Stakeholders Disagree Over Impact of GDPR Personal Data Definition Revamp

The EC floated the simplification package on Wednesday last week to mixed reactions (see 2511190005). While some privacy practitioners called the proposed changes "tweaks," others worried about reopening the "Pandora's box" of the GDPR.

If approved by the European Parliament and EU Council, the measure would revise the GDPR's definition of personal data to exclude information where the entity holding it doesn't have "means reasonably likely to be used" to identify that individual, Covington's privacy team wrote in a Thursday update.

The amendment reflects the European Court of Justice's September decision in EDPB v SRB (C-413/23 P) (see 2509040029), which held that information wouldn't be considered personal data for the entity holding it, and would fall outside the GDPR's scope, if identification was legally prohibited or would require a disproportionate effort, Covington attorneys said.

The proposal also gives the EC the power to adopt implementing acts to specify when pseudonymized data constitutes personal data, based on the state of the art of available techniques, the Covington update noted.

The proposed clarification of personal data "could be transformative for technology companies," Pinsent Masons data protection lawyer Anna Flanagan emailed us Monday. By explicitly stating that data shouldn't be considered personal when the holder lacks the "means reasonably likely to be used" to re-identify someone, the proposal "introduces a practical, capability-based test," she said.

In effect, pseudonymized or aggregated datasets, where re-identification isn't reasonably possible, could fall outside the scope of the GDPR for that entity, Flanagan added. That could significantly reduce compliance burdens for cloud providers, analytics platforms and AI developers, she said.

If those datasets are no longer classified as personal data, GDPR obligations like data subject access requests, data protection impact assessments and certain technical measures may no longer apply, Flanagan said. That simplification would "ease the routine of processing of large-scale datasets and unlock greater flexibility for data-driven innovation."

Privacy protections "remain intact," Flanagan said; as long as identification is objectively not possible, individual rights are preserved. The proposals aim for a "pragmatic balance" that "maintains privacy while helping businesses leverage data responsibly and efficiently."

Noyb privacy lawyers Max Schrems and Levan Lobzhanidze, however, said in a video Saturday that the change shifts the definition from an objective basis (whether a person is identified or identifiable) to a subjective, context-based one (the reasonable likelihood that someone can be identified or identifiable). Far from simplifying burdens on organizations, the revision is more likely to have the opposite effect, they said.

There are real-life consequences of the proposal, Schrems said. Among other concerns is that if a company acts as a data exporter and is no longer covered by the GDPR because its data is deemed pseudonymized, it may be able to ship that data to other exporters without any level of protection, he said. It's unclear what happens if some parts of a data chain are subject to the GDPR and others aren't, he added.

The EC stated that if the information is shared with third parties that could reasonably identify the person to whom the data relates, those third parties would have to treat the data as personal, Pinsent Masons attorneys reported Thursday.