  • Overall, reduced regulatory constraints and risk of proprietary data exposure for cloud, SaaS, and IoT vendors

10. EU AI Act Implementation Changes

The Digital Omnibus proposes a delineation of oversight, cutting down on the overlap between AI and non-AI regulations. It also would ensure that certain AI Act obligations won’t kick in until corresponding resources, standards, and support tools have been put in place by the European Commission. 

AI providers and deployers would be permitted to use sensitive data specifically for the purpose of bias detection and correction. However, they would need to implement appropriate safeguards first.

Small and medium-sized enterprises and small mid-cap companies would have reduced compliance burdens. This includes streamlined documentation requirements and special consideration in the application of penalties.

Lastly, AI providers that technically fall under the high-risk category but only intend to deploy their AI for narrow or procedural tasks would have reduced registration requirements.

Why Does This Matter?

  • The EU AI Act will likely influence other global AI regulations
  • These changes represent a measured, targeted reduction in compliance burdens, serving to fine-tune the AI Act

When Will This Go Into Effect?

The answer to that question has yet to be determined. The Digital Omnibus isn’t law yet, won’t be for a while, and may not even be enacted. It’s at the very start of its legislative journey and may evolve significantly along the way.

However, it is important to understand the changes it proposes at the outset. The EU’s digital regulations are bellwethers for digital regulation globally. When the GDPR was enacted, dozens of laws were enacted based on its framework. If it should be significantly modified, those changes may propagate to current and future digital regulations as well. Early insight into these changes can ensure you’re managing digital compliance proactively.

We can keep you apprised of the latest developments in the Digital Omnibus, digital regulation writ large, and data privacy specifically. Sign up for Osano’s Privacy Insider newsletter to get the latest news in the world of data privacy.
