There is a paragraph that the European Commission spent years building a legal case for, that the technology industry spent years lobbying for, and that the European Data Protection Board and European Data Protection Supervisor spent their joint opinion capital pushing back against. It was three sentences long. It would have been inserted into Article 4(1) of the GDPR — the foundational definition of what counts as personal data — and it would have changed the scope of European data protection law more fundamentally than any single amendment since the Regulation came into force in 2018.
Governments across the EU have withdrawn the revised definition of personal data from the GDPR omnibus package, softening earlier proposals that had prompted strong resistance from regulators and civil society — a decision that signals a preference for maintaining the original scope of the General Data Protection Regulation instead of reopening sensitive debates that risked weakening long-standing protections.
For privacy professionals navigating the Digital Omnibus reform process, this deletion is the most significant development in the legislative process to date — not because it ends the debate, but because of what it reveals about the political dynamics shaping the reform, what it leaves unresolved about the pseudonymisation question that was the amendment’s real-world target, and what it signals about the path the GDPR’s foundational concepts will now travel as the omnibus continues through trilogue.
What the Commission Proposed — and Why It Mattered
To understand what was deleted, you need to understand what it said and why the Commission believed it was necessary.
The Commission intended to clarify the definition of personal data in Article 4(1) GDPR by establishing a subjective or relative interpretation of the term — that is, the assessment of data as personal data or anonymous/non-personal data would be based on the perspective of the relevant data controller. The proposed language would have added a paragraph to Article 4(1) reading, in substance: information relating to a natural person is not necessarily personal data for every other person or entity merely because another entity can identify that natural person. Information shall not be personal for a given entity where that entity cannot identify the natural person to whom the information relates, taking into account the means reasonably likely to be used by that entity.
Read that carefully, because the implications are significant. What the Commission was proposing was not a new legal concept — it was a codification of a legal position that already exists in GDPR Recital 26 and has been progressively confirmed by the Court of Justice of the European Union through a series of judgments including Breyer, Scania, and most recently the September 2025 decision in EDPS v. SRB. The amended definition is most significant in multi-party data flows — for example, controller-processor chains, and data-sharing chains under the Data Act — where different actors have different abilities to re-identify an individual from data. The third new sentence was designed to avoid a knock-on effect whereby data becomes personal data for the sender merely because the recipient can identify the individual, a point that has generated uncertainty in light of parts of the CJEU’s reasoning.
The practical impact of the proposed amendment, had it been adopted, was substantial. Businesses would no longer need to treat certain datasets as personal data if they can no longer reasonably identify individuals, removing GDPR obligations such as legal basis, access rights, and data transfer restrictions. Companies would be able to more efficiently share, analyse, or commercialise certain data, provided proper risk assessments are in place and documented.
In other words: the same pseudonymised dataset could simultaneously be personal data for Party A — who holds the re-identification key — and non-personal data for Party B — who does not — without the data’s classification for Party B being contaminated by Party A’s ability to identify. For organisations operating in complex data-sharing ecosystems — research consortia, cloud processing chains, AI training pipelines, Data Act sharing arrangements — this entity-specific approach would have dramatically clarified which GDPR obligations applied at each node of the processing chain.
The Opponents Who Killed It — And Why They Were Right
The Council’s pushback comes mere weeks after the European Data Protection Board and European Data Protection Supervisor issued a joint opinion generally in favour of the Commission’s aims in the Digital Omnibus, but also critical of the proposal to change the definition of personal data. Per the joint opinion, the EDPB and EDPS recommend the definition of personal data should say what personal data is, instead of what it is not, and avoid the current negative formulation that is likely to increase legal uncertainty.
The EDPB’s objection was both substantive and constitutional. EDPB Chair Anu Talus said the Omnibus package is critical for boosting EU economic competitiveness. However, she also said the EDPB and EDPS each view the Omnibus as going too far in changing the GDPR’s definition of personal data. “Simplification is essential to cut red tape and strengthen EU competitiveness — but not at the expense of fundamental rights,” Talus said.
The constitutional objection centred on the accompanying Article 41a mechanism — a provision that would have allowed the Commission to adopt implementing acts specifying criteria to determine whether data resulting from pseudonymisation no longer constitutes personal data for certain entities. The EDPB and EDPS indicated the Commission should not be entrusted to decide by an implementing act what is no longer personal data after pseudonymisation as it directly affects the scope of application of EU data protection law.
