EU Digital Omnibus: What the proposed changes to the concept of personal data mean in practice

On 19 Nov., the European Commission published a draft regulation to simplify and consolidate various digital EU laws, the so-called Digital Omnibus Regulation. One of the most consequential proposed changes relates to the definition of personal data in Article 4(1) of the EU General Data Protection Regulation. The concept of what is personal data not only defines the scope of application of the GDPR but also has practical implications for other legal acts of the EU Digital Rulebook such as the Artificial Intelligence Act or the Data Act. 

Not much new under the sun

While the European Commission aims to leave the existing definition in Article 4(1) unaltered, it suggested adding three new sentences at the end of the clause. Although some actors decried this as significantly restricting the scope of application of the GDPR, none of the proposed wording for Article 4(1) is novel. Rather, the proposal reflects (in part long-standing) case law of the Court of Justice of the European Union. Moreover, it implants an often-overlooked principle already contained in Recital 26, sentence 3, of the GDPR into the definition of personal data. 

Let’s have a closer look at the wording proposed by the Commission to be added to Article 4(1) GDPR:

First proposed new sentence: "Information relating to a natural person is not necessarily personal data for every other person or entity, merely because another entity can identify that natural person."