GDPR remains unchanged: the EU has abandoned plans to modify the definition of personal data

In recent months, an intense debate has been taking place within the European regulatory landscape regarding potential amendments to the General Data Protection Regulation (GDPR). One issue that attracted particular attention from both the legal and technological communities concerned the possible modification of the very definition of personal data—one of the fundamental concepts underpinning the entire data protection system in the European Union.

The proposal, which emerged as part of a broader initiative to simplify digital regulations in the EU, opened the possibility of narrowing the definition of personal data to some extent, particularly with regard to pseudonymized data or data that require additional steps to be linked to a specific natural person.

For technology companies and parts of the industry, such a change could have meant greater flexibility in the use of data for developing digital services, analytics, and training artificial intelligence models. At the same time, privacy advocacy organizations warned that redefining this concept could weaken the existing level of protection for individuals.

Precisely because of these dilemmas, the definition of personal data quickly became one of the central topics in the regulatory debate in Brussels. Given that this concept determines whether certain information is considered subject to protection under the GDPR at all, any change would have had potentially far-reaching consequences for the digital economy.

The definition of personal data at the center of legal debate

Following discussions between EU institutions and Member States, the Council of the European Union decided, at this stage, not to amend the existing definition of personal data in the GDPR. As a result, the portion of the compromise text concerning the redefinition of this concept was removed.

In practice, this means that the current rule remains in force: personal data is any information relating to an identified or identifiable natural person, including data that, when combined with additional information, can lead to the identification of an individual.

This approach confirms the existing interpretation that pseudonymized data will, in many cases, still fall under the personal data protection regime, provided there is a realistic possibility that such data could be linked to a specific individual using additional information. In doing so, the European regulator maintains a relatively broad understanding of the concept of personal data, which has significant implications for companies that rely on large datasets in analytics, digital services, and the development of artificial intelligence systems.

The Council of the EU opts to retain the existing definition

This decision confirms continuity in the European legislator’s approach to privacy protection. At the same time, it highlights how the balance between technological innovation and the protection of fundamental rights remains one of the key issues in EU digital regulation.

For companies operating in the European market – particularly in sectors such as digital services, data analytics, and artificial intelligence – this means that the regulatory framework established by the GDPR remains unchanged in this respect. Data processing that enables the identification of an individual continues to fall fully within the scope of data protection rules.

Majstorović & Partners closely monitors developments in the European regulatory framework in the fields of digital technologies, data protection, and artificial intelligence, providing legal support to companies in interpreting new rules, assessing regulatory risks, and ensuring compliance with European privacy standards.

As the digital economy continues to evolve, clearly defined concepts and a stable regulatory framework remain essential for maintaining user trust and legal certainty in the market.

A reference text on this topic is available at:
https://www.euractiv.com/news/council-deletes-revised-definition-of-personal-data-from-gdpr-omnibus/