For over six years, the General Data Protection Regulation (GDPR) has shaped the reality for European entrepreneurs. Although its foundations remain untouched, practice has shown that some provisions have become a source of legal uncertainty, and for many entrepreneurs – a difficult bureaucratic barrier to overcome. The European Commission, recognizing the scale of the challenges, presented the draft Digital Omnibus regulation. It should be emphasized that this is not an attempt to dismantle privacy protection, but an ambitious plan to adapt it to the requirements of a modern, digital economy.

Planned changes

One of the most anticipated changes is the clarification of the very definition of personal data. Over the years, the interpretation of what makes a person "identifiable" has become increasingly broad, covering almost every digital footprint. The Digital Omnibus, drawing on the latest rulings of the Court of Justice of the EU, introduces a key distinction – data will not be considered personal from the perspective of a given entity if that entity does not have means that are reasonably likely to be used to identify a person. This is a fundamental change in perspective. It means that the same set of information can be personal data for one entity, and for another – a collection of technical data not subject to GDPR. This approach removes a huge compliance burden from companies operating with anonymized and pseudonymized data, giving them the clarity they previously lacked.

Going a step further, the Commission proposes mechanisms to increase legal certainty in the area of anonymization techniques. Until now, entrepreneurs, especially startups and small businesses, have been operating in a certain vacuum, fearing whether their methods of personal data protection would be considered sufficient by supervisory authorities. The Digital Omnibus envisages the introduction of EU criteria and implementing acts that will specify concrete standards for considering data as non-personal. Although controllers will still bear ultimate responsibility, these new guidelines will become a safe haven for them, allowing for freer innovation without constant fear of sanctions.

The development of artificial intelligence and scientific research occupies a special place in the reform. Europe wants to become a technological leader, which requires access to vast data sets. The project clarifies that the training and operation of AI models can be based on the premise of the controller's "legitimate interest." Crucially, an exception is provided for so-called special categories of data that may appear in training sets residually, i.e., incidentally. If a company does not intentionally process such data and implements mechanisms for their removal, this process may be considered compliant with the law. Similar facilitations await the scientific sector – the new definition of scientific research and the presumption of compatibility with original purposes are intended to ensure that knowledge and technology develop much more freely in the Union.

What else will change?

The reform will also target a phenomenon that has become a nightmare for controllers – the abuse of the right of access to personal data. Article 15 of the GDPR, created to protect citizens, is now sometimes used as a blackmail tool in consumer or commercial disputes. The Digital Omnibus explicitly states that in cases of abusive requests, the controller may refuse to fulfill them or charge a fee. Additionally, the burden of proof to demonstrate that a request is excessive will be lowered, allowing businesses to manage their resources more efficiently and focus on genuinely serving the true needs of data subjects.

In the day-to-day operations of businesses, the simplification of information obligations will also be noticeable. The Commission recognized that overwhelming customers with hundreds of privacy policies and clauses in obvious and low-risk situations does more harm than good. If the customer relationship is clear and the processing is not intensive, the obligation to provide extensive clauses will be significantly limited. This aims to combat so-called "information fatigue" among citizens and reduce administrative costs for the smallest entities.

Finally, the project streamlines processes related to data breaches and Data Protection Impact Assessments (DPIAs). The current fragmentation is to be replaced by a single, EU-wide list of activities requiring DPIA. The threshold for reporting leaks to supervisory authorities will also change – it will be raised and harmonized with the threshold for notifying data subjects. The project assumes that only incidents posing a "high risk" will require reporting through a single, central reporting point.

Summary

In summary, the Digital Omnibus is an attempt to make the GDPR provisions more adapted to the realities of modern business. For companies, this could mean less bureaucracy, more tools to combat abuse, and most importantly – a clear legal framework for innovation in artificial intelligence. Although the path to adopting these changes is still ongoing, it is already clear that the direction taken by Brussels is a response to real market needs, striving for a balance between privacy protection and economic competitiveness.

Article prepared by Emilia Brzozowa, lawyer at ecommerce.legal