A coalition of 127 civil society organizations and trade unions have banded together to oppose proposed changes that they warn could severely weaken EU data protection and privacy laws like GDPR.
In an open letter released this week, the groups expressed “serious alarm at the forthcoming EU Digital Omnibus proposals, part of a wide deregulation agenda. What is being presented as a ‘technical streamlining’ of EU digital laws is, in reality, an attempt to covertly dismantle Europe’s strongest protections against digital threats.
“These are the protections that keep everyone’s data safe, governments accountable, protect people from having artificial intelligence (AI) systems decide their life opportunities, and ultimately keep our societies free from unchecked surveillance,” the groups added.
Many of the same groups expressed concerns about the Digital Omnibus process earlier this year, but with a comprehensive proposal expected from the European Commission next week and reports that drafts of the legislation would significantly weaken GDPR and other privacy protections, the groups are stepping up their efforts.
GDPR, AI Rules Could Be Weakened in Digital Omnibus Process
Netzpolitik said that GDPR and other protections in several areas would be “significantly reduced to allow for greater data usage” under the Digital Omnibus proposals, including making it easier to train AI systems with personal data.
Online tracking and cookie restrictions would also be weakened. “Storing and reading non-essential cookies on users’ devices would no longer be permitted only with their consent,” Netzpolitik said. “Instead, the full range of legal bases offered by the GDPR would be opened up. This includes the legitimate interests of website operators and tracking companies. Users would then only have the option of opting out retroactively.”
Article 9 of the GDPR concerning special categories of data would also be targeted. Article 9 offers special protection for data that includes “ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership.” It also includes the processing of genetic data, biometric data for identification purposes, health data, and data about a person’s sex life or orientation.
“The Commission aims to define sensitive data more narrowly,” Netzpolitik said. “Only data that explicitly reveals the aforementioned information would then be afforded special protection. This means that if, for example, a person indicates their sexual orientation in a selection field, this would still be afforded special protection. However, if a data processor infers a person’s presumed sexual orientation based on perceived interests or characteristics, current restrictions would no longer apply.”
Protections for genetic and biometric data are more likely to remain unchanged “due to their unique and specific characteristics.”
Groups Decry ‘Rushed and Opaque’ Process
The 127 civil society groups and trade unions charged that the Digital Omnibus process “is being done under the radar, using rushed and opaque processes designed to avoid democratic oversight.”
The same approach has been used with other Omnibus proposals with damaging results, they said. “As a result, supposedly minimal changes under the guise of ‘simplification’ have already jeopardised Europe’s core social and environmental protections,” they said.
The Digital Omnibus, they said, will reportedly weaken “the only clear rule that stops companies and governments from constantly tracking what people do on their devices, part of the ePrivacy framework. This will make it a lot easier for those in power to control people’s phones, cars or smart homes, while also revealing sensitive information about where people go, and with whom.”
EU AI rules could also be weakened, the groups said, including guardrails to ensure “that AI is developed safely and without discrimination, as well as delaying key elements like penalties for selling dangerous AI systems.”
Currently, AI tools that could affect important decisions like whether people can obtain benefits must register in a public database. Under the proposed changes, they said, “those providing AI tools could unilaterally and secretly exempt themselves from all obligations – and neither the public nor authorities would know.”
“By recasting vital laws like the GDPR, ePrivacy, AI Act, DSA, DMA, Open Internet Regulation (DNA), Corporate Sustainability Due Diligence Directive and other crucial laws as ‘red tape’, the EU is giving in to powerful corporate and state actors who oppose the principles of a fair, safe and democratic digital landscape and who want to lower the bar of EU laws for their own benefit,” they charged.
They urged the European Commission to stop any attempts to reopen the GDPR, ePrivacy framework, AI Act and other “core digital rights protections.”