European Union data protection authorities have pushed back on several proposed changes to the General Data Protection Regulation (GDPR), urging lawmakers to implement significant safeguards around artificial intelligence, scientific research, and data breach notifications.
In a joint opinion, the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) provided detailed feedback on the European Commission’s proposed “Digital Omnibus Regulation,” signaling a cautious approach to modernizing the landmark privacy law.
The EDPB and EDPS, collectively referred to as the Authorities, published a joint opinion responding to a legislative proposal aimed at amending the GDPR. While agreeing in principle with some of the goals, such as reducing compliance burdens and clarifying rules, the Authorities rejected proposals they believe would weaken fundamental data protections. Specifically, they opposed narrowing the definition of personal data and rejected giving the European Commission new powers to decide when pseudonymized data is no longer considered personal.
The joint opinion addresses seven key areas of the proposed regulation, offering partial agreement contingent on significant amendments. The Authorities’ primary recommendations include:
- AI Development: While accepting that “legitimate interests” could be a legal basis for AI training, they insist this is possible under the current GDPR and requires stricter conditions, enhanced transparency, and a clear right for individuals to object. They support a narrow exception for processing special category data for AI training only when deletion is impossible and robust safeguards are in place.
- Scientific Research: The Authorities support a single EU-wide definition of “scientific research” but recommend it be more precise, focus on systematic and verifiable methods, and move commercial interests out of the core definition and into the recitals.
- Data Subject Rights: They cautiously support clarifying how to handle misuse of data access rights but warn that the term “abuse” should be based on objective bad faith, not a person’s motives. They oppose language that would treat broad requests as inherently excessive.
- Cookie Consent: The Authorities welcome efforts to reduce “consent fatigue” but call for stricter rules on new exceptions like audience measurement, clearer boundaries between the GDPR and the ePrivacy Directive, and explicit enforcement powers for regulators.
- Data Breach Notifications: They agree with raising the notification threshold to only “high risk” breaches and extending the reporting deadline from 72 to 96 hours. However, they strongly recommend that the EDPB, not the Commission, should control the breach notification template to ensure regulatory independence.
- DPIA Harmonization: The regulators support harmonizing the lists that determine when a Data Protection Impact Assessment (DPIA) is necessary but again insist the EDPB should prepare and approve these lists, not the Commission.
The joint opinion is a formal part of the EU’s legislative process. The EDPB and EDPS are providing their expert guidance to the European Parliament and Council as they begin to negotiate the final text of the Digital Omnibus Regulation. The Authorities’ stated goal is to ensure that any updates to the General Data Protection Regulation maintain its high standards for protecting individuals’ fundamental rights while adapting to new technological realities like the rapid development of AI.
The specific timeline for the legislative negotiations between the European Parliament, Council, and Commission remains fluid. It is also unclear how much weight the non-binding recommendations from the EDPB and EDPS will carry in the final compromise text of the regulation. The full extent of the initial proposed changes that the Authorities are reacting to was not detailed in their opinion.
The legislative process will now move forward with the European Parliament and Council establishing their respective positions on the proposed regulation. Rapporteurs have already been appointed in key parliamentary committees to lead the file. Once both bodies have adopted their positions, they will enter into “trilogue” negotiations with the Commission to finalize the law. The joint opinion from the EDPB and EDPS is expected to heavily influence these discussions.
For organizations operating within the EU, this is a critical legislative development to monitor. Key actions include:
- Follow the progress of the Digital Omnibus Regulation through the EU legislative process.
- Review internal data processing activities, particularly those involving AI model training and scientific research, against the potential changes highlighted by the Authorities.
- Assess current procedures for handling data subject access requests and data breach notifications, as these rules may soon be altered.
- Consult with data protection officers or legal counsel to understand the potential compliance impact of the proposed amendments.



