Wednesday, 17 December 2025

EU Digital Omnibus Bill – how will it change data, privacy and AI regulations?


The EU has published a new bill that would amend existing regulations covering data, privacy and AI, including the GDPR and the EU AI Act. This article looks at the changes and how they might affect organisations.

Changes affecting data 

The main EU laws covering data are the EU Data Act, the Open Data Directive and the Data Governance Act. These are designed to provide a framework for unlocking the value from data, which they do by, for example, giving users access to data and setting rules to prevent services and their users being locked into specific cloud services. 

The changes proposed will: 

  • Make the rules more coherent for public sector use and reuse
  • Add some narrow exemptions for some cloud services and smaller organisations
  • Permit data holders to refuse Internet of Things data sharing requests where there is a substantial risk of unlawful disclosure to third countries
  • Relax rules for data intermediaries, to clarify the conditions for portability and reuse.

Changes affecting data protection

The main laws covering data protection and cyber security are the General Data Protection Regulation (GDPR), the Network and Information Security Directive (NIS2), and the Cyber Resilience Act. These are designed to ensure that personal data is secured so that European citizens have confidence to interact with digital services, and to limit potential negative consequences such as reduced privacy. 

The changes proposed will: 

  • Change the definition of personal data to consider whether the relevant data controller can identify the individual
  • Change cookie rules, by requiring website operators to honour browser or operating system preference signals
  • Introduce a new EU portal run by ENISA to collect cyber breach reports, raising the reporting threshold and extending the reporting deadline to 96 hours
  • Allow controllers to refuse access requests if the request is not made for data protection purposes (though the burden of proof will sit with the controller, so this may be difficult to use in practice)
  • Remove the requirement for privacy notices in low risk situations where the information should be obvious to the individual
  • Change the DPIA process, including a new template to be issued by the EDPB
  • Adjust sandboxes and real-world testing to remove duplication.

Changes affecting AI

The main laws affecting AI are the GDPR and the EU AI Act. These are designed to ensure that AI developers consider the risks associated with the tools they build and mitigate unacceptably high risks. 

The changes proposed will: 

  • Introduce Legitimate Interest exceptions for AI development and operations
  • Allow sensitive data to be retained within AI datasets where removing it would be disproportionately difficult
  • Move responsibility for AI literacy from providers and deployers to the EU Commission and EU member states, while still requiring high risk system deployers to provide trained oversight
  • Add proportionality measures for smaller organisations
  • Delay the application of measures for high risk systems by up to 24 months, reflecting delays to guidance
  • Phase in synthetic content labelling until February 2027
  • Enhance the EU AI Office and give it central responsibility for enforcing against sensitive AI systems, coordinating obligations for systems built on the same general purpose model and carrying out pre-market testing for those systems.