That last point is the most legally significant objection, and it is the one that appears to have carried the most weight with Council delegations. The scope of the GDPR — which entities and which data fall within its protective framework — is not an administrative question. It is a fundamental rights question, embedded in Article 8 of the EU Charter of Fundamental Rights. Delegating the power to decide what falls outside that scope to Commission implementing acts, without the procedural guarantees of the ordinary legislative procedure, is a different order of legal delegation than allowing the Commission to specify technical implementation details. Several delegations flagged that amending the definition of personal data could constitute a substantial change to EU data protection rules, affecting the scope of application of the GDPR, which would require a thorough assessment.
There is a further dimension to the EDPB’s objection that deserves more attention than it has received in most coverage of this development. The proposed amendment was framed as a codification of existing CJEU case law — a technical clarification of what the courts had already said, not a substantive change to the law. The EDPB pushed back on that framing directly, arguing that the proposed modification of the definition of personal data seems to go further than the recent CJEU case law, and beyond a targeted modification of the GDPR, which may risk adversely affecting the fundamental right to data protection.
That disagreement — between the Commission’s characterisation of the amendment as codification and the EDPB’s characterisation of it as expansion — is not a semantic dispute. It is a dispute about how far the relative or entity-specific approach to personal data identification actually extends under existing law, and about how much further the proposed amendment would have pushed it. The EDPB, as the body charged with interpreting and applying the GDPR, is better positioned than the Commission to make that assessment.
What the Council Kept — And What That Means
The deletion of the revised personal data definition was not the only significant change in the Council’s compromise text. Greater attention is now placed on the forthcoming pseudonymisation guidelines prepared by the European Data Protection Board. These guidelines are expected to shape how organisations interpret key safeguards, offering practical direction instead of altering the legal definition of personal data. The updated prominence given to the guidance reflects a broader trend within the Council towards regulatory clarity rather than legislative redesign.
This is a meaningful pivot in strategy. Rather than resolving the pseudonymisation question through a statutory amendment to Article 4(1), the Council’s compromise text elevates the EDPB’s forthcoming updated pseudonymisation guidelines as the mechanism through which practical clarity will be delivered. The EDPB released a draft of those guidelines in January 2025; final adoption is expected during the Omnibus legislative process.
For privacy professionals, this pivot from legislative amendment to regulatory guidance has significant practical implications. Guidance is softer law than statute — it is persuasive and authoritative, but it does not have the binding force of a regulation, and supervisory authorities in different member states may interpret it with different degrees of deference. A statutory amendment to Article 4(1) would have created a uniform, directly applicable rule across all 27 member states simultaneously. Updated EDPB pseudonymisation guidelines will create a shared interpretive framework, but one whose application will still depend on national supervisory authority practice and, ultimately, on how the CJEU interprets the guidance in future litigation.
The ePrivacy complications add another layer. The EDPB and EDPS noted that without establishing a firm definition of what constitutes personal data within the Omnibus’ proposal, it could result in inconsistent requirements imposed on data controllers who collect user data through embedded cookies on webpages. The EDPB had broadly welcomed the Commission’s proposal to simplify cookie consent rules — one of the Omnibus’s less controversial provisions — but flagged that the cookie consent changes interact with the personal data definition question in ways that could create new inconsistency if the definition question is left unresolved. A website operator whose cookie data is personal data under the GDPR but not under the ePrivacy changes — or vice versa — faces interpretive challenges that neither the Council’s deletion nor the EDPB guidance will fully eliminate.
The AI Training Legitimate Interest Question: What Survived
While the personal data definition amendment was deleted, other provisions of the Digital Omnibus that directly affect the AI sector survived the Council’s compromise process, at least in modified form. The proposal clarifies how legitimate interest applies to AI systems. In line with the EDPB Opinion, personal data can be processed for AI models as long as any use in a specific situation does not break any EU or national law, and the processing complies with all requirements of the GDPR. The proposal subjects this processing to strong safeguards and ensures that data subjects have the unconditional right to object to the processing of their personal data.
The legitimate interest clarification for AI training is commercially significant in a way that the personal data definition deletion does not fully undo. Under current GDPR practice, the application of legitimate interest as a legal basis for AI model training is contested — different supervisory authorities have reached different conclusions, and enforcement has been inconsistent. The Omnibus provision creating an explicit, GDPR-compliant pathway for legitimate interest in AI training, with a hard right to object, reduces that uncertainty materially even in the absence of the personal data definition change.
For organisations training AI models on data that includes personal data — which is, in practice, most large-scale AI development — the surviving legitimate interest clarification may ultimately be more operationally significant than the deleted personal data definition amendment would have been. The definition change would have reduced the scope of data classified as personal in certain processing chains. The legitimate interest clarification, if adopted in final form, provides a clearer legal basis for processing data that definitively is personal.
