The Digital Omnibus proposed by the European Union, along with recent developments in the GDPR and the introduction of the AI Act, aims to modernize and harmonize digital regulations to address the challenges of an increasingly globalized digital market, where Artificial Intelligence (AI) is playing an ever-growing role. The European Commission’s proposal introduces major changes that directly impact companies operating in the EU, including U.S.-based companies with a presence in the region.
The proposal does not seek to impose more regulatory burdens but aims to simplify, update, and harmonize existing rules, particularly in the areas of data governance and the use of emerging technologies like AI. These changes are especially important for companies that rely on collecting and processing personal data and are using AI systems, due to new requirements for transparency, explainability, and accountability when using these technologies.
The Digital Omnibus and Its Impact on the GDPR
The Digital Omnibus introduces significant changes to the GDPR, aiming to align data protection rules with new technological realities, particularly in the use of AI. While the GDPR has been a cornerstone of data protection in Europe, rapid technological advancements, especially in AI, require adjustments to compliance practices. The Digital Omnibus not only clarifies but also refines several obligations, aiming for greater harmonization and increased transparency in data governance practices.
1. Refinement of Consent and Transparency Rules
Although the GDPR already requires businesses to obtain explicit consent for processing personal data, the Digital Omnibus refines these requirements, with a special focus on how companies using AI handle consent. The AI Act, currently under discussion, requires companies to provide clear explanations of how their AI technologies work and how automated decisions affect consumers.
For U.S. companies using AI, this means ensuring that algorithms and AI systems are transparent, with clear explanations about how data is used to train models and generate automated decisions. This is directly tied to the GDPR, as transparency is key to ensuring that user consent is informed and understandable, without ambiguity.
2. Corporate Responsibility and AI Governance
The Digital Omnibus also increases responsibility for companies using AI, particularly in the case of automated decisions. Businesses using AI in critical areas like credit, insurance, or hiring need to provide not just detailed explanations of their algorithms, but also clear justifications for how those decisions are made, as outlined in both the GDPR and the AI Act.
The impact for U.S. companies will be significant. They’ll need to ensure that their AI processes meet the new requirements for responsibility and governance, including explainability of AI decisions and providing consumers with resources to challenge automated decisions that affect their rights, such as credit decisions, personalized offers, or any other consumer interaction.
3. Data Security and AI: Enhanced Protection
The Digital Omnibus doesn’t change the core data security obligations under the GDPR, but it does emphasize data security as a priority in today’s increasingly digital world. The use of AI on digital platforms that process personal data increases the need for protection against fraud, cyberattacks, and other types of data breaches. The proposal strengthens the obligation to ensure security throughout the lifecycle of personal data, from collection to deletion, with special attention to data processed by AI.
For U.S. companies operating with AI, it’s crucial to ensure that their AI systems and models comply with the GDPR’s security standards, implementing security measures and rigorously controlling data access. Transparency in security processes and regular audits will be vital to ensure compliance with the Digital Omnibus and avoid significant penalties for data breaches.
4. AI Governance: Transparency and Explainability
The AI Act, along with the Digital Omnibus, broadens the obligations for transparency and explainability of AI technologies. While the GDPR already requires that consumers be informed about how their data is used, the Digital Omnibus goes further, particularly in relation to automated decisions. Companies using AI must ensure that consumers understand the logic behind automated decisions and the data that influences these processes.
For U.S. companies, the impact is clear: they’ll need to put significant effort into making sure that their AI systems are explainable in an accessible way, especially when those systems are directly involved in decisions that affect consumer rights. The need for algorithmic explainability and access to challenge automated decisions will be one of the biggest hurdles to overcome.
5. Increased Transparency of Personal Data and AI Decisions
The Digital Omnibus strengthens transparency rules, ensuring that consumers have clear information about how their data is collected, processed, and used, especially when AI is involved. Transparency around AI use must be explicit, and businesses must ensure that consumers know how their interactions with digital platforms are being influenced by algorithms.
Companies using AI on digital platforms will need to update their privacy policies and terms of service to make sure consumers are properly informed about how their data is being used by AI. This not only ensures GDPR compliance but also safeguards consumer rights in the context of technologies that might otherwise seem opaque or intrusive.
6. International Data Transfers: Clear Rules for AI and Data Protection
While the GDPR already requires clear rules for international data transfers, the Digital Omnibus strengthens these obligations, particularly when personal data is processed by AI systems. U.S. companies that transfer data to the U.S. or other regions will need to ensure that adequate legal mechanisms, such as standard contractual clauses, are in place to protect data privacy.
This directly impacts companies relying on cloud services or AI solutions provided outside the EU. They’ll need to ensure that international data transfers involving consumer data comply with legal data protection guarantees, particularly when AI technologies are involved.
7. Sanctions and Fines: Implications for AI Use
Although the Digital Omnibus doesn’t drastically alter the sanctions under the GDPR, it strengthens enforcement and penalty application, particularly regarding the use of AI. Companies that fail to provide transparency in automated decisions or that don’t implement mechanisms for contesting automated decisions may face heavy fines.
How to Prepare for the Digital Omnibus and AI Act
U.S. companies operating in Europe need to take the following steps to adapt to the Digital Omnibus and the GDPR and AI Act:
1. AI Compliance Audits: Conduct audits to ensure that AI systems are explainable and comply with the required transparency and accountability standards.
2. Review Privacy Policies and Consent: Update privacy policies to ensure that consumers are properly informed about how their data is collected, processed, and used by AI.
3. Implement AI Governance: Set up AI governance processes to ensure that automated decisions are transparent, auditable, and reviewable, providing consumers with access to challenge harmful automated decisions.
4. Strengthen Security Practices: Invest in cybersecurity and data protection to ensure security practices meet GDPR and Digital Omnibus standards to protect consumer data.
5. Train Internal Teams: Train teams responsible for data governance and AI development to ensure they understand the new regulatory requirements and can implement them effectively.
Conclusion
The Digital Omnibus represent a significant evolution of digital regulations in the European Union, especially in terms of personal data protection and the use of Artificial Intelligence. For U.S. companies operating in Europe, these proposals will require careful adaptation to ensure compliance with the new rules. The key will be ensuring that AI systems are transparent, accountable, and secure, in line with both GDPR and new European regulations.
Talk to an expert with proven experience who can help you identify your company’s data privacy needs.
Taking the first step is important. Right from the beginning, the expert can help you identify what data privacy project would be the best for your company’s needs and what methodology should be applied, avoiding the risk of losing money and wasting time.
