European data protection authorities express serious concerns about proposed changes to personal data definitions in the Digital Omnibus regulation.
Concerns About Proposed Changes
The European Data Protection Board and European Data Protection Supervisor have focused their opinion on aspects related to GDPR. According to these institutions, some proposed changes raise serious concerns as they could negatively affect the level of protection for individuals, create legal uncertainty and hinder the application of personal data protection law.
Changes to Personal Data Definition
Under current GDPR regulations, personal data refers to any information about an identified or identifiable natural person. The new proposal would define personal data as only those information that can be directly linked to a person.
According to the Digital Omnibus proposal, data status would be determined from the administrator’s perspective, considering the identification measures that are reasonably likely to be available to them. If such measures are not available, information should not be treated as personal data by the administrator, even if other entities could perform identification.
Pseudonymized Data Concerns
The Digital Omnibus would also allow pseudonymized data to be considered non-personal data in certain situations.
Opposition from Authorities
In their letter, EROD and EIOD “strongly call on co-legislators not to accept the proposed changes in the definition of personal data, as they go far beyond a purposeful or technical amendment to GDPR. Furthermore, they do not accurately reflect the case law of the Court of Justice of the EU and clearly exceed its scope, which would significantly narrow the concept of personal data.”
“The European Commission should not have the power to decide by an implementing act what is no longer personal data after pseudonymization, as this directly affects the scope of application of EU data protection law,” the opinion states.
Statements from Leadership
According to EROD Chair Anu Talus, “simplification is necessary to reduce bureaucracy and strengthen the competitiveness of the EU, but it cannot come at the expense of fundamental rights.”
“We strongly appeal to co-legislators not to accept the proposed changes in the definition of personal data. These changes are not consistent with the case law of the Court of Justice of the European Union and would significantly narrow the concept of personal data. We must ensure that any changes to GDPR and EUDPR actually clarify obligations and provide legal certainty, while maintaining trust and a high level of protection of rights and freedoms of the individual,” assessed European Data Protection Supervisor Wojciech Wiewiórowski.