What does the EU Council’s draft Presidency compromise text on the GDPR & ePrivacy Digital Omnibus tell us?
(1) The Council (for now) seems to recognise the need to clarify the concept of “personal data”. As a Recital 27a would provide:
“The identification of a natural person should be assessed *ex ante and in concreto*, considering the actual technical, organisational and legal capabilities of the controller.” (emphasis mine)
This echoes my calls for foreseeability and the dangers of overinterpreting the Scania judgment. *Actual* means of (re)identification are relevant, not *hypothetical* ones.
The draft continues to stress the need for EDPB Guidelines – more on that below.
(2) The bit about “scientific research” and the EDPB’s new Guidelines on that are (still) not 100% aligned, which could lead to some interesting changes to the EDPB’s Guidelines. Incidentally, though, those Guidelines raise the question of just how political the EDPB has become – issuing Guidelines on that topic in the middle of a political debate is noteworthy. Will the EDPB do the same with pseudonymisation in the coming weeks?
(3) On AI training & special categories of data, the notion of *intent* has crept in. I have long advocated for introducing intent in the assessment of the nature of processing – and now Recital 33 states that incidental processing of special categories of data for AI training is permitted if “the controller has not intended to process such data and has taken the appropriate technical and organisational measures to avoid such processing”.
(4) The Council’s views on the processing of biometric data for identification purposes appear to continue to mirror the EDPB’s own view expressed in the “facial recognition in airports” Opinion – one I find overly restrictive.
(5) On data subject right limitations and “abuse”, the draft text highlights various examples, notably “when the exercise of a right is made with the intention to adversely affect a judicial procedure” (a frequent occurrence in my experience).
(6) A new addition to the data protection by default rule (Art. 25(2) GDPR): “such measures shall ensure that by default personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons”.
(7) The Council draft introduces an obligation for supervisory authorities to update existing guidance, basically making Guidelines… binding upon them! Hello litigation & CJEU!
(8) Art. 5(3) of the ePrivacy Directive might finally get clearer exceptions. Plus, bye-bye “strict” necessity for the service exemption (opening the possibility to more than pure technical delivery).
(9) The “privacy signals” obligations would apply to browser providers + *all* providers of “other types of online interfaces allowing for the storing or gaining access to personal data in [terminal equipment]”. Yet the underlying problem remains – unless we accept universal purpose-driven consent.
Interesting times ahead.
Did this analysis get you thinking? Reach out!
DataLaws.net is entirely open-access, and instead of getting your data in exchange for this content, how about another trade? If this commentary saved you research time or sparked an idea, feel free to invite me over for tea, chai or a hot chocolate next time you are around Brussels or Antwerp - or invite me over to your offices for a chat!