Recital 26, the Digital Omnibus, and why deidentification statements are becoming inevitable

If Ella Fitzgerald and Louis Armstrong were singing about EU data law today, their famous tomatoes-and-potatoes duet might need a new bridge.

"You say anonymization, I say deidentification."

"You say personal data, I say not for me."

"Let's not call the whole thing off — but let's stop borrowing each other's keys."

In a previous article, we explored how anonymization remains the high note of the EU General Data Protection Regulation world: rare, demanding and binary. Either the melody can no longer be traced back to a person, or it can. Most datasets that claim to be anonymized are, in reality, something more modest and far more common: pseudonymized — also known as deidentified. They are still playing the same tune, just behind a curtain.

That distinction mattered because the GDPR has, until now, treated personal data as a yes-or-no proposition. There has been no "mostly anonymous" refrain, no comfortable middle ground. And for years, that rigidity was justified by a single, deceptively compact provision: Recital 26.

Recital 26 has always set the tempo. It makes clear that data protection does not hinge on theoretical possibilities — whether, given unlimited time, resources, and technology, someone somewhere could reidentify a person — but on whether an individual is identifiable or can be singled out by means reasonably likely to be used, taking into account cost, time, technology and purpose.

The recital — and remember, recitals are not binding but provide strong, example-based color on the original legislative intent — embeds a contextual, risk-based and fundamentally relative concept of personal data into the GDPR's DNA. The Court of Justice of the European Union has been faithfully riffing on that theme for more than a decade, spanning decisions from Breyer v. Bundesrepublik Deutschland to EDPS v. Single Resolution Board.