The Digital Omnibus: What Managing Directors and Data Protection Officers Need to Know Now About the EU Legislative Reform 

European digital law has been undergoing constant change since the introduction of the General Data Protection Regulation (GDPR). With the AI Act, the Data Act, and additional regulatory frameworks, complexity has continued to increase. The European Commission has now launched a comprehensive legislative package that is intended to provide noticeable relief for companies without weakening the protection of fundamental rights. The focus is on the so-called “Digital Omnibus”, which aims to simplify existing rules. In this article, you will learn what you need to know about the new initiative of the European Commission. 

Part 1: The “Digital Omnibus”: Targeted Simplification of the GDPR 

The Digital Omnibus aims to make compliance easier, particularly for small and medium-sized enterprises (SMEs), and to eliminate existing regulatory overlaps. In the area of data protection law, some of the most notable changes currently under discussion include the following: 

1. Easing and extending reporting obligations in the event of data breaches 
The obligation to report personal data breaches under Art. 33 GDPR often represents a major challenge for companies, especially due to the short 72-hour deadline. The planned changes provide for significant relief: 

• Raising the reporting threshold: In the future, the obligation to notify supervisory authorities is intended to apply only if there is a “high risk” to the rights and freedoms of natural persons, instead of the previous standard of mere “risk.” 
• Extension of the reporting deadline: The reporting period is to be extended from 72 to 96 hours. 

These adjustments significantly reduce the immediate pressure on incident response teams and make it possible to focus resources more specifically on serious incidents. 

2. Strengthening legitimate interest for AI applications 

The use of artificial intelligence (AI) in business has increased rapidly, but the data protection legal basis has often been unclear, particularly when personal data is processed for training purposes. The Commission proposes explicitly recognizing AI development and AI operation as a legitimate interest within the meaning of the GDPR. This creates urgently needed legal certainty for companies that use and train AI-supported processes. 
New legal bases are also to be created for the processing of special categories of personal data for the development and testing of AI systems. 

3. Simplified handling of data subject rights 

A recurring problem in practice is manifestly unfounded or excessive requests from data subjects, such as repeated requests for access. In the future, controllers are to be permitted, in such cases, either to charge a fee or to refuse to comply with the request. The same is intended to apply if the request is made for “data protection purposes.” 
As things currently stand, however, the fundamental obligation to process data subject requests will not change. What these obligations include, and how you can respond to data subject requests at the push of a button, is shown in our blog posts on data subject rights management: "What are data subject rights? Meaning & overview" (PLANIT // PRIMA). 

4. Harmonization and single entry point 

The Digital Omnibus aims to eliminate duplicate structures and simplify processes for companies. 
The European Data Protection Board (EDPB) is to create EU-wide uniform lists for required data protection impact assessments (DPIAs). This is intended to end the currently fragmented practice and create greater clarity across Europe. 
For incidents under the GDPR, the NIS2 Directive, and the Digital Operational Resilience Act (DORA), a central reporting portal at ENISA (single entry point) is to be introduced to avoid multiple notifications (“report once, share many”). 

5. Abolition of the cookie banner? 

Another key point of the Digital Omnibus is the planned re-regulation of the handling of cookie banners and other terminal equipment information, which is to be anchored in the new Art. 88a GDPR. This change aims to reduce the complexity between the GDPR and national ePrivacy legislation (in Germany, the TDDDG) and to reduce so-called “consent fatigue.” Specifically, clearly defined, low-risk processing purposes – such as purely technical reach measurement for one’s own purposes or security functions – are to be exempt from the strict consent requirement in the future. 

In addition, the Commission aims to strengthen the acceptance of browser settings and “do-not-track” signals in order to establish a more user-friendly alternative to click-intensive cookie banners. One of the most important implications of Art. 88a GDPR is the introduction of an obligation for controllers to remember objections: if the processing of data on a terminal device is rejected once (for example via a browser setting or an objection), this rejection must be explicitly respected over a defined period of time. This is intended to prevent the endless reappearance of banners. It would enable companies to dispense with complex consent mechanisms for these specific applications and thus take a more pragmatic approach to digital communication, but it requires technical upgrades to reliably detect and comply with these user signals. 

Part 2: Amendments to the AI Act: Greater Practical Applicability 

The AI Regulation (AI Act) has already entered into force, but the Commission has recognized that adjustments are necessary to make its application more practical. The modifications of the so-called Digital Omnibus on AI focus on the high-risk area: 

1. Extension of deadlines and relief for high-risk systems 
The implementation of the complex requirements for high-risk AI systems is to be facilitated through extended deadlines until uniform standards are finalized. This is intended to give companies more time to meet the high requirements for accuracy, robustness, and transparency. 

2. Relief for small and medium-sized enterprises (SMEs) 
The proposals include targeted relief for SMEs in order to promote acceptance and innovation: 

• Simplified documentation: Easing of extensive documentation obligations. 
• Easier access to sandboxes: Improved access to so-called regulatory sandboxes. 
• Longer implementation periods: Extended deadlines for implementation. 

Conclusion and outlook 

The planned legislative changes are the clearest signals to date from Brussels that the phase of pure regulation is being replaced by a phase of pragmatic simplification and harmonization. While the innovations in the Digital Omnibus promise concrete relief with regard to reporting obligations and data subject rights, the adjustments to the AI Act lay the foundations for a more efficient and secure digital business environment. 
However, the European legislative process is still at an early stage. Whether the European Commission will be able to push its proposals through against the EU Council and Parliament remains to be seen. Until then, the following applies: clean data protection and AI documentation is mandatory and also helps with the transition to new legal bases. 

With PLANIT // PRIMA, your documentation is always up to date. Schedule a consultation now!
