
Research Team (Tsaaro)

The General Data Protection Regulation (GDPR) is facing calls for fundamental modification

Mar 3, 2026

Overview

The European Commission has proposed major amendments to the General Data Protection Regulation under its Digital Omnibus programme. The goal is to modernise data protection rules to fit the realities of artificial intelligence and digital innovation. The Commission believes this will simplify compliance, reduce burdens on smaller businesses, and make Europe more competitive in AI development.  

Changes in Definitions and Scope

A key part of the proposal is the revision of how personal and sensitive data are defined. Information would no longer automatically qualify as personal data merely because another organisation could identify the individual. Instead, a company could treat data as non-personal if it cannot reasonably identify the person using its own means. Sensitive data would also be restricted to material that directly reveals traits such as health condition or sexual orientation, and only if it relates to a known individual. Inferred data created through profiling or analysis would fall outside this category, a shift that many privacy advocates fear could allow more intrusive forms of data processing without adequate protection.

Legal Basis for AI Development and Processing

The draft introduces a new lawful ground for processing personal data when developing or running AI systems. This would fall under the legitimate interest clause, allowing companies to use data unless individual rights clearly outweigh that interest. The proposal also creates a narrow path for using sensitive data in AI projects, provided technical and organisational safeguards are applied. These changes aim to give developers more flexibility, but they also raise concerns about oversight and fairness in the growing use of automated systems. 

Individual Rights and Automated Decisions

The proposal would make it easier for data controllers to refuse or charge for access requests they believe are excessive or made in bad faith. Such narrowing of rights could reduce transparency and limit individuals’ ability to challenge unfair processing. The rules governing automated decision-making would also be relaxed. Businesses could rely more freely on AI tools to make decisions, including contractual ones, without needing to prove human involvement or that automation is the least intrusive method. This could expand the role of AI in routine decision-making, though at the cost of reduced human oversight. 

Reporting, Transparency and Oversight

The threshold for data breach reporting would rise so that only incidents likely to cause high risk to individuals must be reported. The reporting deadline would extend from 72 to 96 hours, giving companies more time to respond. Transparency requirements would be relaxed in cases where data use is straightforward and not intensive, on the assumption that users already understand how their information is being used. Oversight of data protection impact assessments would move from national authorities to the European Data Protection Board, which would set unified lists of high-risk processing operations. National regulators would still play a role through the creation of regulatory sandboxes, where companies can test new data-driven projects under supervision. 

Implications

If adopted, these reforms could change the landscape of data governance in Europe. The Commission argues that the amendments intend to strike a balance between innovation and protection, allowing companies to explore AI’s potential while maintaining essential safeguards. Critics fear that narrowing definitions and relaxing rights could chip away at the GDPR’s original spirit, making it harder for individuals to understand or control how their data is used. As the proposals are still under discussion, organisations operating in or serving the EU will need to monitor the debates closely, since the final law could significantly reshape how personal data is processed in the age of artificial intelligence. 

Source: https://ppc.land/european-commission-proposes-major-gdpr-changes-for-ai-and-data-processing/

News Of the Week

1. Major cyber attack attempt on an Indian municipal body highlights systemic risk

The Nagpur Municipal Corporation faced a major cyberattack on October 28 when its servers recorded over two thousand hacking attempts within a single day. The targeted systems included essential civic services such as property tax payments, water billing, and birth and death certificate records. Reports state that over 900 of the attacks were considered serious and over a thousand were considered major. Hackers attempted to take advantage of well-known flaws, such as the Apache Log4j vulnerability and security flaws in the Sonatype Nexus and Atlassian Confluence systems. 

