
Proposed EU Updates to GDPR


Expert insights from Adam Finlay, Partner, Head of Technology and Innovation Group, McCann FitzGerald LLP, on EU plans to simplify digital rules on GDPR.

As part of a broader EU simplification agenda, the European Commission has published proposed amendments to the GDPR. While the proposals do not go as far as many businesses might wish, they contain reasons to be somewhat cheerful regarding a reduction in the operational burden imposed by the GDPR.

Abuse of DSAR Rights

One of the biggest sources of frustration for businesses regarding the GDPR is the way in which data subject rights, and particularly the right of access, can be weaponised by individuals, especially in the context of disputes relating to more than data protection issues.

A key proposed change is that the circumstances in which an organisation may reject a data subject access request, or charge a fee for dealing with it, will be extended to include where the individual making the request is “abusing” the data access right for purposes other than the protection of their personal data.

Other Proposed Changes

Other significant proposed changes include the following:

  • Transparency: There will be no obligation to provide an individual with information regarding the processing of their personal data (e.g. in a data protection notice) if their data is collected and used by an organisation in circumstances where (a) the relationship is clear; (b) the organisation is doing something that is not data-intensive; and (c) there are reasonable grounds to assume that the individual already has the main information that might otherwise be required to be included in a data protection notice, subject to certain exceptions. This proposed change to transparency requirements is similar to one that formerly applied under the pre-GDPR regime, where it was unnecessary to provide information to an individual regarding the processing of their personal data where they already had that information.
  • Security Incident Notification: It is proposed that:
    • The threshold for the obligation to notify a data protection authority of the occurrence of a personal data breach will be raised, so that it will be the same as the threshold for the obligation to notify the affected individuals, i.e. notifying a DPA will be required where there is a “high risk” to the affected individuals.
    • The current 72-hour timeframe for notifying a data protection authority of a notifiable personal data breach will be extended to 96 hours.
    • Once a ‘single point of entry’ for notifying security incidents is established under the NIS2 Directive, notifiable personal data breaches may be notified to that single point of entry (rather than the current system whereby some multinational organisations might be required to make multiple notifications in respect of the same incident).
  • Definition of Personal Data: The definition of ‘personal data’ will be updated to reflect recent court decisions. In particular, the ‘relative’ concept of personal data (which envisages that data can be pseudonymised personal data in the hands of one organisation, while being anonymous data in the hands of another organisation) will be incorporated into the GDPR.
  • Training AI Systems and Models: There will be express recognition that organisations may rely on ‘legitimate interests’ as their legal basis for using personal data to train AI systems and models. In addition, the use of ‘special category personal data’ (e.g. personal data relating to health, racial or ethnic origin, sexual orientation, etc.) to train, test or validate AI systems or models will be permitted in specific circumstances, including that removing such data from the dataset used for training, testing or validation would involve disproportionate effort.
  • Interaction between the GDPR and ePrivacy Laws: The interaction between the GDPR and ePrivacy laws will be clarified, to simplify the legal requirements regarding matters such as the use of cookies.

It had been anticipated that the proposed amendments might include further changes that have not been included. For example, a leaked version of the proposed amendments included proposed changes to the concept of ‘special categories of personal data’, which have been dropped. Also, requests for SMEs to be made exempt from certain obligations have been rejected.

The publication of these proposed amendments (in the form of a draft regulation) is the first major step in the EU legislative process. There are a number of further steps to be navigated before the amendments are finalised and brought into effect. If they are adopted substantially in their current form, they are expected to result in welcome clarifications and fine-tuning of certain aspects of the GDPR but they will not introduce a major overhaul.

This article is the view of the author(s) and does not necessarily reflect IoD Ireland’s policy or position.

About the Author

Adam Finlay is a Partner, and Head of the Technology and Innovation Group at McCann FitzGerald LLP, and advises on a wide range of data protection, information technology, intellectual property, cyber security and outsourcing issues. His clients include international and domestic market leaders, innovative disruptors and regulatory bodies. He acts as trusted advisor to clients on all aspects of data protection and e-privacy law and compliance strategies, with a particular focus on providing sector specific and commercial advice. On the technology side, Adam drafts and negotiates outsourcing agreements, software licences, IT services agreements and transitional services agreements and advises on the legal issues attached to digital transformation projects, transacting online and dealing with consumers. He leads teams advising on some of the largest and most complex outsourcing projects in Ireland. He also advises on navigating existing and upcoming legal requirements and laws in relation to new and emerging technologies. Adam has particular expertise in the commercialisation of intellectual property. His work in this area includes drafting and negotiating assignments, licensing, collaboration, technology transfer, franchising, distribution, agency, sponsorship and naming rights agreements and advising on brand protection strategy, advertising and product placement. He is also a registered trade mark agent.
