Digital Omnibus: Council Pushes Back on Redefining “Personal Data”

GDPRBusinessesonline businessEnglishdigital services
Written By Ana-Maria Drăgănuță Briard

The Digital Omnibus negotiations continue to evolve in the Council of the European Union, and the most recent development is significant even at this early stage. On 20 February 2026, the Cypriot Presidency circulated a compromise text ahead of the Antici (Simplification) discussions. In that draft, Member States have removed the amended definition of “personal data” that the European Commission proposed last November.

The Commission had aimed to update the GDPR’s definition so that data would only be “personal” for an entity if that specific entity could reasonably identify an individual from the data it holds, a shift intended to reflect recent CJEU case law and address how pseudonymised data is treated.

The Council’s draft removed this language.

Instead of embedding a relative, entity-specific definition in Article 4(1) GDPR, the Council text keeps the existing definition and appears to defer interpretive work to guidance bodies (e.g., the EDPB) rather than changing the law itself.

This aligns with the joint opinion of the European Data Protection Board and the European Data Protection Supervisor, which welcomed simplification in principle but urged co-legislators not to adopt the proposed definition changes, as they “go far beyond a targeted amendment” and risk narrowing the scope of the GDPR.

What This Means Practically

  • No redefinition of personal data yet: The Council’s compromise text drops the revised definition. If this carries through negotiations, the GDPR’s current scope remains intact for now.

  • Guidance over legislation: Rather than rewriting core GDPR text, the Council draft signals a preference for interpretive guidance on identifiability and pseudonymisation.

  • Other Omnibus changes still on the table: The Digital Omnibus still includes practical amendments (breach reporting templates, DPIA lists, cookie/ePrivacy alignment, AI/legitimate interest clarifications) that could move forward independently of the definition issue.

For organisations, this means that a core structural change under the GDPR has not yet been agreed, and reliance on a narrowed “personal data” scope is premature. Instead, businesses should look at the Omnibus’ operational adjustments that are more likely to survive negotiation and impact compliance routines.

Bottom Line

The Council’s leaked compromise text is an early signal that Member States are not ready to rewrite the GDPR’s definition of personal data as the Commission initially proposed. Whether this holds through the legislative process remains to be seen, but for now, the focus shifts back to how the EU’s data protection framework functions in practice.

The content of this article is general information, not tailored legal advice for your specific situation. It has a strictly informative and general purpose; the information contained does not constitute legal advice.

Every business is different. For personalised consultancy, schedule a consultation call or write to us directly at 📧 anamaria@legallyremote.online.

Ana-Maria Drăgănuță Briard
Next

Why your Articles of Association and Shareholders Agreement must speak the same language