Digital Omnibus: EU DPAs reject many proposed changes to the GDPR

GDPR Policy / 11 February 2026

The EDPB (combining all independent data protection authorities) and the European Data Protection Supervisor (EDPS) published a joint opinion expressing serious concerns about key elements of the proposed GDPR and ePrivacy changes in the so-called “Digital Omnibus” proposed by the European Commission. Specifically, the authorities strongly oppose the proposed narrowing of the definition of personal data. The opinion also questions the need for various key proposals, such as the legal basis for AI training and restrictions on the right of access. Many other provisions are seen as not clear enough. The authorities’ feedback is another major blow for the Commission’s attempt to limit the rights of users.

EDPS and EDPB are stopping the approaching Digital Omnibus

Highly important input on the Digital Omnibus. With the Digital Omnibus, the European Commission has proposed sweeping changes to the GDPR and the ePrivacy Directive disguised as a simplification measure. This could mean, among other things, a restriction of the definition of personal data (Article 4(1) GDPR) and of the right of access (Article 12(5) GDPR), and a free pass to process user data for AI training. Such changes do not help with reducing administrative overhead for normal EU businesses, but are mainly useful for US big tech companies. Civil society organisations have already sounded the alarm, but now the highly influential and independent European Data Protection Board (EDPB) and European Data Protection Supervisor (EDPS) have put the proposal under new scrutiny: in a joint opinion, the authorities raise serious concerns about some of the most important proposals.

Max Schrems: The independent authorities have called out key changes for what they are: neither ‘technical changes’ nor ‘simplification’, but limitations of the right to data protection for EU residents.

Change of personal data definition: rejected. Most notably, the EDPB and EDPS confirm concerns by stakeholders regarding the proposal to narrow the definition of personal data under Article 4(1) GDPR. According to the opinion, this would go far beyond a targeted modification of the GDPR, a ‘technical amendment’ or a mere codification of CJEU jurisprudence.

Likewise, the authorities reject the Commission’s proposal to extend its own powers, allowing it to decide what qualifies as pseudonymised personal data. In combination with the new definition of personal data, this could open convenient ways for companies to escape from the application of the GDPR.

AI training based on a legitimate interest? While the opinion doesn’t strictly oppose the Commission’s proposal regarding AI training based on a legitimate interest, the EDPB and EDPS highlight that, in reality, the newly introduced Article 88c does not clarify the matter. Companies would still need to carry out a three-step test to assess whether the use of a legitimate interest as the legal basis is lawful. Many other key issues around the use of personal data in AI training would not be resolved by the proposal.

Restriction of the right of access. In its current form, the Commission’s proposal for Article 12(5) GDPR would restrict data subjects’ ability to use their right of access to obtain their own data, requiring that this right be used for “data protection purposes”. This would likely exclude journalistic, research, political, economic, legal or many other purposes to access one’s own personal data. The authorities make clear that such a rejection would violate existing CJEU case law, even if clarification of the existing restrictions for “abuse” of access rights is possible.

Confirmation of earlier criticism. On many other Articles the EDPB and EDPS take the position that the aims of the Commission are understandable, but that the way the proposals are drafted does not reach the level of clarity and depth needed for them to be useful in practice.

The core findings of the authorities’ assessment concur with those of noyb’s detailed analysis of the European Commission’s proposal. On the other hand, some of the proposed changes seem to be considered acceptable by the authorities, despite the fact that instead of streamlining enforcement and reducing regulatory burden for European SMEs, many of the changes would actually increase the complexity. This would solely benefit US big tech companies and law firms specialised in finding loopholes for their clients to exploit.

Next: Council and EP Position: The European Parliament and Council will hopefully take this joint EDPB/EDPS opinion into account but go further by deleting some of the changes that cannot meaningfully be fixed and profoundly improving other elements.
