The Digital Omnibus: A New Step in the European Union’s Digital Governance

The Main Amendments to the GDPR Introduced by the Digital Omnibus

Currently, the GDPR^[1] defines personal data as any information relating to an identified or identifiable natural person, directly or indirectly.

The Digital Omnibus refocuses this notion on the existence of “reasonable means” of identifying the data subject.^[2] Pseudonymised data could thus, for certain recipients, no longer be regarded as “personal data” and, therefore, fall outside the scope of the GDPR where those recipients have no reasonable means of re-identifying the data subjects.

The objective is to ease the conditions for the use of pseudonymised data, in particular for the development and training of AI systems.

The Digital Omnibus provides for the possibility for the Commission to adopt implementing regulations in order to specify the applicable criteria.

The GDPR^[3] requires the controller to inform the data subject at the time of direct collection of their data (in particular regarding the identity of the controller, the purposes of processing, the recipients, the retention period, etc.), unless the data subject already possesses that information.

The Digital Omnibus proposes to extend this exemption from the information obligation in the following situations:

• within the framework of a “clear and circumscribed relationship” between the controller and the data subjects: where there are reasonable grounds to assume that the data subject already has that information, where the controller’s activity is not complex, involves the collection of a limited amount of personal data and is unlikely to give rise to a high risk (examples: artisan–customer relationships; sports club–member relationships, etc.). This exemption would not apply in the event of disclosure of the data to third parties or transfer outside the European Union;
• where processing takes place “for scientific research purposes”: where the provision of the information is impossible, would require disproportionate effort, or would be likely to seriously impair the research.

The GDPR^[4] provides that any person has the right of access, free of charge, to their data where it is being processed. Where access requests are “manifestly unfounded or excessive”, the controller may nevertheless require the payment of “reasonable fees” or refuse to act^[5].

The Digital Omnibus proposes to clarify:

• the situations in which the right of access is exercised abusively or excessively, that is to say for purposes other than the protection of personal data (examples: requests made in order to seek compensation, or with the intention of causing harm to the controller, overly broad or generic requests, etc.);
• the conditions for demonstrating that an access request is abusive or excessive.

This clarification would reduce the burden of proof borne by the controller.

The GDPR in principle prohibits the processing of special categories of data such as data revealing racial or ethnic origin, health data and biometric data, subject to strictly defined exceptions^[6].

The Digital Omnibus introduces several targeted relaxations:

• with regard to biometric data: processing would be permitted where it is strictly necessary to confirm identity and where the data and the means of verification remain under the exclusive control of the data subject;
• in the context of the development and operation of an AI system or model: residual processing of special categories of data could be tolerated, subject to the implementation of appropriate technical and organizational measures aimed at preventing their collection and processing, deleting them if detected, or protecting them to prevent disclosure.

Processing of personal data carried out in the context of the training, development and operation of an AI system or model could rely on the legal basis of legitimate interests, except where the law requires the consent of the data subject, and provided that the controller implements appropriate technical and organisational measures.

This proposal aims to encourage the development of innovative artificial intelligence solutions within the European Union.

The Digital Omnibus provides for a simplification of the notification mechanism to the competent authorities in the event of a personal data breach:

• such notification would only be required in cases of a “high risk” for the data subject;
• and would have to be carried out within 96 hours (instead of 72 hours currently).

Cookies are currently governed both by the directive on privacy and electronic communications^[7] and by the GDPR.

For the sake of simplification, the Digital Omnibus proposes:

• to integrate into the GDPR part of the directive on privacy and electronic communications concerning consent to the storage of and access to personal data on the data subject’s terminal equipment;
• to improve user experience by facilitating consent via a single-click button;
• to broaden the situations in which no consent would be required, in particular where the processing is strictly necessary for the transmission of electronic communications, or for the provision of a service requested by the user.

The Main Amendments to the AI Act Introduced by the Digital Omnibus

The Digital Omnibus provides in particular for:

• a postponement of 16 months of the application of certain obligations applicable to high-risk AI systems, in order to allow the availability of harmonised standards necessary for their implementation and practical compliance tools. The new date of application would be set at 2 December 2027 (instead of August 2026);
• the extension of regulatory simplification measures provided for SMEs to mid-sized undertakings, in particular lighter technical documentation requirements applicable to high-risk AI systems;
• the introduction of a single notification procedure for conformity assessment bodies;
• the easing of post-market monitoring requirements for AI systems.