On 19 Nov., the European Commission published a draft regulation to simplify and consolidate various digital EU laws, the so-called Digital Omnibus Regulation. One of the most consequential proposed changes relates to the definition of personal data in Article 4(1) of the EU General Data Protection Regulation. The concept of what is personal data not only defines the scope of application of the GDPR but also has practical implications for other legal acts of the EU Digital Rulebook such as the Artificial Intelligence Act or the Data Act.
Not much new under the sun
While the European Commission aims to leave the existing definition in Article 4(1) unaltered, it suggested adding three new sentences at the end of the clause. Although some actors decried this as significantly restricting the scope of application of the GDPR, none of the proposed wording for Article 4(1) is novel. Rather, the proposal reflects (in part long-standing) case law of the Court of Justice of the European Union. Moreover, it implants an often-overlooked principle already contained in Recital 26, sentence 3, of the GDPR into the definition of personal data.
Let’s have a closer look at the wording proposed by the Commission to be added to Article 4(1) GDPR:
First proposed new sentence: "Information relating to a natural person is not necessarily personal data for every other person or entity, merely because another entity can identify that natural person."
This sentence is a direct rebuttal of the absolute approach advocated by the EU data protection supervisory authorities for decades. Put simply, regulators have argued that if one person on earth is able to make a link between a piece of information and a natural person, everyone must treat such information as personal data. This applies irrespective of whether the person or entity processing the information can actually identify an individual on the basis of such information.
This approach was particularly evident in its purest form in the arguments made by the European Data Protection Supervisor in the recent SRB case (Case C‑413/23 P) before the CJEU. In that case, the EDPS argued pseudonymized data must be regarded as constituting, in all cases and for every person, personal data (para. 86). This notion has been rejected by the CJEU with by far the clearest words to date.
However, that was not the first time the court took the opposite view. It is important to recall that the CJEU — in the Breyer ruling of 2016 (Case C-582/14) and several times since then, including the Nowak, CRIF, Scania, OLAF and IAB Europe cases — has applied a "relative approach." This means the court assessed in each case whether the person or entity processing data could actually identify the natural person to which the information relates, either using its own information or that held by a third party. Only if that was possible did the CJEU qualify the information as personal data for this entity or person. However, for whatever reason, this case law has been largely ignored by EU supervisory authorities and many lower courts over years.
Against this backdrop, it seems that the Commission tried to capture the essence of the CJEU case law over the last decade by adding the first proposed new sentence to Article 4(1) GDPR — thereby enshrining the relative concept of personal data in this key definition. This intention is also reflected in Recital 27 of the draft Digital Omnibus Regulation where this additional wording is qualified as a clarification of the existing law only. Bearing in mind that the CJEU is the ultimate authority to interpret the GDPR, one can only agree with such assessment.
Second proposed new sentence: "Information shall not be personal for a given entity where that entity cannot identify the natural person to whom the information relates, taking into account the means reasonably likely to be used by that entity."
The first part of this sentence is a logical continuation of the previous sentence. While the first proposed new sentence essentially says information does not become personal data just because someone else is able to identify a natural person, the second sentence instead concludes that the right question to ask is whether the entity handling the information itself is able to identify. This again is a mere reiteration of previous CJEU case law and its relative approach.
If an entity is not able to identify, then the latter part of the second proposed new sentence states that additional information necessary for identification held by a third party must only be taken into account if the entity processing the information has the means to access such additional information and it is reasonably likely that such means will be used.
This wording is not new either, it has always been part of the GDPR, somewhat hidden in the third sentence of Recital 26. This recital complements the definition of personal data in Article 4(1) of the GDPR and states that "to determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used … either by the controller or by another person to identify the natural person directly or indirectly."
Therefore, the second proposed new sentence is merely a clarification.
Third proposed new sentence: "Such information does not become personal for that entity merely because a potential subsequent recipient has means reasonably likely to be used to identify the natural person to whom the information relates."
