Joint Opinion of EDBP and EDPS
European data protection authorities are closely examining proposed updates to digital regulations. The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) have jointly issued their opinion on the European Commission’s Digital Omnibus Proposal. This review signals potential shifts in how data protection laws are interpreted and enforced.
Navigating the Definition of Personal Data
A key point of contention centers on defining what constitutes “personal data.” The Digital Omnibus Proposal attempted to create an “actor-specific understanding,” based on a ruling in EDPS v Single Resolution Board (C-413/23 P). This proposed wording suggested information wouldn’t be considered personal data if the entity receiving it lacked the means to identify the individual.
However, the EDPB and EDPS argue this approach selectively interprets the Court of Justice of the European Union’s (CJEU) reasoning. They emphasize that the definition of personal data is fundamental to EU data protection law. The Joint Opinion points out that data can become personal when disclosed to anyone capable of identification, impacting both the recipient and the original disclosing entity.
‘Revenge’ Data Requests and User Rights
The Proposal also aimed to address “revenge” data subject access requests (DSARs) – requests potentially made with malicious intent. The EDPB and EDPS expressed caution, stating it’s problematic to link concepts like “abuse” or “revenge” to legitimate requests for data access. They maintain the right to access data isn’t solely for verifying legality, but can serve broader objectives.
Instead, the authorities recommend focusing on demonstrable abusive intent, like a clear intention to cause harm. They also oppose dismissing ‘overly broad’ requests outright, advocating for objective assessments and opportunities for clarification.
AI Development and Legitimate Interest
The Digital Omnibus Proposal recognised AI model development as a potential “legitimate interest.” The EDPB and EDPS insist this must adhere to strict requirements outlined in Art. 6 para. 1 lit. F GDPR, including a thorough balancing test.
They call for proactive and explicit information to data subjects regarding their right to object, especially given the challenges of removing data embedded in AI systems. Mitigating measures to justify legitimate interest must exceed standard transparency requirements.
Streamlining Breach Notifications
One element receiving support is the proposed increase in the notification threshold for data breaches. The Proposal suggested reporting only breaches likely to pose a “high risk” to individuals. The EDPB and EDPS believe this will reduce administrative burdens without significantly impacting data subject protection.
What’s Next?
The Joint Opinion indicates the Digital Omnibus Proposal will face rigorous debate. While simplification is a goal, core GDPR principles and safeguards are likely to remain central. It’s possible co-legislators will revise provisions related to the definition of personal data and the handling of DSARs. A final outcome could involve a compromise between the Commission’s proposals and the supervisory authorities’ concerns.
Frequently Asked Questions
What is the Digital Omnibus Proposal?
The Digital Omnibus Proposal is a set of proposed changes to EU digital regulations, including data protection laws.
What is the role of the EDPB and EDPS?
The EDPB and EDPS are European authorities responsible for data protection. They have issued a Joint Opinion on the Digital Omnibus Proposal, outlining their concerns and recommendations.
What impact could these changes have on organizations?
Organizations may need to maintain existing GDPR-based identifiability assessments and strengthen their data governance frameworks, particularly regarding AI development.
As these regulations evolve, how will organizations balance innovation with the need to protect individual data rights?