The EU Digital Omnibus Regulation impact on the GDPR's Definition of Personal Data

On November 19, the European Commission introduced a draft regulation known as the Digital Omnibus Regulation (Omnibus Regulation), aimed at simplifying and consolidating various digital laws within the EU. One of the most significant proposed changes is with respect to the definition of personal data in Article 4(1) of the EU General Data Protection Regulation (GDPR).
The current draft of the Omnibus Regulation proposes to add three sentences to the definition of personal data under the GDPR. These sentences reinforce principles already contained in the Recitals to the GDPR, as well as jurisprudence from the Court of Justice of the European Union as to what is not personal information under the GDPR (and is therefore out of the scope of the GDPR).
The three proposed additional sentences are:
- “Information relating to a natural person is not necessarily personal data for every other person or entity, merely because another entity can identify that natural person.” This change makes it clear that it is not sufficient that someone, somewhere, on the entire planet Earth is able to identify the data subject for information to be deemed personal data. Instead, information is only personal data if the entity actually processing the personal information (controller or processor) can identify the data subject. What other people may be able to do to identify an individual is not relevant.
- “Information shall not be personal for a given entity where that entity cannot identify the natural person to whom the information relates, taking into account the means reasonably likely to be used by that entity.” This sentence naturally flows from the first addition and simply says that whether information is personal data is based on the other information the entity is likely to have and other means that the entity is reasonably likely to use. In other words, information is not personal data just because the entity could go to extreme measures to identify the individual. Instead, it is personal data only if the entity processing the information has the means to access the additional information and is reasonably likely to use those means. It is yet to be seen how far this will go, but it may mean that contractual limitations could be sufficient. For example, if an entity pseudonymizes personal data and is contractually prohibited from providing the key or other information to re-identify, a party receiving the pseudonymized data may be able to consider it non-personal information. Notably, this concept was always part of GDPR as disclosed in Recital 26, but often ignored by contracting parties in data protection and similar agreements.
- “Such information does not become personal for that entity merely because a potential subsequent recipient has means reasonably likely to be used to identify the natural person to whom the information relates.” This is another change that makes it clear that personal data is in the proverbial “eye of the beholder” (or should we say eye of the data holder). Simply put, if an entity cannot identify a data subject based on the information it has, but gives the information to a third party that can, the information is not personal data for the first entity, but is personal data for the receiving entity. It implies that personal data may go from personal data to just non-personal information and back, depending on who has it.
Impact on Businesses
While the changes largely reiterate what the GDPR already says in the recitals, the proposed changes, if adopted, are still likely to have an impact on contractual negotiations between data transmitters and data recipients that would otherwise be subject to GDPR. While many organizations have claimed that appropriately anonymized or pseudonymized information is still personal data in the hands of any recipient (even though such a view is contrary to the recitals), this language would make it clear that this information may not be personal data if the recipient cannot identify the data subject and doesn’t have reasonable means or access to information that would make such identification possible. And if an information holder passes non-personal data on to someone who could re-identify the information so that it is personal data, it is still not personal data to the entity sending it.
In effect, the changes, if adopted, make it clear that organizations that cannot reasonably use anonymized or pseudonymized information to identify an individual have lower obligations with respect to that information than the obligations required for personal data under GDPR. This may help reduce the need to expend limited resources on what may now be clearly non-personal data.
If the changes are adopted, they may also have longer-reaching effects, as they imply that anonymized or pseudonymized information (assuming the recipient cannot reasonably identify an individual) can potentially be used without restrictions (such as for training AI) or even exported outside the EU without the need for standard contractual clauses or other data protection measures if the data importer is still unable to identify an individual.
On 19 Nov., the European Commission published a draft regulation to simplify and consolidate various digital EU laws, the so-called Digital Omnibus Regulation. One of the most consequential proposed changes relates to the definition of personal data in Article 4(1) of the EU General Data Protection Regulation. The concept of what is personal data not only defines the scope of application of the GDPR but also has practical implications for other legal acts of the EU Digital Rulebook such as the Artificial Intelligence Act or the Data Act.