EU Council Rejects Changes to GDPR Personal Data Definition
EU member states have agreed to remove the European Commission’s proposal to change the definition of personal data from the Digital Omnibus package. This decision comes from a Council compromise reached on February 20, which was obtained by Euractiv. The proposed amendment aimed to alter the way personal data is defined under the General Data Protection Regulation (GDPR), but it faced significant opposition from several countries and data protection authorities.
The Commission had suggested that personal data should be defined based on the data holder’s ability to re-identify an individual, even if others receiving the data could not do so. This change would have allowed data processors to potentially avoid GDPR obligations by arguing that they cannot re-identify the data subjects. Critics, including the European Data Protection Board (EDPB), warned that this approach oversimplifies legal nuances and could weaken privacy protections.
The Council’s compromise also removes the Commission’s power to use secondary legislation to set criteria for when data is considered sufficiently pseudonymised. Instead, the text emphasizes the role of the EDPB and its updated guidelines on pseudonymisation. Pseudonymisation is a key privacy technique where personal data is processed in a way that the individual cannot be identified without additional information, which remains protected under GDPR.
This decision reflects the concerns raised by the EDPB in its negative opinion on the Digital Omnibus proposal. The Board highlighted risks that the Commission’s changes could undermine existing privacy standards. While some EU countries were uncertain about the best path forward, the EDPB’s opinion appears to have influenced the Council’s choice to reject the Commission’s proposed amendments to the personal data definition.
