OPINION

Notes from the IAPP Europe: Digital Omnibus package developments, end to voluntary CSAM detection and more

Trilogue negotiations will conclude in the coming months on the Digital Omnibus on AI ahead of the AI Act's August application, while the expiration of the CSAM scanning derogation could create a legal gap.


Contributors:

Laura Pliauškaitė

European Operations Coordinator

IAPP

Editor's note

The IAPP is policy neutral. We publish contributed opinion pieces to enable our members to hear a broad spectrum of views in our domains. 

March ends with the beginning of the next stage in the legislative process for the European Commission's Digital Omnibus on AI, part of the broader digital simplification package. With Parliament's adoption of its report and negotiating position on the file during its latest plenary meeting, interinstitutional negotiations with the European Council are about to kick off. 

It is expected that the trilogues will conclude in the next couple of months, with Parliament's vote on its political agreement with the Council sometime in June. This timeline is speedier than the EU's typical lawmaking process, but it is necessary in order to finalize the law before the EU Artificial Intelligence Act's full application on 2 Aug.

The wheels of the data counterpart to the AI Omnibus — the Digital Omnibus — are turning more slowly. It is not yet known when the rapporteurs will publish their reports on this file or what the Council's stance is, but discussions on its contents are ongoing. MLex reports the proposed single-entry-point mechanism for cybersecurity incident reporting has not been received with much enthusiasm in several EU member states. They express the need for better alignment between current national and EU laws before proceeding to set up such a mechanism.

While talks between Parliament and the Council are just about to start on the Digital Omnibus on AI, interinstitutional discussions on a different file ended almost as soon as they started. European co-legislators met in mid-March to discuss the proposal to extend the current derogation from the e-Privacy Directive that allows online service providers to voluntarily scan their platforms for child sexual abuse material to help prevent its dissemination. With no agreement reached, it was concluded the derogation will not be extended further. 

The current derogation, set to expire 3 April, was adopted in 2021 and already extended once in 2024 as the Council struggled to reach a common position on the proposal for permanent rules. Since negotiations on the regulation establishing permanent measures for CSAM detection are still ongoing, many believe the approaching expiration of the temporary derogation would result in a legal vacuum. In a last attempt to prevent this legal gap, Parliament held a recent vote to extend the current derogation in its existing form, but it was rejected.

Several significant developments took place in the Court of Justice of the European Union 19 March. The court ruled that a company can refuse a data subject access request if the request is abusive, meaning when it is made with the sole purpose of falsely triggering EU General Data Protection Regulation compensation. The court determined the data subject must prove the existence of damage to receive compensation and that no compensation would be awarded if damage was caused by the data subject's own conduct. This case is explored in detail in a recent IAPP article by Digiphile Partner Victoria Hordern, AIGP, CIPP/E, CIPT.

Abusive data subject access requests are also addressed in the Digital Omnibus proposal, where the Commission suggests such requests could be rejected, or an appropriate fee could be charged when "the data subjects abuse them for purposes other than the protection of their data." 

The court also delivered judgment on a case concerning biometric data collection by police in France. It ruled police can collect biometric data, such as fingerprints and photographs, in criminal investigations only if it is strictly necessary and appropriate safeguards are in place. The court clarified that systematic collection of biometric data of anyone suspected of a crime without individual justification is a breach of EU law. 

Lastly, CJEU Advocate General Tamara Ćapeta concluded in a case concerning an Estonian telecommunications provider that EU member states can exclude telecommunications equipment from their networks on national security grounds. This is an interesting development in the wider context of the ongoing European sovereignty discussion. While the advocate general's opinion is distinct from a judgment of the court and is not binding, the court's judgments are often consistent with such opinions.

On the other side of the English Channel, the U.K. Information Commissioner's Office published updated guidance on the use of the recognized legitimate interest lawful basis for personal data processing as introduced by the U.K. Data (Use and Access) Act, which was adopted last year. Unlike the general legitimate interest lawful basis under the U.K. GDPR, this basis has a narrower scope, as it can only be used when personal data processing is needed for five specific public interest scenarios. Also, no legitimate interest assessment is needed to use this newly introduced lawful basis, but a necessity test is still needed and compliance with the rest of the U.K. GDPR requirements must still be ensured.

This article originally appeared in the Europe Data Protection Digest, a free weekly IAPP newsletter. Subscriptions to this and other IAPP newsletters can be found here.


Tags:

AI and machine learning, EU AI Act, GDPR, AI governance
