How the European Commission could transform the GDPR

Updated as of: 11 November 2025

The European Commission may amend the definition of personal data, ease data breach reporting burdens and introduce legitimate interest as a legal basis for AI training as a part of a controversial GDPR simplification package.


The commission’s draft regulatory proposals for the simplification of the EU digital rulebook, first reported on by MLex on 4 November, include key changes to the bloc’s longstanding data protection rules. If confirmed, the proposals are expected to be formally published as a part of the commission’s Digital Omnibus package on 19 November. 

The commission had earlier this year set out its plans to streamline the EU’s digital legislation as a part of a wider agenda to boost competitiveness in Europe, in line with recommendations set out in Mario Draghi’s landmark report. It said its digital omnibus package will include targeted modifications to the GDPR to cut compliance costs and provide legal certainty.

Among other aims, the commission highlighted an ambition to reduce reporting burdens by at least 25% for all companies and 35% for SMEs; it has since proposed changes to the GDPR’s application to small mid-cap companies. The commission on 16 September further opened a consultation to collect feedback on how to best approach simplifying data, AI and cybersecurity rules to create a more “innovation-friendly rulebook”.

The draft GDPR amendments include changes to the definition of personal data and special category data, a centralisation of data breach notification, and clarification on the application of the regulation to AI training and development. The commission noted that its targeted amendments address a “clear call” from stakeholders for streamlining the data acquis and consolidating the rules. 

“The changes contained in the leaked document go well beyond the simplification of the provision on the registry of processing activities previously announced by the commission,” Linklaters partner Guillaume Couneson told Lexology PRO. He noted that many of the changes, which touch on “core elements of the GDPR”, appear aimed at incorporating key decisions from the European Court of Justice, and to tackle well-known concerns with the implementation of the GDPR.

“While well-intentioned, the proposed changes will need to be carefully scrutinised and may require amendments to ensure that they do not trigger unintended consequences and result in new questions being raised, rather than old ones resolved,” Couneson added.

Privacy groups have already raised concerns that the proposals go beyond simplification, and instead amount to deregulation. 

In an open letter sent to the European Commission today, noyb, the Irish Council for Civil Liberties and European Digital Rights warned that the changes would significantly reduce established protections and potentially conflict with the EU Charter of Fundamental Rights. They noted that the introduction of substantial changes through Omnibus procedures – which compress parliamentary timelines and restrict scrutiny by MEPs – “risks bypassing democratic oversight” and weakens EU governance. 

Key proposals 

The European Commission suggests that the GDPR definition of personal data should take into account European Court of Justice case law to provide further clarity on when data subjects are considered identifiable.

It proposed clarifying that entities which do not have the means “reasonably likely” to be used to identify the natural person to whom the information relates are not considered to be processing personal data. Such data would not become personal for those entities only because potential subsequent recipients have the means to identify the data subject – such as by cross-checking with other data at their disposal.

The proposal also suggests only extending enhanced protection to personal data which “directly reveals” sensitive information about a specific data subject, such as their racial or ethnic origin, political opinion or health status. The commission noted that for most types of special categories of data listed under the current GDPR article 9(1), “there are no such significant risks where the personal data are not inherently sensitive but are only indirectly liable of revealing sensitive information, for example where an individual’s sexual orientation or health status can be inferred only by means of an intellectual operation involving comparison, cross-referencing, collation or deduction.” 

On AI training, the commission’s draft mulls allowing the processing of personal data in the context of developing and operating AI systems under the legal basis of legitimate interest. It says controllers would have to ensure all conditions of the legal basis are met, including conducting a balancing test to weigh whether their interests override those of data subjects whose data is processed.

“Perhaps most controversial is the proposal to allow companies to rely on legitimate interest to use personal data for AI training, subject to an opt-out,” said Fieldfisher partner Tim Van Canneyt. “This would clearly benefit AI developers, but whether EU citizens will accept this is another matter.”

Van Canneyt noted that when LinkedIn revealed similar plans to use personal data for AI training, users quickly circulated opt-out instructions, which he said could be viewed as “an early sign of resistance.”

Morrison Foerster partner Alex van der Wolk noted that it is likely that some proposals will not ultimately be adopted – “once the commission officially publishes, it will still have to go through the legislative process (before Parliament and Council) and will thus be subject to negotiation.”

Van der Wolk said he is “most optimistic about the AI provisions making into the final instrument as these don’t really change the regulatory requirements that much”. He noted that legitimate interest for AI training will still require a balancing test, meaning “data protection authorities will thus still have the power to evaluate the legitimacy on a case-by-case basis.”

The commission has further proposed adding “processing in the context of the development and operation of an AI system” under the list of permitted derogations from the prohibition on processing special category data under article 9. It noted that such protected data may residually exist in the training data sets for AI systems and that such an exception should be allowed “in order not to disproportionately hinder the development and operation of AI”.

Controllers would have to implement appropriate measures to try and avoid the processing of special categories of personal data and, once they identify any such data, effectively remove them from training datasets or AI models. “If removal of those data requires disproportionate effort, the controller shall in any event effectively protect without undue delay such data from being used to produce outputs, from being disclosed or otherwise made available to third parties,” it said.

Notably, the commission also suggests easing controllers’ data breach notification requirements to better facilitate compliance. The commission wants to extend the current 72-hour breach notification deadline to 96 hours, and create a “single entry point” that would receive reports and avoid duplicative reporting across national data regulators in cross-border cases. 

Another key provision would narrow subject access request rights. The GDPR currently allows controllers to charge a fee or issue refusals only when requests are manifestly unfounded or excessive, in particular because of their repetitive character.

The proposal suggests adding that such refusals can also take place where data subjects exploit the rights for purposes other than the protection of their data. It noted that such an abuse of the right of access could arise when data subjects intentionally seek a refusal in order to subsequently demand payment of compensation, or where data subjects make excessive use of this provision to cause harm to the controller.

Freshfields lawyers Christoph Werkmeister and John-Markus Maddaloni noted that the leaked proposals “mark only the beginning.”

“Given the attention already generated by the leaks, the negotiations on the Digital Omnibus proposals will likely intensify throughout 2026, and the final text may diverge significantly from the current drafts,” they said.