What This Means for the Broader Omnibus Trajectory
The Council’s deletion of the personal data definition amendment is a significant political signal about the current state of play in European privacy politics, but it is not a final answer. The Digital Omnibus must still pass through the European Parliament, and the trilogue process between Council, Parliament, and Commission will produce further amendments before a final text is adopted.
The Digital Omnibus Proposal is expected to move through the legislative process in the European Parliament and Council throughout 2026. Several committees, including IMCO, ITRE, and LIBE, will be involved in shaping the Proposal. While it has been mentioned in the press that the European Parliament may adopt a fast track procedure, it is currently uncertain whether an expedited procedure will be applied.
The LIBE committee — the Parliament’s civil liberties, justice and home affairs committee, which has traditionally been the primary guardian of data protection standards in the legislative process — will be the forum where the personal data definition question is most carefully scrutinised. If the Parliament’s LIBE rapporteur shares the EDPB’s constitutional concerns about the Article 41a implementing act mechanism, the definition amendment may remain deleted in the final text. If the Parliament’s more industry-aligned committees push for its reinstatement in a modified form — perhaps with stronger constraints on the Commission’s implementing act authority — it could return to the text in trilogue.
The Commission, which proposed the amendment and presumably still believes the policy case for it is sound, will have its own position to advance. The EDPB’s updated pseudonymisation guidelines, whenever they are finalised, will also influence the legislative conversation: if the guidelines deliver the practical clarity that organisations need without a statutory amendment, the legislative case for the definition change weakens further. If the guidelines leave significant ambiguity unresolved, the pressure to revisit the legislative route will intensify.
What Privacy Professionals Should Do Right Now
For privacy professionals advising organisations on GDPR compliance, the Council’s deletion creates a specific set of compliance planning challenges that cannot wait for trilogue resolution.
The fundamental compliance position remains unchanged by the Council’s action. The GDPR’s definition of personal data, as it currently stands and as clarified by the CJEU’s recent case law, is the operative standard. Organisations that have been anticipating the Commission’s proposed entity-specific approach as a basis for treating pseudonymised data as non-personal for downstream processors need to recalibrate their compliance plans to reflect the reality that this statutory clarification is not coming imminently and may not come at all.
The EDPB’s draft pseudonymisation guidelines should be closely monitored. Pseudonymised data, which could be attributed to a natural person by the use of additional information, remains information related to an identifiable natural person, and thus is personal data under Recital 26 GDPR. Therefore, the processing of such data needs to comply with the GDPR, including the principles of lawfulness, transparency, and confidentiality. The draft guidelines released in January 2025 already contain useful practical guidance on technical approaches, access controls, and data subject rights management for pseudonymised data — guidance that becomes more important as the legislative route to clarification is at least temporarily closed. The final guidelines, when adopted, should be immediately incorporated into compliance frameworks.
Data-sharing architecture reviews are now more urgent, not less. The entity-specific approach to personal data classification was most practically valuable for organisations operating in complex multi-party data flows — research consortia, processor chains, Data Act sharing arrangements, AI training pipelines that receive data from other controllers. Those organisations were anticipating the statutory clarity that the Commission’s amendment would have provided. In the absence of that clarity, they need to ensure their data-sharing arrangements are structured around the existing Recital 26 standard — not the entity-specific standard that was proposed — until the trilogue process produces a final answer.
The pseudonymisation implementation gap is where the Council’s decision bites hardest for practical compliance programs. The Commission’s proposal was motivated in part by real and documented confusion about how pseudonymisation should be governed in multi-party processing chains. That confusion has not been resolved by the Council’s deletion — it has been deferred to a guidance process whose timeline and authority are both less certain than statute. Organisations currently structuring data-sharing arrangements around pseudonymisation need robust documentation of their re-identification risk assessments and their technical and organisational measures, because the supervisory authority scrutiny of those arrangements will not diminish simply because the legislative question is unresolved.
The wider lesson of the Council’s move — that the GDPR’s foundational definitions are not available for administrative simplification through Commission implementing acts — is one that privacy professionals should embed in how they advise their organisations on every aspect of the Omnibus that touches fundamental rights scope questions. The EU’s data protection framework is built on a constitutional foundation that member state governments, whatever their economic competitiveness concerns, were not willing to delegate to secondary legislation. That constraint on the reform process is not a failure of ambition. It is the system working as designed.
The definition fight is not over. But the privacy watchdogs, for now, have held the line.
