EU Digital Regulations Take Center Stage at Data Protection Conference

Organizers of a key European data protection conference in Brussels were surprised when their event was overshadowed by breaking news: the release of the EU's Digital Omnibus. This legislative package aims to simplify digital laws and reduce red tape for companies. As privacy experts gathered, news of the package spread rapidly, leading to intense discussions about its potential impact on the AI Act, GDPR, Data Act, and e-Privacy Directive. While officials were cautious, behind-the-scenes conversations indicated the omnibus was a significant development for businesses. Privacy activists expressed alarm over potential data protection erosion, while privacy lawyers welcomed a new definition of personal data within the GDPR. US Big Tech representatives reportedly saw it as a shift towards a more business-friendly privacy landscape. Attendees sought answers on whether the EU was acknowledging the limits of its expanding personal data definition and the high costs of GDPR compliance. However, regulators were reluctant to comment officially, as the legislative amendments still required approval from the European Parliament and EU governments. The package includes a proposal to delay obligations for "high-risk AI systems" under the AI Act until December 2227. A commission official clarified this delay would not hinder standardization. Joe Jones of the IAPP noted the proposals are "pro-business" but carry risks for the commission's authority if they fail. A major change is allowing AI systems to use "legitimate interest" for model training, while AdTech firms still require consent, meaning cookie banners will persist. Regulators also commented on omitted changes, with one expressing relief that a draft change to sensitive data treatment was dropped. However, concerns were raised about narrowing the definition of personal data, with calls for careful analysis to align with recent EU Court of Justice rulings. Jones predicted a prolonged battle over GDPR's future and the definition of personal data, with businesses advocating for deregulation and activists defending fundamental rights. The omnibus is seen as a first step in the commission's simplification drive, with further consultation planned. Initial reactions from regulators, including Dutch and Swedish authorities, stressed the need to carefully examine the far-reaching consequences of the proposed changes. The next IAPP data protection conference is expected to be dominated by continued discussions on the omnibus's impact.