EDPB, EDPS detail concerns over personal data definition in joint opinion on Digital Omnibus

The European Data Protection Board and European Data Protection Supervisor released their highly-anticipated joint opinion on the European Commission's Digital Omnibus proposal.

The opinion, adopted 10 Feb., identifies several areas where both the EDPB and EDPS are in favor of changes the Omnibus would make to marquee EU digital regulations, such as the EU General Data Protection Regulation, the ePrivacy Directive and others. However, both bodies detail several other provisions contained in the Omnibus they believe the Commission must reevaluate. 

Overall, the EDPB and EDPS said they supported the broad objectives of the Omnibus package, which are to "optimise the application of the digital rulebook, simplify compliance with the rules, strengthen individuals' ability to exercise their rights, and stimulate competitiveness," per the opinion. Notably, they said they support provisions in the Omnibus that aim to foster "greater harmonisation, consistency and legal certainty or reduce unnecessary administrative burden."

"The creation of a single, clearer and horizontal framework is an ambitious aim, which, if fulfilled, will help improve legal certainty for businesses and public authorities, maintain the level of protection for data subjects and support the Commission's goal of fostering innovation by enabling trustworthy and responsible access to data," the opinion states. "To achieve the full potential of the Commission's ambitions to foster innovation while protecting rights, as set out in the Data Union Strategy, trust will be key."

The EDPB and EDPS highlighted support for specific proposals, including changes on data breach notification, data protection impact assessments, processing for scientific research and the lawful use of biometric data in the identity verification context.

EDPB Chair Anu Talus said the Omnibus package is critical for boosting EU economic competitiveness. However, she also said the EDPB and EDPS each view the Omnibus as going too far in changing the GDPR's definition of personal data.

"Simplification is essential to cut red tape and strengthen EU competitiveness — but not at the expense of fundamental rights," Talus said in a statement. "We welcome the Commission's steps toward greater harmonisation, consistency, and legal certainty. However, we strongly urge the co-legislators not to adopt the proposed changes in the definition of personal data, as they risk significantly weakening individual data protection."

In comments to the IAPP, McDermott Will & Schulte Partner Rosa Barcelo said the opinion shows the EDPB and EDPS are taking "a practical approach to data protection." Barcelo added, "at the same time, perhaps not surprisingly, it rejects structural changes, like narrowing the definition of personal data, which it says would weaken the fundamental right to data protection."

Where friction exists

The current proposed change narrows the scope of personal data, which the EDPB and EDPS indicated goes beyond the European Commission's main objective of "targeted" and "technical" changes to the GDPR.

According to the joint opinion, the Omnibus proposes to change the GDPR's definition of personal data by adding a paragraph to Article 4(1) of the GDPR to state "Information relating to a natural person is not necessarily personal data for every other person or entity, merely because another entity can identify that natural person. Information shall not be personal for a given entity where that entity cannot identify the natural person to whom the information relates, taking into account the means reasonably likely to be used by that entity. Such information does not become personal for that entity merely because a potential subsequent recipient has means reasonably likely to be used to identify the natural person to whom the information relates."

In their joint press release, the EDPB and EDPS agree the amended definition would also impact how pseudonymized data is treated under the GDPR. They said the Commission "should not be entrusted to decide by an implementing act what is no longer personal data after pseudonymisation as it directly affects the scope of application of EU data protection law."

The potential Omnibus impacts on pseudonymized data come as the EDPB is currently working toward finalizing updates to its guide on pseudonymized data after a draft was released January 2025.

The recommended remedy, per the opinion, is the definition of personal data "should say what personal data is, instead of what it is not" and avoid the current "'negative'" that "is likely to increase legal uncertainty."

European Data Protection Supervisor Wojciech Wiewiórowski called on EU lawmakers to reject the Omnibus' proposed changes to the definition of personal data, noting they erode Court of Justice of the European Union precedent on defining personal data, which was most recently affirmed by the court last September in the case known as EU Single Resolution Board v. EDPS. 

"These changes are not in line with the (CJEU's) case law and would significantly narrow the concept of personal data," Wiewiórowski said in a statement. "We must make sure that any changes to the GDPR … actually clarify obligations and bring legal certainty while maintaining trust and a high level of protection of individual rights and freedoms."

In comments to the IAPP, Baumgartner Baumann Partner Ulrich Baumgartner, CIPP/E, said the joint opinion reflects the EDPB and EDPS fighting "tooth and nail against the proposed clarifications of the definition of personal data." However, he said the proposed changes within the Omnibus "are in fact welcome news for businesses and other organizations in Europe and beyond and would codify a much more nuanced approach as to what constitutes personal data as currently accepted by EU regulators."

Baumgartner said, in issuing their opinion, EDPB and EDPS did not directly address the first two sentences of the European Commission's revised definition of personal data, and instead only addressed the third sentence of the paragraph to be added, in which they claim the Commission is attempting to overrule CJEU case law. 

"It is significant that the EU supervisory authorities seem to accept the first two sentences (of the Commission's revised definition), and are direct rebuttal of the absolute approach advocated by the EU data protection supervisory authorities for decades," Baumgartner said. "If codified, such changes would force them to radically change their approach in enforcement — which would give companies much more flexibility around anonymization. So in my view, the most important aspect of the opinion is that it remains silent regarding the first two sentences."

Other areas of concern

The joint opinion criticized the Omnibus proposal for lacking a full impact assessment on the potential "adverse effects of certain proposed changes on the protection of fundamental rights and freedoms of individuals."

With regard to other specific areas of the proposal, the EDPB and EDPS indicated the proposal unnecessarily adds language to the GDPR outlining when developers of artificial intelligence systems can claim legitimate interest to process personal data to train models. They also proposed additional clarification on provisions covering automated individual decision-making technology, as well as clarification on the scope of specific exemptions covering the "incidental and residual processing of special categories of data in the context of AI." 

Beyond the GDPR alterations, the joint opinion touched on strong support for the Omnibus' objectives to modify the ePrivacy Directive, such as reducing data subjects' cookie banner fatigue by simplifying rules while still protecting end users’ personal data. However, the bodies said without establishing a firm definition of what constitutes personal data within the Omnibus’ proposal, it could result in inconsistent requirements imposed on data controllers who collect user data through embedded cookies on webpages. 

"The EDPB and the EDPS also generally welcome that the proposal aims to provide limited additional derogations to the general prohibition to store or gain access to personal data in the terminal equipment and the fact that the oversight of such matters will be entrusted to the supervisory authorities established in accordance with the GDPR to further support regulatory consistency," the opinion states. "The EDPB and the EDPS are concerned that the proposed separation of the rules on access to and storage of information in terminal equipment over different legal instruments may lead to legal uncertainty."

Baumgartner said if the joint opinion were to take hold in a revised Omnibus package, it may create a scenario where data controllers could face penalties due to manufactured legal conflicts between the GDPR and Data Act. He indicated a data controller processing "technical, non-personal information" would potentially need to make a determination if every user and third-party could link that data to an identifiable person. 

"In practice, data holders would rarely be able to make such determination," Baumgartner  wrote. "That would leave data holders caught between a rock and a hard place as sharing the data without a reliable GDPR legal basis could create a risk of GDPR sanctions, whereas a refusal to provide the data might infringe the Data Act."

Alex LaCasse is a staff writer for the IAPP.