EU listens to Nordic GDPR proposals, but several questions remain
The European Commission is rapidly proposing regulatory simplifications in the so-called Omnibus proposals. The digital omnibus is an important step towards a more modern and proportionate approach to data protection, but it falls short of the EU’s own simplification targets. The proposals include administrative relief, the use of pseudonymised personal data, exemptions for low-risk processing, and permitted use of sensitive personal data to improve AI training.
The Digital Omnibus proposal has brought renewed attention to GDPR, with data protection now being reviewed in the context of AI development and the EU’s weak competitiveness. A majority of the Nordic employer organisations’ proposals for simplification, clarification, and more effective regulation have been acknowledged — at least to some extent.
The Omnibus proposal clarifies that pseudonymised data are not always considered personal data for all actors. This means that information should not be treated as personal data for an actor who has no reasonable means of identifying the individual. This opens the door to more data processing that is highly necessary in today’s society, particularly for AI development. However, it is concerning that further processing of personal data is allowed for scientific research, but not for corporate R&D. This does not support product and AI development in the desired way.
The processing of personal data in AI development and training has been widely debated. The European Commission now clarifies that legitimate interest can be relied upon, especially to improve representativeness and reduce bias, but no general relief for companies is introduced. A new legal basis for processing sensitive personal data for AI development is proposed, with requirements for additional safeguards, which aligns with the Nordic proposal.
The Omnibus proposal also clarifies when automated decisions under Article 22 GDPR are permitted. An important proposal concerns extended exemptions from information duties, although the scope could have gone further regarding indirect collection and low-risk processing. To prevent abuse and excessive requests for access to records, it is proposed that organisations may refuse or charge for requests from data subjects.
The work to anchor and, hopefully, implement the proposals is now beginning and expected to continue over the next year.
Fully in line with Nordic wishes, it is proposed that incident reporting requirements should apply only in cases of high risk, a standard template should be introduced, and the reporting deadline extended to 96 hours. A common reporting channel across several regulations (NIS2, GDPR, DORA, CER, eIDAS) is suggested, although not with shared content or deadlines, which would have provided real simplification.
Harmonisation of DPIA lists and templates is being introduced, with the EDPB tasked to develop common lists and templates.
A particularly welcome development is that cookie fatigue may finally be addressed through new GDPR rules on cookies and machine-readable consent.
But what remains unaddressed? The European Commission does not go far enough in its simplification proposals to meet its own targets of a 35% reduction in administrative burdens for SMEs and 25% for all companies. Much more risk-based change and reduced documentation requirements could have been proposed. Furthermore, simplification of third-country transfers, which currently imposes significant bureaucracy and costs on businesses, is missing. Hopes now rest on the Council and Parliament’s consideration of the proposals, as well as the upcoming fitness check of current regulations scheduled for 2026.
The work to anchor and, hopefully, implement the proposals is now beginning and expected to continue over the next year. The question remains whether the insights from the Draghi Report on the need for less bureaucracy and more digital regulation will survive the entire legislative process. Let’s hope they do, as the Nordic region’s competitiveness within the EU depends heavily on opportunities at the forefront of digitalisation.