EU wants to weaken GDPR – for AI and cookie banners
The "digital omnibus" by the EU Commission would weaken data protection. This concerns cookies and AI system training.
Drafts by the EU Commission for the so-called Digital Omnibus and related extensive changes to the General Data Protection Regulation (GDPR) fuel critics' fears of a "clear-cutting" and a "massive trimming" of civil rights. With the extensive legislative package, the Brussels government institution primarily pursues the goal of simplifying digital regulations and thus reducing administrative effort and costs for companies. This is intended to strengthen Europe's competitiveness. However, indications are now increasing that this could come at the expense of existing data protection standards.
The biggest bone of contention in the regulation proposals published by Netzpolitik.org is the intended expansion of the application of "legitimate interest" from Article 6 GDPR as a legal basis for the processing of personal information. The GDPR only allows such processing if there is a legal basis for it. Legitimate interest is one such basis, but it requires a balancing of interests between the controller, such as a company, and the fundamental rights and freedoms of the data subjects.
The draft outlines extensive changes for online tracking and the use of cookies, which would further weaken the protection of user data, currently already perceived as insufficient. The focus is on the legal basis for storing and reading non-essential cookies on users' devices. Previously, EU laws such as the E-Privacy Directive have required explicit and informed consent from users via opt-in for this.
Old-new approach against cookie banner flood
The Commission's proposal would lift this strict consent requirement and instead open up the entire range of legal bases offered by the GDPR. This also includes the legitimate interest of website operators and tracking companies. This would allow tracking cookies to be stored and read based on corporate objectives. In this case, users would only have the option of a subsequent objection (opt-out), which would represent a significant shift in the burden of proof and the level of protection in favor of companies.
At the same time, the Commission wants to counteract the flood of cookie banners and the associated user consent fatigue. It envisions paving the way for automated and machine-readable specifications of individual preferences and their consideration by website providers as soon as corresponding standards are available. This is intended to function technically via signals sent from browsers or operating systems to websites, for example, which transmit the user's individual decision on accepting or rejecting cookies. Website operators would thus be obliged to automatically observe default settings.
A significant exception to this planned adjustment is to apply to media providers. The Commission intends to exempt them from the automated consideration of user settings "given the importance of independent journalism in a democratic society and in order not to undermine its economic basis." This would continue to allow news portals to require stricter consent rules to secure revenue from personalized advertising. The EU has been working on a relevant solution for years.
Touching the AI Act
At the same time, according to the papers, the Commission wants to enable the training of AI systems with personal data in the future based on the legitimate interests of tech corporations. This would also eliminate the need, currently often present, to obtain consent from data subjects and facilitate data consumption for the development of artificial intelligence. The EU data protection authorities warned last year: The much-invoked legitimate interest is not a panacea.
The executive body also brings "targeted simplification measures" into play, which are intended to ensure timely, smooth, and proportionate implementation of the AI Regulation. One concrete measure is the bundling of supervision over AI at the so-called AI Office. This is an authority directly attached to the Commission. Very large online platforms would primarily benefit from this centralized control structure, as their AI systems are considered particularly critical under the AI Act due to their reach and influence.
Protection of sensitive data weakened
The draft also provides for a significant redefinition of particularly sensitive data, which currently enjoys enhanced protection under Article 9 of the GDPR. The Commission argues that for most of the data types listed there, no significant risks to the fundamental rights of data subjects arise if they do not directly reveal sensitive information. The latter applies, for example, if a person's sexual orientation or health status can only be inferred through "an elaborate intellectual process" such as comparison, cross-referencing, or logical conclusions.
Even in situations where the sensitive information cannot be definitively attributed to a specific natural person, the Commission sees no significant risks. For this "indirectly sensitive data," the general protection of Articles 5 and 6 of the GDPR should therefore suffice, without the fundamental prohibition of processing in Article 9 having to apply.
"Nothing will remain of data protection"
In this sense, the scope of Article 9 is to be adjusted. In the future, enhanced protection will only cover data that directly relates to a specific data subject and directly reveals their ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health status, sex life, or sexual orientation. The particularly strict protection of genetic and biometric data, however, is to remain untouched due to their unique and specific characteristics.
The former Commission director and one of the GDPR founding fathers, Paul Nemitz, raises the alarm about the initiative: "Nothing will remain of data protection." In his opinion, the initiative would lead to "people's lives, expressed in personal data, being made the subject of general machine collection." He sees this as a violation of the EU Charter of Fundamental Rights. The Commission intends to present its final draft in mid-November.
(nen)