Digital Omnibus: Challenges and uncertainties of the EU data protection reform for artificial intelligence
The European proposal aims to simplify the GDPR to support SMEs and digital innovation, but is meeting with resistance over definitions, legal bases and the management of cookies. Here’s why
On Monday, the Council approved the text of the Digital Omnibus on AI, which will introduce significant amendments to the framework of the European regulation on artificial intelligence as it progresses (starting with the postponement of the entry into force of the obligations for high-risk AI systems), the most important debate at the European institutions is still ongoing and concerns another proposal, known simply as Digital Omnibus. This is the proposed regulation aimed at introducing significant simplifications, particularly in the regulation of personal data, with a view to reducing the costs associated with regulatory compliance – especially for SMEs – and thereby strengthening Europe’s digital competitiveness. The proposal forms part of the wider debate on the economic impact of the GDPR. According to recent analyses, the GDPR is said to have had a negative impact on business profitability. Some estimates suggest an average reduction in profits of around 8.5 per cent for smaller firms.
The proposal has provoked mixed reactions, having been portrayed at times as a plan for deregulation disguised as simplification, and at other times as an insufficient recalibration of the regulatory framework. Last Friday, the Permanent Representatives Committee was due to give the green light to the text drawn up by the Council Presidency for subsequent negotiations with Parliament. In a sign of the deadlock, the item was removed from the meeting’s agenda and it will now be up to the Irish Council Presidency to take the work forward. Meanwhile, the European Parliament’s ITRE and LIBE committees have adopted their Draft Report. The interinstitutional negotiations therefore look set to be complex, and it is worth examining where the most significant points of tension lie.
The first issue concerns the definition of personal data. The Commission’s proposal sought to codify an approach to this concept, limiting the application of the GDPR solely to those entities actually capable of re-identifying the data subject, in line with the Court of Justice’s most recent rulings on pseudonymised data. The initiative was abandoned following a joint negative opinion from the European Data Protection Board and the European Data Protection Supervisor. The Council has taken an alternative approach, delegating to the European Data Protection Board the task of clarifying, through its guidelines, when data may be considered anonymised and therefore outside the scope of the GDPR.
The second area of discussion concerns the legal basis of legitimate interest for the processing of personal data in the development and use of artificial intelligence systems, which has already been recognised as applicable by numerous decisions of data protection authorities and by the European Committee. Here too, legal uncertainty acts as a brake on investment: without explicit recognition in the GDPR, businesses and their investors face a regulatory risk that their foreign competitors do not have to contend with. It is no coincidence that certain artificial intelligence features (ranging from training using European users’ data to applications integrated into major platforms) have been delayed or restricted in Europe compared with other markets, precisely because of the uncertainty surrounding the applicable regulatory framework. Although it had certain specific features, the Commission’s proposal aimed to expressly identify this legal basis within the GDPR. Such clarification may not be essential, but it would be useful in reinforcing the scope of the condition of lawfulness of processing. Yet, the text drafted by the Council Presidency relegates this codification to a mere recital, removing it from the body of the GDPR. Whilst this option certainly does not signify a return to an impractical consent-based approach, an explicit statement would have fostered greater legal certainty.
Finally, the third point under discussion concerns the future of cookies. The main point of contention is the proposal for a centralised consent-collection mechanism, managed at browser level rather than by individual websites. Combined with the ban on seeking consent for a period of six months, this solution could lead to an unintended consequence of the Digital Omnibus: driven by the intention to strengthen European digital competitiveness, it would likely end up undermining it. With a further distortion: shifting consent management to the browser level means entrusting control to the platforms, thereby strengthening the dominant position of those who already hold first-party data, to the detriment of European publishers and SMEs that rely on that advertising model for their livelihood. Whilst the ineffectiveness of cookie banners is well established, the proposed framework – recently called into question by the Council itself – does not appear to offer any significant benefits. Nor is the benefit to consumers clear: the reduction in banners is offset by the loss of free, ad-supported services and the risk that, with fewer trackable users, publishers will step up data extraction from those who have given their consent. The net effect on the end user remains, as things stand, undetermined.

