European Commission releases draft “Digital Omnibus”

What has happened?

The European Commission has finally released its draft for the so called “Digital Omnibus” which aims to reduce the regulatory burden for companies in Europe in particular for data-driven business. They achieve this by amending several important European “digital” acts such as the GDPR, Data Act or AI Act (see below for more details).

What specific changes may be expected?

The European Commission proposes to amend key digital regulation to provide companies with more freedom to operate in the European Union; in particular through the following proposed amendments:

Data Act

• Administrative burdens on providers of data processing services shall be reduced – in particular when it comes to the customer “switching” to a third-party service provider to reduce barriers to entry and competition
• The protection of trade secrets of affected data holders (who need to provide data to users of connected products and related services – and even third parties) shall be strengthened
• In general, regulatory obligations on so called “small mid-cap companies” (SMC) shall be reduced in order not to burden their business activities disproportionately

General Data Protection Regulation

• The definition of “personal data” is clarified in light of the latest judgments of the CJEU while in particular putting a stronger emphasis on the concept of pseudonymised data
• The scope of legal bases for the processing of personal data is expanded in particular by amending the legitimate interests of the controller (Art. 6 para. 1 lit. f GDPR) as well as specifically providing legal grounds for data usage for AI training purposes
• The facilitation of wide-ranging consent mechanisms in order to deal with browser cookies and comparable technologies adequately
• In general, the idea is to centralise and reduce notification obligations towards authority bodies such as under Art. 33 GDPR

AI Act

• The clarification of the provision on AI literacy within Art. 4 AI Act in order to avoid misinterpretation. The existing provision had led to a huge amount of new “training offers” – which were (wrongfully) said to be required by this regulation
• The introduction of further flexibility to the timeline until when the strict requirements towards high risk AI systems (e.g. within the MedTech sector) shall apply
• Again, SMCs will benefit from a reduced scope of obligations when developing or using AI tools
• For the purpose of bias detection and correction, the legal basis for data usage within AI training shall be extended even further in order to cover those activities and avoid frictions with the GDPR (see above)
• Also, in this regard there shall be specific authority guidance as well as a centralisation of authority surveillance and notification channels

What does this mean for companies providing data-driven services?

This recognition by the European legislator will be welcomed as an attempt to reduce the significant regulatory burdens on innovative data-driven business within the EU. The Commission has not hesitated to amend key digital regulation within this sector such as the definition of “personal data” or the lack of suitable legal bases under the GDPR. This may actually help data-driven businesses to develop and market their innovative services – and stop the EU from being left behind in this important sector.

However, it is yet to be seen how many of those proposals actually remain throughout the legislative procedure to come. Also, there may have been hopes for the Commission to go even further and demand more substantial easements– in particular in terms of other general GDPR restrictions which can hinder efficient and competitive digital services (e.g. limitation of purpose, data minimisation etc.) or severe requirements for “high risk” AI systems making progress in important sectors (such as MedTech) particularly hard to achieve.

What does this mean for companies outside the EU?

As we know, the data and AI industry is globalised.  Businesses operating outside the EU should watch these developments closely to assess the relative benefits of their country of establishment, the likely direction of regulatory travel outside the EU and the consequences of operating in the EU or using EU based data.

Overall, it is good to see that the intense, complex, and multilayered digital regulation within the EU will most likely become more streamlined and pragmatic – we will follow up closely on how much of the above finally makes it into statutory law.