There were also attempts to access sensitive system files such as “/etc/passwd”, which stores user account information on Linux servers. The corporation’s intrusion prevention system detected and blocked all of the malicious traffic, preventing any breach or data loss. The event does, however, draw attention to the increasing sophistication and regularity of cyberattacks directed at municipal organisations that handle substantial amounts of public data. Experts have advised the corporation to perform a thorough forensic audit, enhance network segmentation, and ensure that security fixes are routinely applied to all servers. The incident serves as a reminder that, in order to safeguard vital public infrastructure, even local government systems need strong cybersecurity protections, ongoing monitoring, and increased employee awareness.

Source: https://timesofindia.indiatimes.com/city/nagpur/cyberattack-storm-hits-nmc-over-2000-hacking-bids-on-servers-in-day/articleshow/125201764.cms 

2. Landmark decision: Pseudonymised Data not necessarily “Personal Data” under GDPR 

In its September 4, 2025, opinion (Case C-413/23 P), the Court of Justice of the European Union (CJEU) reaffirmed that under the General Data Protection Regulation (GDPR), pseudonymised data does not automatically qualify as “personal data.” The decisive factor is whether the recipient of that data can plausibly re-identify the individuals concerned, taking organisational, legal, and technological precautions into consideration. If the recipient does not have access to, or the means to obtain, additional information that would enable re-identification, the data is not covered by the GDPR for that recipient. The court emphasised that this is not a general exemption, noting that the data is still “personal” and subject to the GDPR if the recipient can identify persons (for instance through contracts or additional datasets).

Additionally, even when transferring pseudonymised data, the original controller is still required to uphold its GDPR obligations. This ruling gives organisations wider freedom to use pseudonymised data (for example, in analytics or AI training), provided they can show that the recipient cannot reasonably re-identify individuals. They must evaluate each situation individually, record their security measures, and amend data-sharing agreements as necessary.

Source: https://www.skadden.com/insights/publications/2025/11/in-a-landmark-decision-eu-court-clarifies?

3. Major Data Breach Exposes Chinese Cyber-Weapons and Global Espionage

A data breach at the Chinese security company Knownsec, reportedly linked to Beijing and the Chinese military, has exposed highly classified information. The breach, first reported by the Chinese infosec blog MXRN, allegedly compromised over 12,000 classified documents.

The trove reportedly offers a rare look into Chinese cyber capabilities, detailing state-owned cyber-weapons, internal hacking tools, and a global target list. Evidence of advanced Remote Access Trojans capable of penetrating Linux, Windows, macOS, iOS, and Android systems was also exposed. The Android malware reportedly has capabilities to extract data from popular Chinese messaging apps and Telegram. 

The leak also contained concrete evidence of espionage success, including a spreadsheet listing 80 overseas targets successfully attacked by Knownsec. Furthermore, massive data hauls stolen from foreign countries were part of the breach: 

  • 95GB of immigration data obtained from India. 

  • 3TB of call records stolen from South Korean telecom operator LG U Plus. 

  • 459GB of road planning data obtained from Taiwan. 

Some of the documents were briefly posted to GitHub before being removed. 

Source: https://www.theregister.com/2025/11/09/asia_tech_news_roundup/?utm_source=chatgpt.com 

We Help You to Grow Your Business Faster & Easier

Our Mission is to assist businesses in achieving compliance with data privacy, cybersecurity regulations & Responsible AI. We have worked with over 150+ Clients. Some of our key clients are Adani, Booking.com, NPCI, Godrej, DS Group, CRED, BharatPe, Aster DM, Vistara Airlines, Kotak Mahindra, Vodafone, Flipkart & more.


  • Comprehensive Compliance Support – From data privacy to Responsible AI, we cover it all.

  • Cybersecurity Expertise – Protect your business from evolving digital threats.

  • Proven Results – Trusted by top brands including Adani, CRED, and Flipkart.

  • Customized Solutions – Compliance strategies tailored to your business needs.

  • Global Standards – Align with GDPR, DPDP, and ISO frameworks seamlessly.

  • Efficient Implementation – Achieve compliance faster with expert guidance.

  • Trusted Advisory – Led by certified privacy and security professionals.
