According to a leaked draft of the EU member states' decision on the European Commission's Digital Omnibus to reform the EU's digital rulebook, the Council of the European Union eliminates the proposed new definition of "personal data" under the EU General Data Protection Regulation.  

The draft, obtained by both Euractiv and Politico, is dated 20 Feb., and is a compromise text circulated by the Cypriot presidency of the council. Politico reported the text is expected to be addressed at the 27 Feb. meeting of member state diplomats.   

When the European Commission originally released the Omnibus' text in November 2025, it said part of its motivation was to reform the definition of personal data that is pseudonymized. The Commission said doing so would take into account the Court of Justice of the European Union's ruling in the EU Single Resolution Board v. European Data Protection Supervisor case in September of last year, in which the court affirmed that pseudonymized data can constitute as personal data under certain circumstances. 

The leak of the council's draft reflects a wholesale removal the modified definition, which sought to add a paragraph to Article 4(1) of the GDPR that would have read, "Information relating to a natural person is not necessarily personal data for every other person or entity, merely because another entity can identify that natural person. Information shall not be personal for a given entity where that entity cannot identify the natural person to whom the information relates, taking into account the means reasonably likely to be used by that entity. Such information does not become personal for that entity merely because a potential subsequent recipient has means reasonably likely to be used to identify the natural person to whom the information relates."

The council's pushback comes mere weeks after the European Data Protection Board and European Data Protection Supervisor issued a joint opinion generally favoring of the Commission's aims in the Digital Omnibus, but was also critical of the proposal to change the definition personal data. 

Per the joint opinion, the EDPB and EDPS recommend the definition of personal data "should say what personal data is, instead of what it is not" and avoid the current "negative" that "is likely to increase legal uncertainty."

The opinion also noted the amended definition would impact how pseudonymized data is treated under the GDPR. The EDPB and EDPS indicated the Commission "should not be entrusted to decide by an implementing act what is no longer personal data after pseudonymisation as it directly affects the scope of application of EU data protection law," as the EDPB is currently working on finalizing updates to its guide on pseudonymized data after a draft was released in January 2025.

The council's compromise text also removes that language from the Digital Omnibus that would have enabled the Commission to issue subsequent implementing acts upon passage of the Omnibus and instead acknowledges the EDPB's work on updating its guide on pseudonymized data 

European Digital Rights Policy Advisor Itxaso Domínguez de Olazábal posted on LinkedIn that the Commission's proposed change "would have made it easier for actors in complex processing chains to argue that data is 'not personal' from their perspective."

"Commission framed these changes as 'simplification,'" Domínguez de Olazábal wrote. "But when you look at the red lines in this Council draft, you see something else: Member States are recognising that you cannot casually recalibrate fundamental rights law in the name of efficiency."

Alex LaCasse is a staff writer at the IAPP.