The European Commission is gearing up to introduce a comprehensive overhaul of data protection regulations that could significantly reshape how personal data is handled across the European Union. This sweeping reform, organized under the “Digital Omnibus” initiative, aims to update the General Data Protection Regulation (GDPR) with new provisions impacting everything from internet tracking to the development of artificial intelligence systems. According to a draft obtained by German rights group Netzpolitik, the official unveiling of the proposal is scheduled for November 19th.
A Shift in Cookie Regulation
Among the key proposals is a new Article 88a in the GDPR concerning “the processing of personal data on and with terminal equipment.” This change proposes moving the regulation of cookies from the ePrivacy Directive directly into GDPR itself. Currently, Article 5(3) of the ePrivacy Directive requires explicit user consent before placing non-essential cookies. The European Commission argues that the dual functioning of ePrivacy and GDPR creates legal uncertainties, diverse enforcement regimes, and increased compliance costs.
The draft suggests allowing data processed through cookies and similar technologies for a closed list of “low-risk” purposes or based on any legitimate ground of the GDPR, including the “legitimate interest” of businesses. This marks a transition from an opt-in to an effective opt-out model, enabling default user tracking and shifting the onus onto the consumer to object actively.
The amendments include a technical restructuring of the consent mechanism. Under Article 88b, browsers or operating systems would automatically communicate user preferences for data consent, potentially eliminating the need for current pop-up banners. However, an exemption for media companies allows news outlets to continue demanding explicit consent, justified by the Commission as vital to “supporting the economic basis of journalism.”
Implications for Artificial Intelligence
Another critical section of the proposal concerns the training of AI systems. The draft explicitly states that training, testing, and validation of AI systems may be conducted on the premise of “legitimate interest,” subject to conditions such as data minimization, transparency, and the user’s unconditional right to object. The text emphasizes that data use for AI training should benefit both the data subject and society at large, citing examples such as detecting algorithmic biases and ensuring accuracy.
However, data protection lawyers caution that relying on “legitimate interest” might pave the way for extensive data collection and analysis without explicit consent, potentially undermining GDPR’s original goal. The proposal also includes limited allowances for processing special categories of sensitive data if included inadvertently in AI training datasets. Under scenarios where removing such fragments would demand “disproportionate effort,” companies are permitted to retain the data, provided protective measures are applied to prevent misuse or disclosure.
Reactions and Future Developments
European Digital Rights (EDRi) recently criticized the Commission’s approach, accusing it of weakening standards under the guise of combatting “cookie banner fatigue.” EDRi stressed that GDPR, ePrivacy, and the AI Regulation form the foundation of Europe’s “human-centric digital model.” The European Law Institute, in feedback dated October 14, acknowledged that limited GDPR updates might be justified but warned against any reduction in fundamental rights protection.
EDRi also denounced the consultation process as “inherently exclusive” and primarily catering to industry demands. Should the “Digital Omnibus” package be adopted as it stands, it is poised to radically transform data management practices in European businesses. It will reduce reliance on complex tracking consent systems, formalize AI training on personal data, while simultaneously relaxing some existing safeguards.
Illustration: Sora
