Privacy activists warn proposed EU privacy law changes could breach case law and let Big Tech exploit Europeans’ data for AI training, undermining GDPR
The European Commission's planned revisions are part of an effort to streamline a number of recent legislation pertaining to technology, the environment, and finance, which have been met with resistance from businesses and the US government.
On November 19, EU antitrust chief Henna Virkkunen will introduce the Digital Omnibus, which consists of ideas to reduce red tape and redundant laws including the Data Act, the Artificial Intelligence Act, the General Data Protection Regulation, and the e-Privacy Directive.
The plans allow Google, Meta Platforms, OpenAI, and other tech companies to train AI models based on legitimate interest by using the personal data of Europeans.
"The draft Digital Omnibus proposes countless changes to many different articles of the GDPR. In combination this amounts to a death by a thousand cuts,"
Austrian privacy group noyb said in a statement.
Noyb is well-known for bringing allegations against US corporations including Apple, Alphabet, and Meta, which have led to multiple probes and fines totaling billions of dollars.
"This would be a massive downgrading of Europeans' privacy 10 years after the GDPR was adopted,"
noyb's Max Schrems said.
A plan to incorporate the ePrivacy Directive also referred to as the cookie law into the GDPR, which led to the spread of cookie consent pop-ups, was criticized by European Digital Rights, an association of civil and human rights organizations throughout Europe.
"These proposals would change how the EU protects what happens inside your phone, computer and connected devices,"
EDRi policy advisor Itxaso Dominguez de Olazabal wrote in a LinkedIn post.
Before the suggestions could be put into effect, they would need
to be discussed with EU member states and the European Parliament in the
upcoming months.
How would the changes affect consent and lawful basis for data
processing?
The proposed changes to EU sequestration laws could significantly affect the conditions around concurrence and the legal base for processing data.
Presently under GDPR, concurrence must be unequivocal, specific, informed, and freely given for data processing conditioning, with individualities having the right to withdraw concurrence at any time. Organizations must choose and validate a legal base for processing (e.g., concurrence, licit interest, contractual necessity) before beginning data conditioning and can not simply switch bases retrospectively without potentially violating fairness, translucency, and responsibility conditions.
The developments being proposed may loosen these precise concurrence conditions by allowing broader immunity, similar as processing grounded on "licit interest," security needs, or fraud discovery, without inescapably taking unequivocal and informed concurrence each time.