In this episode of the Privacy Partnership Podcast, Rob walks you through the most important aspects of the proposed Digital Omnibus Regulation.

 • A new Article 88c states that processing of personal data for the development and operation of AI systems may be pursued for legitimate interests (p85).

• A new condition under Article 9 allows the processing of special category data for AI training if state-of-the-art security is used and the data is subsequently removed or anonymised (p79).

• Article 4 is amended to clarify that information is not personal data for a given person if they do not have the means "reasonably likely to be used" to identify an individual (p78-79).

• The threshold for notifying a DPA about a data breach would be raised to "high risk," the deadline would be extended to 96 hours, and there would be a new Single Entry Point for breach reporting (p81).

• Article 12 is amended to allow controllers to refuse a data subject rights request where the data subject "abuses the rights conferred by (the GDPR) for purposes other than the protection of their data" (p80).

• ePrivacy rules are absorbed into new GDPR Articles 88a and 88b, introducing a 6-month "cookie fatigue" period and mandating respect for automated browser signals (p83-84).

• There are new rules about automated browser signals with a specific exemption for "media service providers" (p84).

• A new Article 9 derogation permits processing biometric data for verification (authentication) purposes if the data remains under the sole control of the data subject (p79).