European Commission looks to deregulate data protection: what can SMEs anticipate?
On 19 November, the European Commission launched its “Digital Omnibus”, a legislative proposal that seeks to partially de-regulate the EU’s digital rulebook. One key law set to be revised is the General Data Protection Regulation (GDPR), the EU’s landmark data protection framework.
Faced with potentially missing out on the opportunities of AI innovation – which requires large datasets to train AI models – the European Commission has reversed course on data protection, seeking to reduce the compliance burden on businesses and stimulate the innovation environment.
While the proposed changes have been welcomed by industry voices in Europe, vocal opposition has been expressed by privacy activists, meaning that the Commission’s package is set to be heavily contested in the upcoming legislative negotiations.
What are the main changes?
One of the key changes proposed to the GDPR framework is the narrowing of the definition of personal data. Under the new text, data would fall outside the scope of the regulation if the businesses or controllers handling it cannot identify the person concerned. The text also suggests that pseudonymised data may not constitute personal data. In turn, this would lighten compliance costs for businesses by reducing the categories of data subjects that must be recorded under reporting and due diligence obligations.
Similarly, the framework for data breaches has been streamlined, with a single entry point for data breach notifications and cybersecurity incident reporting. Businesses handling personal data would only be required to notify breaches that present a high risk to individuals, while the reporting deadline has been extended from 72 hours to 96 hours.
While businesses may welcome the easing of data breach notification procedures, this should not be mistaken for a relaxation of enforcement or of the issuing of fines. The Commission notes that these amendments are designed to enhance data breach reporting, and regulators will likely continue to issue hefty fines to businesses that improperly handle data or fail to report breaches on time. The case of Vastaamo in Finland – where the psychotherapy service provider was fined EUR 608,000 in December 2021 by the Finnish regulator for not storing data correctly and for not reporting the breach on time – underlines that this enforcement is not limited to large multinationals.
Under the current GDPR, businesses have faced legal uncertainty regarding the lawful basis for data processing, often resorting to requesting the explicit consent of data subjects. The new text clarifies that, in the case of AI development and scientific research, legitimate interest can be used as a lawful basis, provided businesses’ interests do not override people’s fundamental rights. This is designed to give AI businesses access to the large-scale data collection necessary for scaling models.
Other changes to GDPR include a commitment by the Commission to implement an anti-leakage toolbox in Q2 2026 to protect personal data in international data transfers, and a merging of the GDPR and ePrivacy frameworks to reduce cookie banners. Interestingly, no changes were proposed regarding Data Protection Officers (DPOs).
Aside from GDPR, the Commission’s Digital Omnibus also proposes amendments to the EU AI Act, adopted last year. These include a delay to implementation until 2027 and reduced technical documentation requirements for SMEs.
What happens next?
The European Commission’s proposed GDPR revisions, which form part of the Digital Omnibus proposal, must now go through the ordinary EU legislative process. The European Parliament and Council of the EU will undertake concurrent negotiations on the proposal after which trilogue negotiations between the Commission, Council and Parliament will produce the final legislative text.
However, many of the parties in the Parliament have already voiced strong opposition to the Commission’s text. This criticism is echoed by prominent privacy activists such as Max Schrems, who contend that the Digital Omnibus would even go against the EU's Charter of Fundamental Rights. With this in mind, a litigation battle is possible, in addition to protracted legislative negotiations.
These complications mean that, in spite of the Commission’s aim of increasing regulatory certainty for businesses, uncertainty over policy outcomes persists. Businesses should stay tuned and closely follow developments.
Emmet Maginn, Partner at Caldwell & Robinson, commented:
“This is an issue that will be of interest to all our clients. Whilst many Irish SMEs will welcome any reduction in the regulatory burden imposed under GDPR that may flow from these proposed changes, they will nevertheless need to bear in mind that the main compliance requirements will remain in place. A matter of particular concern will be whether there is a shift in how robustly perceived non-reporting of breaches is going to be policed by national regulators going forward, should these changes come into effect.”
Author: Rory Gilliland, Brussels-based EU Policy Consultant