Presented by the European Commission on November 19, the Digital Omnibus aims to relax a GDPR deemed too restrictive for European economic growth. It must be examined by the European Parliament.
JDN. Why is the European Commission proposing to amend the GDPR?
Marc-Antoine Ledieu. The GDPR, which is a great ethical step forward, has been set up as an indestructible totem. But the European Commission has found that the GDPR often overapplies. It therefore decided to restrict the scope of provisions interpreted too extensively in certain member states in order to harmonize the application of the text throughout the European Union (EU).
Also, by adopting very restrictive positions in terms of data protection, the EU realizes that it is falling behind in the competition for AI. This is why the European Commission is qualifying the GDPR so that Europeans stop stabbing themselves by prohibiting what others, like the Americans, are doing. The revision of the GDPR proposed by the European Commission helps stimulate innovation in AI and research. That’s a good thing.
What are the important changes to the GDPR proposed by the Digital Omnibus?
It proposes to modify the definition of personal data by specifying that information relating to a person is not necessarily personal. For example, information that does not allow the natural person to whom it relates to be identified is not personal data. With this modification, the European Commission reinterprets the definition with common sense.
Also, the text proposes exceptions to the ban on the processing of sensitive data. These data are, for example, a person’s racial or ethnic origins, political opinions, genetic or biometric data. The Commission specifies, in fact, that the processing of biometric data is necessary, and therefore legitimate, to verify the identity of a person. This can for example be the case in airports. This is a common sense exception allowing us to stop asserting that the verification of a biometric identity, in certain legitimate cases, is an attack on people’s fundamental rights.
The Commission also proposes to make it possible to collect and process sensitive data to train AI. However, a person whose data is processed can object and ask the AI provider to remove it from the dataset, unless this requires disproportionate effort. Again, this is common sense. If AI suppliers are prohibited from such processing, the Americans and the Chinese will do so, including on Europeans’ data.
Other modifications are proposed to qualify the GDPR. For example, if a person whose data is collected requests excessive information regarding this collection, then the data controller may refuse to comply with their request. Today there are a lot of people who spend their lives making excessive requests for access rights, rectifications, etc. This therefore makes it possible to stop abuses and rebalance things.
Does the Digital Omnibus propose to modify the institutional organization of the GDPR?
Yes. Under the current GDPR, the entity that suffers a data breach must notify the National Commission for Information Technology and Liberties (Cnil) within 72 hours. Now, the commission is proposing 96 hours. Also, if this project is validated by the European Parliament, it is no longer the CNIL which will have to be informed, but the National Information Systems Security Agency. Finally, the Commission proposes to provide the European data protection board, the body which brings together all national data protection authorities, with more powers to harmonize the application of the GDPR across the EU.
Does the Digital Omnibus propose to strengthen certain rights of Europeans?
Yes, there is an important change which concerns cookie banners. From now on, users will be able to indicate to the web browser their consent, refusal and preferences in one click and once and for all for cookie deposits.
The text contains another novelty which is a real earthquake. From now on, the storage of personal data or access to personal data already stored, in a user’s terminal, is only authorized when the person has given explicit consent. However, the online press is exempt from this new obligation.
