On Wednesday 19 November, the European Commission unveiled a wide-ranging series of adjustments to a number of digital laws in an ‘omnibus’ legislative proposal, including relaxations to the General Data Protection Regulation (GDPR), citing the “urgent need to restore Europe’s competitiveness” by “simplifying its administrative burdens”.
While it does not want to weaken citizens’ rights and the European data protection framework (see EUROPE 13752/13), the Commission believes that certain targeted amendments to the GDPR are now necessary and that it was essential to adapt several other texts relating to data management, centralising them in a single ‘Data Act’.
In July 2024, however, a report published by the Commission presented the implementation of the GDPR overall as a success, with “broad consensus” on the “important results” of the regulation for “businesses and individuals” (see EUROPE 13642/13).
The text proposed on Wednesday seeks to revise the definition of personal data, taking into account a recent ruling by the Court of Justice of the European Union. On 4 September, the CJEU confirmed that pseudonymisation of data can indeed reduce its personal nature, as long as it is legitimately anonymised (see EUROPE 13702/24).
On the strength of this ruling, the Commission intends to amend Article 4 of the GDPR on the categorisation of personal data accordingly. If it is determined that the information provided by the data is not sufficient to physically identify the person in question, it may no longer be considered as personal data.
The proposed regulation also introduces a new derogation from Article 9, which prohibits the processing and storage of special categories of personal data.
This derogation establishes that the development and operation of AI systems or models constitute a “legitimate interest” in the use and processing of this type of data, provided that appropriate technical and organisational measures are put in place to prevent it being retained.
This amendment is based on the opinion of the European Data Protection Board, published last December, which did not oppose this use outright, believing that the argument of legitimate interest can be a legal basis for justification (see EUROPE 13549/10).
“I would like to emphasise the term ‘targeted modifications’. We are not reopening the GDPR, its core remains completely intact. We are clarifying certain concepts and principles,” defended Consumer Protection Commissioner Michael McGrath at a press conference.
It did not take long for the announcement of these changes to provoke a widespread reaction. Amnesty International, Noyb, Finance Watch and several European Parliament groups and MEPs have denounced an unprecedented “weakening” of data protection and European citizens, which opens up a huge loophole in the Union’s legislative framework, to the advantage of the American digital giants.
On the other side of the fence, other digital sector organisations such as BusinessEurope, the Business Software Alliance and the CCIA are satisfied with the “pragmatic adjustments” presented.
The Commission also intends to combat “consent fatigue” by revising the rules on cookies and the proliferation of “banners”. It wants to give consumers the opportunity to save their preferences directly in the browser or in a third-party application, so that they do not have to repeat the process every time they open a new website.
See the GDPR proposals: https://aeur.eu/f/jj3 (Original version in French by Isalia Stieffatre)