At first glance, this sentence is another description of the relative concept of personal data. It seems obvious that nonpersonal information processed by Entity A does not become personal data for Entity A just because it shares the information with Entity B even if Entity B has additional information that enables it to link the information to an identifiable person. Rather, under the CJEU's SRB ruling, the information qualifies as personal data for Entity B, which can link it to an individual, whereas the same information would not qualify as personal data for Entity A, which cannot make such link and also has no access to the additional information held by Entity B.
However, in the CJEU's Scania ruling (Case C-319/22, para. 49) and again, in the SRB ruling (para. 84, 85), the court held that in the above-mentioned scenario, the information would nevertheless become personal data also for Entity A if shared with Entity B. Albeit in my understanding the CJEU only wanted the GDPR to apply to Entity A in relation to the transfer of such data to Entity B, i.e., not beyond this transfer for other purposes of Entity A.
This obiter dictum caused some confusion as it seemed like a partial departure from the relative concept of personal data: In the SRB case, the CJEU rightly made it clear that the additional information held by SRB, the sending entity, and enabling it to relate the pseudonymized data back to natural persons is not attributable to Deloitte, the receiving entity, if Deloitte has no means reasonably likely to be used to access such additional information. Hence, the information was not qualified as personal data for Deloitte. Therefore, why should in the above-mentioned scenario the additional information held by Entity B be attributed to Entity A irrespective of whether Entity A has means reasonably likely to be used to access the additional information held by Entity B? One can only speculate about the court's motivation for such an outlier statement.
As confirmed by a Commission representative during the recent IAPP Europe Data Protection Congress 2025, the third proposed new sentence to be added to Article 4(1) GDPR is targeted at "overruling" exactly this concept of the CJEU developed in the Scania and SRB cases. It appears the Commission has recognized the findings of the CJEU could otherwise have undesirable effects on the practical effectiveness of the EU Data Act.
The reason is obvious. If a data holder — for example, one who holds only technical, nonpersonal information — had to determine for every user or third party claiming access to this data under Chapter II of the Data Act whether they could link technical information to an identifiable individual, it would effectively jeopardize the objectives of Chapter II of the Data Act. In practice, data holders would rarely be able to make such determination. That would leave data holders caught between a rock and a hard place as sharing the data without a reliable GDPR legal basis could create a risk of GDPR sanctions — whereas a refusal to provide the data might infringe the Data Act.
It is welcome news for business and other organizations that the Commission is trying to solve this dilemma by proposing the third sentence be added to Article 4(1) of the GDPR.
Why it matters
Against this backdrop, it seems clear that the third proposed new sentence would have a practical effect if it were to make it into the final version of the Digital Omnibus Regulation. But what about the first two newly proposed sentences that only summarize existing CJEU case law or reflect Recital 26 of the GDPR? It seems the Commission sees a risk that CJEU case law and Recital 26 could continue to be misunderstood or neglected, as has happened in recent years with other CJEU rulings on the concept of personal data. To ensure a consistent interpretation of what is personal data — and an equally consistent enforcement of the GDPR and other EU digital regulations by supervisory authorities and courts — the Commission apparently deems it necessary to state the obvious, in other words, to codify CJEU case law and to move the current Recital 26 in part into the main body of the GDPR.
Going forward, it will become a real option for organizations to apply the relative concept of personal data way beyond pseudonymization. Although the CJEU has pursued a relative approach for a decade, arguing that identifiers like IP addresses or vehicle identification numbers were not personal data in the individual case has, until now, carried a considerable risk of sanctions by supervisory authorities. The clear statements of the CJEU in the SRB ruling will likely force supervisory authorities to change course and embrace a relative concept of personal data. The Commission's proposed changes to Article 4(1) GDPR now constitute the final nail in the coffin of the absolute concept of personal data — even if the proposed wording will see some changes in the legislative process ahead.
This is good news for companies and organizations.
