Commentary on the Digital Omnibus: Can the EU manage the van Damme split?

Is the EU eroding the GDPR with the Digital Omnibus package, or merely simplifying excessive regulations? Dennis-Kenji Kipker sees the truth in the middle.


By Prof. Dennis-Kenji Kipker

The Digital Omnibus is polarizing: some warn that little will remain of European data protection in the end. Others wave it away, pointing out that Brussels is only concerned with simplification and reducing bureaucracy. One is alarmism and the other is mere appeasement, so a sober look at what the draft for new European data protection and digital law actually provides is worthwhile.

Dennis-Kenji Kipker is a professor of IT security law at Bremen University of Applied Sciences, where he works at the intersection of law and technology in information security and data protection.

Among other things, the Open Data Directive, the Regulation on the Free Flow of Non-Personal Data, the Data Governance Act, and the Data Act are to be bundled into a revised Data Act. The goal is understandable: fewer redundancies, lower compliance costs, especially for small and medium-sized enterprises, and a clearer structure of requirements. Given the previous fragmentation in European data law, with overlapping responsibilities and terminology that was not always clearly distinguished, such consolidation can indeed lead to greater clarity and legal certainty.

However, the price of this standardization lies in the details. The planned expansion of "legitimate interest" under Article 6 GDPR as a legal basis is particularly controversial. In the future, this broadly defined interest – at least according to the draft – should be sufficient to legitimize cookies and the training of AI models with personal data. This would be a break from the previous approach, under which explicit consent from the data subjects is often required. At the same time, pseudonymized data should no longer be considered personal data under data protection law.

At first glance, this seems consistent, as the ECJ has long focused on whether a specific entity can realistically be re-identified. In practice, however, this re-evaluation would significantly lower the threshold for processing personal data – with noticeably increased risks for the data subjects.

Data-driven methods already allow sensitive personal profiles to be derived with high accuracy from behavioral data and meta-information. If such data is no longer considered personal data in the future, and at the same time "legitimate interest" serves as a gateway for extensive AI training, the core of the GDPR is called into question: transparency, purpose limitation, data minimization, and real choices for individuals affected by data processing. The danger of de facto unbounded data processing and a weakening of informational self-determination is therefore by no means mere scaremongering.

At the same time, it would be an oversimplification to claim that the omnibus is purely a wrecking ball for data protection. It is at least positive that particularly problematic proposals from previous draft versions are no longer included. Originally, the definition of sensitive data under Article 9 GDPR was to be narrowed and limited to information that directly reveals sensitive characteristics.

Data from which, for example, health, political beliefs, or sexual orientation can only be indirectly inferred would thus have fallen out of special protection – an entry point for far-reaching profiling and new discrimination risks. The fact that this redefinition no longer appears in the official omnibus draft is an important corrective.

The proponents of the Digital Omnibus also have their arguments: innovation, especially in the field of AI, requires large amounts of data and clear rules that are as uniform as possible. Companies – especially start-ups from the European Union – rely on legal certainty and are currently struggling with a patchwork of different legal acts and interpretations that has grown over the years amid massive technological disruptions.

The attempt to harmonize terms, bundle obligations, and make digital processes more predictable is therefore not an attack on fundamental rights per se. First and foremost, it is an understandable project in organizational and economic-policy terms, one that also holds potential for technically securing our digital sovereignty in the EU.

The crucial question is therefore not whether innovation or data protection wins, but whether the two can be cleverly combined. A Digital Omnibus that reduces complexity, sharpens terms, and clearly defines technical and organizational minimum standards can even facilitate innovation, especially if it strengthens data-saving AI methods, privacy-by-design, and robust transparency mechanisms in line with European regulations and made in Europe. However, it becomes dangerous where simplification is bought by lowering protection standards without this being absolutely necessary for innovation.

Ultimately, political fine-tuning will determine how deeply the Digital Omnibus actually intervenes in the fabric of European data protection. It is neither certain that "nothing will remain of data protection," nor can we assume that everything will remain as it is in the end.

(axk)

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.