The European Commission released its long-awaited Digital Omnibus package on Wednesday (19 November), a smorgasbord which includes changes to the AI Act, the General Data Protection Regulation, cookie policies, and EU cybersecurity — but what does it change for users' data and privacy?
The proposal is the latest addition to the multiple simplification omnibus packages proposed by the second Ursula von der Leyen commission; an initiative responding to the EU's lagging productivity and innovation, highlighted by the 2024 European Competitiveness report by Mario Draghi.
The Digital Omnibus was pitched as allowing businesses, especially small-to-medium-sized, to spend more time on innovation and less time on administration, by harmonising overlapping legislation and regulations to make them more business-friendly;
And the package involves amending the GDPR.
"The objective of the targeted amendments to the General Data Protection Regulation (GDPR) is to maintain the effectiveness and integrity of this landmark regulation while also addressing stakeholder calls to clarify, simplify and harmonise the GDPR” Michael McGrath, commissioner for democracy, said, announcing the changes.
The commission insists that the package strikes a balance between innovation and fundamental protections.
However, civil society groups have long been concerned about this proposal, believing it caves to US Big Tech firms whilst deregulating essential online rights.
Most of the omnibus adjustments users won’t directly see; instead, they will be rewiring how personal data flows in the background — but what exactly are the changes, and how does it affect the users' data?
The proposal seeks to adjust how data is protected and processed in the EU and amends the definition of 'personal data' in the GDPR.
How it used to work: the definition of personal data the GDPR currently uses is universal and applies to users’ names, identification numbers, and even information about a user's social or cultural identity; this protection is applied in every situation.
How it works now: the wording in the documents makes the definition of personal data situational.
For example, if a company cannot identify a user from their data, like by anonymising their info, then it could no longer considered personal.
What does this mean: when a user creates an account or stores their personal information on a website, if the data is anonymised and the user cannot be identified by the platform storing it, then it is no longer protected and can be used for training and tracking.
But companies and data controllers can determine for themselves whether the data is anonymous.
Gianclaudio Malgieri, associate professor of digital law at Leiden University, points out to EUobserver, “The identifiability of personal data now depends on what a controller claims to know.”
An important purpose of the omnibus is to make AI development easier across the continent, and the proposal includes measures to that end.
How it used to work: before the GDPR, there was no specific legal framework for companies and scientific researchers to use and process personal data to train their AI model.
How it works now: under the framework of “legitimate interest,” aforementioned entities can now use personal, and in some cases, sensitive user data to train AI.
What does this mean: “Legitimate interest” under the GDPR means a company can process data, for reasons like marketing or fraud prevention, without user consent, as long the reason is real and it does not infringe on fundamental rights — AI-training would be considered a legitimate interest.
For the user, as they surf the web or use AI chatbots, if a company claims a legitimate use for their data, it can be processed into AI models without the company necessarily letting the user know.
“This change creates a much easier environment for AI-model development", but "people will forcibly have their data collected to train AI models regardless of their choice,” explains Don Le, senior programme officer at digital rights NGO Article 19 to EUobserver.
Within the omnibus, there are multiple changes to where and when companies must provide consent for entities to access user data or a device.
How it used to work: before, two different laws dictated privacy and consent online — the GDPR and the 2002 ePrivacy Directive.
Under ePrivacy, for a company to access a user's device, it had to inform the customer, unless it was for sending electronic messages or strictly necessary to access the device to provide the service the customer wanted.
Under the GDPR, a company must explicitly inform the customer how the user's personal data will be processed by the entity, if it is sent to a third party, and where to contact the company if they have a complaint.
How it works now: the commission wants to fold ePrivacy into the GDPR, adjusting consent rules for accessing devices, and changing when companies need to inform users about their data.
The ePrivacy rules will become a new article in the GDPR, requiring companies to inform their customers when gaining access to a device.
However, it adds two new categories beyond messaging and service, where a company can enter without consent — maintaining security and aggregating information.
And now, if a company feels it is reasonable to assume the user knows the how company is processing their data, the entity does not have to inform them, unless they transmit the data to another party.
What does this mean: the rule changes provide new ways for entities to use and gather data without needing to inform the user.
When surfing the internet, people might see fewer and fewer cookie banners or privacy notices; however, their data is still accessed.
But there are fears that the new access will be abused.
“While the general direction of changes is understandable, the wording is extremely permissive and would also allow excessive 'searches' on user devices for (tiny) security purposes,” writes the legal NGO noyb, in their response to the proposal.
The document landed with a thud in Europe, as both civil society and industry have issues with the proposed legislation.
Industry doesn't believe it goes far enough to help.
Big-Tech lobby Computer and Communications Industry Association Europe’s head of policy, Alexandre Roure, said of the omnibus: “Its narrow scope leaves much of the EU’s patchwork untouched.”
“Efforts to simplify digital and tech rules cannot stop here,” he added.
However, experts seeing little competitiveness gains in the universality of the changes.
“The omnibus does not give a comparative advantage to EU companies because also non-EU companies would benefit from more data access in Europe,” says non-resident fellow Mario Mariniello, who focuses on the digital economy at Brussels-based think-tank Bruegel.
And civil society feels their fears are confirmed, and that the proposal is hurting protection.
“The commission keeps saying each change is minor. At this point, the only minor thing left is the protection people get,” said Itxaso Domínguez de Olazábal, policy advisor at the European Digital Rights group, to EUobserver
The omnibus is now off to the European Council and the European Parliament for deliberations.
Every month, hundreds of thousands of people read the journalism and opinion published by EUobserver. With your support, millions of others will as well.
If you're not already, become a supporting member today.
Owen Carpenter-Zehe is a junior reporter from the US at EUobserver, covering European politics.
Owen Carpenter-Zehe is a junior reporter from the US at EUobserver, covering European politics.