The Commission's Omnibus IV package specifically proposes a definition of small mid-cap companies (SMCs), which includes companies with fewer than 750 employees, a turnover of less than €150 million and a balance sheet total of less than €129 million. Parallel to a recommendation on the SMC definition, the Commission wants to amend eight existing EU legislative acts, including the General Data Protection Regulation (GDPR). Overall, the Commission expects the deregulation measures in the Omnibus IV package to generate annual savings of €400 million for businesses. The request for introducing an SMC definition was made in the report by Mario Draghi on the future of European competitiveness in September 2024, who had argued that EU regulation places a disproportionate burden on small and medium-sized enterprises (SMEs) and SMCs compared to larger companies.

The Commission has conducted a consultation on the Omnibus IV package until 25 August, in which AK has also participated with fundamental comments and a statement on the GDPR. AK opposes any further de facto broadening of the definition of SMEs by adding the new SMC definition. It appears that this new category in the Omnibus IV package is intended to enable dismantling legislation without a comprehensive impact assessment. In particular in Austria, with its predominantly SME structure, this approach is also running the risk of disadvantaging small businesses (including one-person businesses) compared to large companies.

Amendment to the GDPR – additional exemption for SMC

The Commission's Omnibus IV package specifically proposes an amendment to the General Data Protection Regulation. The amendment concerns the maintenance of a processing register – a document that provides an overview of all data processing operations within a company. Under the Commission's proposal, in future there will be an exemption not only for SMEs (up to 250 employees), as has been the case to date, but also for SMCs, provided that their data processing does not pose a ‘high risk’ to the rights and freedoms of data subjects. In effect, this would extend the scope of the exemption to around 99% of all companies in the EU. The proposed changes are justified by potential savings of €66 million for companies.

From AK’s perspective, not maintaining a processing directory represents a significant data protection erosion, as there is concern that businesses will no longer be able to properly fulfil their information obligations toward data subjects. As a consequence, companies may fail to implement any data protection measures or implement incorrect ones, as they no longer have an overview of all their processing activities. Without a processing directory, it is also no longer possible for supervisory authorities to exercise unrestricted control and enforce the law. The provision in the Omnibus IV proposal that companies themselves can reliably differentiate between ‘high’ and ‘very high’ risk also does not appear to be practicable.

The fundamental right to data protection versus potential savings for businesses

Overall, maintaining a processing directory is often the first and only reason companies address the issue of data protection and develop a data protection strategy. Especially in times of increased use of AI applications, the issue of data protection has become a higher priority: the now proposed dual approach to risk classification under the AI Act and the Omnibus IV proposal raises concerns that companies will classify their AI as risk-free and thus come to the incorrect conclusion that they no longer need to implement data protection measures. It is difficult to see why the fundamental right to privacy of 448 million people should be sacrificed for a saving of 66 million euros on the part of companies. More important would be the provision of sample databases, digital processing directories and AI-supported tools that help companies comply with data protection requirements.

Further information:

AK EUROPA: Konsultation zum 4. Omnibus-Paket: Öffnung der DSGVO (German only)
European Commission: Omnibus IV
BEUC: EU simplification plans should keep GDPR and on-product labelling strong
AK EUROPA: Rules to Protect. Criticism of the Commission's omnibus packages and alternatives to deregulation