Making the GDPR realistic? Authorities only want that in part

[This is a translation of an op-ed in French that was published in the French journal Revue Politique on SRB and the Digital Omnibus, plus the newest EDPB & EDPS Joint Opinion on the topic. The original in French can be found on the Revue Politique website.

+ The banner image is a jest – readers will know that I view the Commission’s ePrivacy proposal in the Digital Omnibus as very unfortunate and that I appreciate some of the EDPB’s recent openings towards better stakeholder engagement.]

---

Four letters with a bad reputation today in some circles but perhaps less tomorrow: GDPR or General Data Protection Regulation. With reason. “We need consent for everything”. “A detailed analysis of the laws of each country of destination for our data? That’s absurd!”. Yet the principles of data protection law are based on a long forgotten realism and optimism: the GDPR, the law on the topic and a source of inspiration worldwide, is not there to prohibit processing of personal data but instead to permit it in a responsible and regulated manner. The European Union’s internal market is founded on the free movement of persons, goods, services and capital; the GDPR complements this framework by ensuring the free movement of data, provided their processing takes place in a correct manner.

Since several years, however, the Court of Justice of the European Union as well as supervisory authorities (the CNIL in France, the Garante in Italy and many others) appear to have made of the protection of personal data the first among all fundamental rights. Freedom of expression? My right of access, Article 15 of the GDPR, allows me to obtain access to opinions expressed by evaluators in my respect. Freedom to conduct business? Monetising online content by way of advertising is considered by the European Data Protection Board as not being necessary for the performance of a contract and as only being permitted on the basis of my consent, which implies also a right to refuse that processing. The empire of data protection prevails, full stop.

“Prevailed”, perhaps? The start of the academic year came with a wind of renewal, with the judgment of  4 September 2025 of the Court of Justice in a case concerning pseudonymised data, i.e. data whose part enabling identification of a natural person has been decoupled from the content data. In this case, these were comments submitted by creditors to the Single Resolution Board (SRB), comments that the SRB transmitted to the consultancy firm Deloitte after having replaced in the data in question the name and contact details of each creditor with a unique identification number. Deloitte thus only had comments and identification numbers but was not in a position to detect the identity as such of the creditors. Jane, Paul and George became AB837, Z9N2A and X8YBA.

The Court of Justice therefore stated what should have been self-evident: for Deloitte, this information does not appear to be personal data, provided that (i) the method of pseudonymisation is effective (no “George” appearing randomly within the data received), (ii) Deloitte is not reasonably able to obtain reidentification from the SRB or a third party, for instance by way of a table matching identification numbers to true identities, and finally (iii) Deloitte does not provide such information to a third party that is itself capable of carrying out such a reidentification. It is pragmatic ruling – Such Realism to Behold, surely!

Those who lost in this case were the European Data Protection Supervisor (the data protection authority tasked with monitoring European Institutions’ compliance with data protection law) and the European Data Protection Board (which brings together the various national authorities). Together, data protection authorities from across the European Union had defended the opposite view before the Court of Justice: in their opinion, information that is personal data from the perspective of one entity must be perceived as such by any third party. This interpretation, which is absolutist and anything but pragmatic, was explicitly rejected by the Court of Justice.

Two months later, it was the European Commission’s turn to show that the GDPR is not untouchable: its ‘Digital Omnibus’ proposal, unveiled on 17 November 2025, includes a proposal to amend the definition of ‘personal data’. The key lessons of the SRB judgment would be incorporated within the definition itself, with certain subtleties. For example, the aforementioned condition (iii) would not be fully included. Some have gone up in arms, accusing the Commission of distorting the Court of Justice’s teachings; others (such as yours truly) see it more as a choice by the Commission to make the Court’s case law more accessible by incorporating the essence of its lessons into the law and avoiding some of the excesses of condition iii, which initially comes from the ‘Scania’ judgment of 9 November 2023 but is very difficult to implement correctly. Once again, a touch of common sense and pragmatism.

The other proposed amendments to the GDPR are for the most part just as pragmatic. A data subject access request based on grounds unrelated to data protection (such as a fishing expedition for evidence or to cause trouble for a former employer)? The controller is explicitly allowed to invoke abuse of rights, already a general principle of European law. The reason for this (seemingly obvious) clarification is that some courts and authorities have dismissed counterarguments based on abuse of rights. What about training AI models on the basis of legitimate interest as a legal ground? The European Data Protection Board had already indicated that this is possible in theory. Putting in place a pan-European list for scenarios in which a ‘data protection impact assessment’ or DPIA is required? About time too, so that organisations wishing to commence processing covering several European jurisdictions can avoid having to take into account the hundreds (truly!) of different scenarios that currently apply.

Yet data protection authorities, under the umbrella of the European Data Protection Board together with the European Data Protection Supervisor, are challenging some of the proposals. The change to the concept of personal data? Unacceptable, in their view. They claim that this change would allow companies to create fictitious structures to circumvent the GDPR, while the illustrations they provide are examples of situations that actually reduce privacy risks. It is moreover perfectly legitimate for a legislator to seek to resolve problems arising from broad interpretations. The authorities’ position leaves a key message unspoken, though: when information ceases to be perceived as personal data, it falls outside of their remit. One must therefore be careful not to see their position as neutral.

Of course, the Commission’s text is merely a proposal. The European Parliament will have its say, as will the EU Council. It may be that none of the suggestions survive the legislative process. Still, the proposal exists, and it shows that data protection law can be pragmatic. While SRB and the Digital Omnibus do not signal the end of ivory-tower decisions, their message is clear: the GDPR can be revived in a manner that achieves a better balance, and the business world is no longer alone in believing this.

---

As I wrote, this was is a short-ish article, notably because of character constraints, but it feeds into a broader debate about the EDPB & EDPS Joint Opinion, the Digital Omnibus, and the notion of personal data (+ the impact of pseudonymisation). For instance, there is much to be said about the practical impact of that condition (iii) and whether the proposal truly limits the notion of personal data in that context or merely excludes uncertainty regarding potential recipients.

Further reading on these issues:

• Pseudonymisation & “means reasonably likely to be used” for identification: when does data become personal? (10 December 2025)
• When is data no longer personal? And what are the implications? (SRB commentary, 5 September 2025)