
Europe’s data protection supervisors warn over plans to ‘narrow’ privacy rights

European data protection supervisors warn the European Commission against narrowing the privacy protections for personal data as it gears up for a swathe of data protection reforms.

Europe’s data protection supervisors have warned that proposals by the European Commission to reform privacy law by narrowing the definition of personal data could erode privacy rights for EU citizens.

The regulators said in a joint response with the European Data Protection Board that the proposed changes raise “significant concerns” and could adversely affect the level of protection for individuals’ personal data.

The warning comes as the European Commission presses ahead with proposals to reform a raft of EU data protection laws through a “Digital Omnibus” regulation which it says will simplify compliance for businesses and will boost EU competitiveness.

The European Data Protection Board and national European Data Protection Supervisors warned in a joint opinion that some of the proposed measures could damage the privacy rights of individuals, create legal uncertainty and make data protection law more difficult to apply.

The contested proposals include changes to the definition of personal data that would weaken privacy rights by allowing organisations to treat personal data as non-personal data if they processed it in a way that did not identify individuals.

Proposals 'go beyond' European law

Although the proposals had been welcomed by many data protection practitioners as a way to simplify compliance with data protection and privacy regulations, the regulators have sounded a warning bell.

They “strongly urge” legislators not to adopt the proposed changes to personal data, arguing that they “go far beyond a targeted or technical amendment” and go far beyond EU case law by “significantly narrowing the concept of personal data”.

The regulators also raise concerns about proposals that could water down individuals’ rights not to be subject to automatic decision-making by AI or software through a proposed “exhaustive list” of cases where automatic decision-making would be allowed.

Another proposal that would give the European Commission new powers to determine whether pseudonymized data should no longer be classed as personal data has also sparked calls for clarification.

The regulators warn that proposals to restrict the right of people to make subject access requests to people motivated by ‘data protection’ concerns are not compatible with EU law.

If implemented, this proposal is likely to exclude access requests made by journalists, academics or policy makers, for non-data protection purposes, such as journalistic or academic research.

They also call for the Commission to fine-tune proposals that would allow organisations to use special categories of data - including data on political opinions, religious beliefs, trade union membership, health and sexual orientation - when they are used in an “incidental” and “residual” way to train or use AI systems.

Reporting data breaches simplified

The EDPB and the data protection supervisors support many of the EU’s proposals, including plans to make reporting data breaches less painful for companies.

The European Commission proposes raising the threshold of risk before companies need to make a notification and extending the deadline to file a notification from 72 to 96 hours.

“This change is not expected to substantially affect the level of protection for data subjects but would significantly reduce the administrative burden for controllers, given that they would only have to notify data breaches that are likely to result in a high risk to the rights and freedoms of data subjects,” they said.

Another proposal to offer alternative ways for people to consent to cookies to avoid “consent fatigue” and a “proliferation of cookie banners,” for example by consenting to cookies once on a particular computer, has also been welcomed.

However, the regulators remain concerned about the proposed changes to the definition of personal data.

The European Data Protection Supervisor, Wojciech Wiewiórowski, said, “These changes are not in line with the Court’s case law and would significantly narrow the concept of personal data.”

Anu Talus, chair of the European Data Protection Board, said any changes to EU data protection law must bring legal certainty while maintaining a high level of protection of individual rights and freedoms.

“We strongly urge the co-legislators not to adopt the proposed changes to the definition of personal data. These changes are not in line with the Court’s case law and would significantly narrow the concept of personal data,” she added.

Isabelle Roccia, managing director for Europe for IAPP, a professional association with 90,000 members, said that privacy and data protection professionals were in favour of the EU’s proposals.

“The Commission proposal to narrow the scope of personal data definition was welcomed by many practitioners as a sign of pragmatism in the interpretation of the GDPR. If adopted, it would have consequential impact in easing many friction points across contractual obligations and data transfer rules among others,” she said.

“With this joint opinion, EDPS and EDPB are signaling that they want to preserve the conservative and data-subject-first approach they have established in the past decade,” she added.

She said that business leaders would also welcome legal certainty around the legal basis for when developers can use “legitimate interest” to process personal data to train AI models.

Commission proposals benefit US big tech 

The campaign group, noyb, said that the “Digital Omnibus” proposed sweeping changes to the GDPR and the ePrivacy Directive that were disguised as simplification measures.

The group claims that the changes would not help EU businesses that have to complete “useless” paperwork to comply with data protection laws, but would mainly be useful to big US tech companies.

Max Schrems, privacy lawyer and honorary chair of noyb, said, “the independent authorities have called out key changes for what they are: neither ‘technical change’ nor ‘simplification’, but limitations of the right to data protection for EU residents”.
