Agefi Luxembourg - December 2025

Continued page 1

Under the proposal, the threshold for notifying data protection authorities about personal data breaches would increase: only incidents that pose a high risk to individuals’ rights and freedoms would require reporting. The reporting window would be extended from 72 to 96 hours, and a standardized single reporting form would be introduced to streamline submissions.

e) Cookie consent reform

The Commission’s proposal tackles “consent fatigue” by moving and adapting cookie rules from the ePrivacy Directive into the GDPR. In practice, this means:

- Placing/using of cookies in relation to natural persons will be subject to the GDPR, which implies that a basis of lawfulness under the GDPR is necessary. Hence, the Digital Omnibus leaves it up to the data controllers to choose the adequate ground. This leads to some legal uncertainty, and consent may still be needed in many cases of non-essential cookies. In order to alleviate this legal uncertainty, it is foreseen that cases of low-risk deployment of non-essential cookies will be whitelisted and will not need consent (and thus could be based on legitimate interest).
- One click to accept or refuse all non-necessary cookies will be required (although already understood as a requirement by some national authorities).
- Cookie banners could eventually disappear as browsers and operating systems take over consent management, using standardized privacy settings that automatically communicate your choices to websites.
- Compliance with rules on cookies will be subject to the same sanctions as under the GDPR (including fines up to 4% of the organisation’s global turnover).

While this simplifies compliance, it raises privacy concerns: less upfront control for individuals and more reliance on post-hoc objections. Businesses, for their part, should prepare for:

- Revising cookie policies and consent flows.
- Assessing legitimate interest for tracking and profiling.
- Monitoring standards for automated consent signals.

f) Repeal of the P2B regulation

The so-called P2B (platform-to-business) Regulation (EU) 2019/1150 governing the practices of platforms towards their business customers, for example the Amazon marketplace towards the third-party vendors that are active on that platform, will be abolished. The Commission considers that competition law, as well as the Digital Services Act (DSA) and the Digital Markets Act (DMA), provide sufficient tools to tackle problematic practices of the platforms towards their business customers.

g) Integration of the Data Governance Act and the Open Data Directive into the Data Act - reduction of cloud switching obligations for SMEs

The Open Data Directive governing access to public sector data for reuse, complemented by the Data Governance Act (for special data such as personal and confidential data), will be integrated into the Data Act, which covers a wide array of other topics such as the access to IoT generated data and provisions on cloud switching. In relation to cloud switching, some obligations are watered down for SMEs and in case of custom-made cloud services.

h) AI and Data Processing

One of the most debated elements of the Digital Omnibus is the introduction of a new legal basis for AI-related data processing. Under this provision:

- AI training, testing, and validation can rely on legitimate interest rather than consent, provided that strict safeguards are in place (such as balancing tests, transparency, data minimization, and data subject rights).
- If removing special-category data (such as health or ethnicity information) would be “disproportionate,” processing may still occur under additional protective measures. These could include stronger encryption, limited access, and transparency obligations to reduce risks of misuse.

This raises critical questions:

- How would “disproportionate” be interpreted in practice?
- Could this open the door to profiling or bias risks if special-category data is used in AI models?
- What compliance strategies would businesses need to adopt to balance innovation with fundamental rights?

In any case, this change would entail that companies will need to develop structured frameworks for Legitimate Interest Assessments (LIA) tailored to AI processing.

i) SME Compliance Relief: GDPR record keeping and sanctions

Currently, under Article 30(5) GDPR, organizations with fewer than 250 employees are exempt from maintaining records of processing activities (RoPA) unless:

- The processing is likely to result in a risk to individuals’ rights and freedoms.
- The processing is not occasional.
- Special-category or criminal conviction data is involved.

The Digital Omnibus proposal significantly raises this threshold and introduces a risk-based approach:

- New threshold: The exemption will apply to organizations with fewer than 750 employees, provided they also meet financial criteria (annual turnover ≤ €150 million or balance sheet total ≤ €129 million).
- Risk-based condition: These organizations will only need to maintain RoPA if their processing activities are likely to result in a high risk to individuals’ rights and freedoms (as defined under Article 35 GDPR for DPIAs).

Under the proposal, many mid-sized companies that previously had to maintain detailed processing records would be exempt. Nevertheless, it is strongly recommended to start preparing internal guidelines to identify when processing activities could trigger a Data Protection Impact Assessment (DPIA) or fall outside the proposed exemption for high-risk processing. On a more general note, the Digital Omnibus foresees a more lenient regime on the sanction end, fully taking into account the principle of proportionality.

Bottom Line

The Digital Omnibus signals a clear move toward simplification and harmonization of EU digital regulations, aiming to reduce compliance burdens and address “consent fatigue.” However, critics warn that these changes could weaken core GDPR protections, particularly around sensitive data, profiling, and user control over tracking. For legal professionals, this means two things:

- Stay ahead of the curve: Even though the proposal is not yet law, businesses should begin assessing how these changes might affect their compliance frameworks.
- Future-proof compliance strategies: Develop risk-based approaches, update internal policies for legitimate interest assessments, and prepare for new reporting and consent mechanisms.

The legislative process is still ongoing, and the final text may evolve—but proactive planning now will help organizations adapt quickly when the rules take effect.

Vincent WELLENS, Avocat à la Cour, Ottavio COVOLO, Avocat à la Cour, Jill VAN OVERBEKE, Associate, NautaDutilh

Simplification of EU digital regulations: The Digital Omnibus
