The European Union is currently navigating a pivotal moment in the evolution of its digital rulebook. The European Commission has proposed a “Digital Omnibus” package intended to harmonize various regulations, including the GDPR and the ePrivacy Directive. While the stated goal is to reduce administrative friction and bolster economic competitiveness, the proposal has sparked a significant debate among the continent’s top privacy regulators.
The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) recently issued a joint opinion that raises a red flag over one specific area: the fundamental definition of personal data. For privacy professionals, this is not a mere semantic debate. It represents a potential shift in the very foundation of global data protection standards.
The Proposed “Negative” Definition
At the heart of the friction is the Commission’s attempt to clarify Article 4(1) of the GDPR. The Omnibus proposes adding a paragraph stating that information is not necessarily personal data for one entity simply because another entity has the means to identify the individual.
The Commission’s intent is to move toward a more “relative” approach to data. Under this logic, if an organization lacks the “means reasonably likely to be used” to identify a person, that data should not be treated as personal data in their hands, even if a subsequent recipient might have those means.
However, the EDPB and EDPS argue that this “negative” definition—defining what personal data is not rather than what it is—creates dangerous legal uncertainty. They contend that this change would effectively overrule established precedent from the Court of Justice of the European Union (CJEU). By narrowing the scope of what constitutes personal data, the regulators fear that a vast amount of information currently protected under the GDPR could suddenly fall into a regulatory grey area.
The Technical Reality of Pseudonymization
The proposed changes have a direct impact on how pseudonymized data is treated. Currently, pseudonymization is viewed as a security measure applied to personal data, meaning the data remains within the scope of the GDPR. The Omnibus proposal suggests a path where certain pseudonymized datasets might be reclassified as non-personal data through future “implementing acts” by the Commission.
The regulators are pushing back strongly against this. They argue that the Commission should not have the power to decide by decree what is no longer personal data after pseudonymization. From a compliance perspective, this highlights a growing tension between the desire for technical flexibility and the need for a high level of fundamental rights protection.
If the definition of personal data becomes fragmented based on the specific capabilities of the data holder, the “portability” and “interoperability” of data become much more complex. An organization might receive a dataset they believe is anonymous, only to find themselves in violation of the GDPR if a regulator determines they actually had the “means reasonably likely” to re-identify the subjects.
The Risk of Regulatory Inconsistency
Beyond the definition of data, the EDPB and EDPS expressed concern regarding the lack of a full impact assessment for the Omnibus. They pointed out that introducing these changes could create conflicts with other major frameworks, such as the Data Act and the AI Act.
For instance, if a data controller is processing “technical, non-personal information” under the Data Act, but that same information is considered “personal data” under a stricter GDPR interpretation, the controller is caught in a legal vacuum. This “rock and a hard place” scenario is exactly what high-end compliance programs seek to avoid. A refusal to share data could infringe on the Data Act, while sharing it could trigger massive GDPR sanctions.
The regulators are essentially calling for a “safety first” approach. They welcome the simplification of rules, such as those intended to reduce “cookie banner fatigue” under the ePrivacy Directive, but they refuse to accept these gains at the cost of narrowing the scope of individual rights.
Auditing Your Data Definitions
This debate serves as a critical reminder for enterprise organizations: the legal definition of the data you handle is not a static fact. It is a shifting regulatory boundary.
As the Digital Omnibus moves through the legislative process, we recommend that organizations perform a “stress test” on their current data classifications. You must evaluate your datasets not just based on your own ability to identify individuals, but through the lens of potential “reasonable means” available to third parties.
-
Re-evaluate Anonymization Claims: Are you relying on a “relative” definition of anonymity that might not hold up under the EDPB’s stricter interpretation?
-
Scrutinize Data Flows: If the Omnibus passes in its current form, how would your data-sharing agreements with “subsequent recipients” need to change?
-
Monitor CJEU Precedent: Ensure your compliance team is tracking the specific cases, such as the Single Resolution Board v. EDPS, which the regulators are using to defend the current broad definition of personal data.
Future-Proof Your Compliance Strategy
The tension between the European Commission’s drive for innovation and the regulators’ commitment to privacy rights creates a complex environment for any business operating in the EU. Staying ahead of these shifts requires more than just reactive adjustments. It requires a proactive, sophisticated approach to data governance.
At Captain Compliance, we provide the expertise and the technical tools necessary to navigate these high-level regulatory disputes. We help you build a compliance roadmap that remains resilient even when the fundamental definitions of the law are in flux.
If you are concerned about how the Digital Omnibus or the shifting definitions of personal data will affect your global operations, let’s start a conversation. Contact us today to sign up for a demo of our platform and see how we can help you maintain the highest standards of data integrity and legal certainty.
