Digital Omnibus package

On the 19th of November, the European Commission released the Digital Omnibus Proposal and the AI Omnibus Proposal, designed to reform and simplify digital rules and regulations in Europe.

This will have an impact on organisations across the EU.

What is an Omnibus?

An omnibus is an EU regulatory update that consolidates multiple legislative changes into a single package. Preparation can take months or years and involves stakeholder consultations, impact assessments, and internal reviews to identify necessary amendments.

It is important to remember that these two omnibuses are at the proposal stage and are not yet law. They must follow the EU's standard legislative process, which means going through review and negotiation by both the Parliament and the Council before adoption. This process typically takes 18 to 24 months, although an urgent procedure can shorten it to 12 to 18 months. Sometimes, certain parts of a proposal may be approved separately and take effect immediately.

The two omnibuses cover a range of regulations and directives; however, most businesses will be more concerned with the impact of the proposed changes to the GDPR and the AI Act.

Impact on the GDPR

Seen as the poster boy for data protection and privacy laws globally, the GDPR has been in force since 2018 following its enactment in 2016. Its impact and reach have been extensive; however, it is not free of criticism, much of which is addressed in the proposed changes. We find that these are the most impactful proposals:

  1. An update to the definition of personal data to give more clarity on pseudonymisation. Where an organisation does not have the means reasonably likely to be used to identify the individual, the GDPR will not apply. This is to be accompanied by criteria that can be used to assess whether the data can be used to identify someone or not.
  2. Managing subject access requests will become easier where the right of access is being abused for purposes other than the protection of the data subject's personal data. This will come as good news to many organisations. It provides additional clarity on when a refusal (or the charging of a fee) can be applied.
  3. Transparency obligations are updated, although in practice, these were already in place for many organisations. It involves reducing the obligations to inform data subjects where a controller has received the data from a third party. In addition, the obligations under Article 13, which mainly governs privacy notices, do not apply where basic processing takes place¹ that is not data-intensive and it is assumed that data subjects already have the information. This means that, for example, when someone signs up for a newsletter, organisations will no longer be required to provide them with a privacy notice unless the data is shared with other recipients.
  4. Breaches are getting a mini-overhaul to bring them in line with other EU-level notification requirements. This means extending the reporting timeline to 96 hours, from the current 72 hours, and requiring that the EDPB create a common template for breach notifications. In addition, a single entry point is to be established that will allow for coordinated breach reporting, in that an organisation that suffers an incident will only have to report in one location, as opposed to with multiple authorities, as is currently the case. Finally, the obligation to report will be narrowed to only those breaches that may result in a high risk to the rights and freedoms of the data subject.
  5. ePrivacy becomes officially squeezed into the GDPR with a brand new article that sets out the consent requirements for cookies and other similar tracking technologies. This means that consent and refusal must be easy for users, i.e., a single click. It also means that consent will no longer be needed where cookies are used for: first-party aggregated information about the usage of a website or other electronic service; the transmission of an electronic communication over an electronic communications network; a service explicitly requested by the user; or the security of a service or of the terminal equipment used for the provision of such a service.
  6. DPIAs are going to change. At the moment, many of the supervisory authorities have their own template, most of which are based on guidance from the EDPB plus their own national obligations; however, this is going to be replaced by a single DPIA template and methodology. This will increase standards of DPIAs across the board.
  7. One that covers both the Digital Omnibus and the AI Act Omnibus is the lawful basis for processing data to train AI models and the lawful basis for using special category data to test models for bias and unfairness. This offers more clarity to organisations involved in AI, and will assist DPOs in their assessment of such systems.

Impact on the AI Act

The AI Act is the world's first comprehensive AI regulation; however, it has not yet come into force (except for a small number of obligations). Due to the complexity and rapid advancement of the technology, and potentially a shortage of skills, some of the obligations on European institutions to provide guidance, codes of conduct, and other key information have been delayed. This is having a knock-on effect, evidenced by the delay in the enforcement of other key obligations under the Act.

Here are our main takeaways:

  • AI literacy is no longer an obligation for providers and deployers of AI systems and is now instead at the member state level. However, this does not mean that organisations should abandon their literacy programs; these are essential to enabling the organisation's adoption of AI.
  • The majority of requirements related to high-risk AI systems have been delayed to December 2027 for Annex III systems and August 2028 for Annex I systems. There is more uncertainty here, though, as it means other obligations will apply before then, such as transparency obligations under Article 50.
  • Most of the remaining changes relate either to the implementation of the AI Continent action plan or to governance (i.e., notifying bodies, the AI Board, etc.). This includes the introduction of Small and Medium Enterprises (SMEs) and Small and Mid-Cap Enterprises (SMCs) and provides more clarity on the obligations of the Commission and member states to support businesses.

There is a commitment to provide a range of guidance to help organisations comply with the Act, and to improve AI governance more generally:

  • Guidelines on the practical application of the high-risk classification.
  • Guidelines on the practical application of the transparency requirements under Article 50 AI Act.
  • Guidance on the reporting of serious incidents by providers of high-risk AI systems.
  • Guidelines on the practical application of the high-risk requirements.
  • Guidelines on the practical application of the obligations for providers and deployers of high-risk AI systems.
  • Guidelines with a template for the fundamental rights impact assessment.
  • Guidelines on the practical application of rules for responsibilities along the AI value chain.
  • Guidelines on the practical application of the provisions related to substantial modification.
  • Guidelines on the post-market monitoring of high-risk AI systems.
  • Guidelines on the elements of the quality management system that SMEs and SMCs may comply with in a simplified manner.
  • Guidelines on the AI Act’s interplay with other Union legislation, for example, joint guidelines of the Commission and European Data Protection Board on the interplay of the AI Act and EU data protection law, guidelines on the interplay between the AI Act and the Cyber Resilience Act, and guidelines on the interplay between the AI Act and the Machinery Regulation.
  • Guidelines on the competences and designation procedure for conformity assessment bodies to be designated under the AI Act.

Conclusion

While these are just proposals, it is unlikely that we will see much divergence from them; organisations can start preparing for them to come into play over the next few months. For the GDPR, most organisations will not feel a big change initially, with most of the changes being a tidying up of existing practices. The AI Act will have a similar impact, although it is fair to say that there are still many relevant questions about complying with the relevant obligations; the guidance cannot come quickly enough. However, most organisations, i.e., those that are not providers or deployers of high-risk AI, will feel little to no impact and should continue on their AI journeys as is.

¹ The actual wording is important here: “Paragraphs 1, 2 and 3 shall not apply where the personal data have been collected in the context of a clear and circumscribed relationship between data subjects and a controller exercising an activity that is not data-intensive and there are reasonable grounds to assume that the data subject already has the information”.
