Protecting EU data and privacy rights in the Digital Omnibus

The EU’s simplification agenda is an opportunity to streamline processes, improve the application and enforcement of digital rules and make it easier for consumers to exercise their rights. However, simplification should not be a cover for deregulation. Despite earlier assurances, the EU's Digital Omnibus proposal on the GDPR goes far beyond “targeted modifications”.  Instead, it weakens longstanding consumer protections regarding data and privacy by reopening the General Data Protection Regulation (GDPR) and the ePrivacy Directive.

If implemented, these changes will make it more difficult for consumers to protect their data from unlawful processing and to challenge possible violations. Strong safeguards and clear definitions are essential to ensure that consumer rights are protected. Moreover, despite the claims that the present reform aims to increase European competitiveness, it actually risks undermining it. The proposal compromises the compliance efforts made by responsible businesses while favouring dominant companies who can consolidate their dominance of the EU market at the expense of European consumers, SMEs and startups. 

BEUC welcomes certain elements of the proposal, such as the Single-Entry-Point for incident reporting to improve information sharing and make enforcement more efficient. We also cautiously welcome the provision on browser signals to strengthen consumer consent. However, several aspects still require clarifications to ensure that both a high level of protection for consumers’ data and privacy rights and a regulatory level playing field for EU businesses remains in place. 

BEUC RECOMMENDATIONS

1. The unduly restriction the definition of personal data should be rejected.
2. The empowerment of the Commission via implementing acts to define the concept of personal data is disproportionate and should be rejected.
3. Reject the new definition of “scientific research” or, at the very least, clearly redefine it to avoid misuse.
4. The use of ‘legitimate interest’ for authorising AI systems to process data should not be allowed.
5. The processing of sensitive data for AI development should not be allowed.
6. The restrictions on consumers’ right to access data should be rejected.
7. The use of automated decision making should be allowed only when necessary.
8. Support the single-entry point for data breaches and similar incidents, provided it does not result in lower reporting requirements.
9. Ensure the requirement for consent remains applicable to cookies, and better clarify the applicable criteria for exceptions.
10. Support and clarify the new approach of introducing browsers signals into the GDPR.