Why is the “personal data” definition aspect of the Digital Omnibus deemed controversial by some? And why are the alleged issues with the definition in fact absent?
The Commission’s proposal is to codify recent case law of the EU Court of Justice, notably the SRB judgment (4 Sept 2025), by putting it into the law that data is not necessarily “personal” for every entity led to interact with it. It would be a statutory consecration of the “relative” approach to the notion of personal data: whether data is personal depends on whether a given entity has means reasonably likely to be used to identify individuals – and that requires a case-by-case assessment, not general hypotheses.
Some, such as the EDPB & EDPS, are concerned that this would narrow the GDPR’s scope, create loopholes, and allow companies to escape obligations by relying on pseudonymisation and dataset fragmentation (see EDPB/EDPS Omnibus proposal report).
Thing is: the last time the EDPB/EDPS made such claims, the CJEU rejected them. The EDPS was a party to the SRB case, and the EDPB intervened in support of the EDPS. Their claim? Personal data is an absolute concept. This is needed to ensure a high level of data protection. The CJEU’s response? Wrong.
In that context, the influence the EDPS & EDPB members are having at the EU Council discussions on the Omnibus raises questions. The EDPB/EDPS *want* the GDPR to apply as broadly as possible, because that gives them authority.
Yet a relative approach to “personal data” is not a reduction in protection. If and when “means reasonably likely to be used” *DO* exist, the GDPR applies in full. If they do not, imposing obligations that cannot be meaningfully complied with does little to enhance data protection and only creates problems.
The relative approach helps handle situations in which a data recipient *doesn’t* have a practical way of acting upon data subject requests without requesting additional information (which the GDPR explicitly says is not needed). And if identification becomes possible, the rules apply.
What about Scania then?
Some see the 3rd sentence of the proposed change as limiting the CJEU’s Scania judgment – but that dealt with a *known*, specific recipient, not a *potential*, undefined recipient. We shouldn’t have to deal with unforeseeable, potential recipients, and the proposal helps.
What if the change isn’t adopted then?
Then we’re back to existing case law, which we know *the EDPB & EDPS argued against*. Some regulators continue to claim IP addresses are *always* personal data, even for websites with no user registration. Regulators & complainants will continue to brandish formalistic arguments. Sure, some organisations have in-house or external lawyers like me to tell them what case law actually entails and how to push back – but not all do.
So the absence of change does not mean a high(er) level of protection but just a continued lack of legal certainty. Good news for lawyers like me, I guess?
Did this analysis get you thinking? Reach out!
DataLaws.net is entirely open-access, and instead of getting your data in exchange for this content, how about another trade? If this commentary saved you research time or sparked an idea, feel free to invite me over for tea, chai or a hot chocolate next time you are around Brussels or Antwerp - or invite me over to your offices for a chat!
Get in touch ↗ Let's connect on LinkedIn ↗