The European Data Protection Board¹ (EDPB) and the European Data Protection Supervisor² (EDPS) adopted on 10 February 2026 a joint opinion (Joint Opinion 2/2026³) on the European Commission’s Digital Omnibus initiative (described by the Commission as “a set of technical amendments to a large corpus of digital legislation, selected to bring immediate relief to businesses, public administrations, and citizens alike, and to stimulate competitiveness”).

Although both bodies welcome (and largely endorse) the Commission’s proposals set out in the initiative (subject to certain caveats), the opinion expresses marked unease with the proposed approach to redefining personal data, which would be recalibrated to align with the CJEU’s most recent interpretation of the concept [Case C-413/23 (EDPS v SRB)⁴].

In this decision, the CJEU’s introduces a more “relative” approach to the concept of personal data, holding that pseudonymized data do not necessarily qualify as personal data in all circumstances. Instead, the assessment must be made from the perspective of the specific recipient and the actual, lawful means available to them for re-identification.

While the Court confirmed that the obligation to inform data subjects must be assessed at the time of collection and from the perspective of the original controller, it also clarified that pseudonymized data may fall outside the scope of personal data for a recipient who lacks realistic means of re-identification. In practice, this does not remove the need for a lawful basis when transferring data, but it does mean that where re-identification is merely theoretical, the non-personal character of the data from the recipient’s perspective should weigh in favor of permitting the disclosure, particularly where the transfer relies on legitimate interests.

With this in mind, the Commission’s proposal under the Digital Omnibus initiative is to add a new paragraph to article 4(1) of the GDPR, which would read as follows:

“Information relating to a natural person is not necessarily personal data for every other person or entity, merely because another entity can identify that natural person. Information shall not be personal for a given entity where that entity cannot identify the natural person to whom the information relates, taking into account the means reasonably likely to be used by that entity. Such information does not become personal for that entity merely because a potential subsequent recipient has means reasonably likely to be used to identify the natural person to whom the information relates.”⁵

In the eyes of both the EDPB and the EDPS, the Commission’s proposal risks reducing the material scope of the GDPR by narrowing the notion of personal data beyond the limits recognized in Case C-413/23 (EDPS v SRB), which in fact confirms a much broader definition of personal data, and, in doing so, overlooking earlier rulings that have consistently endorsed a broad interpretation of identifiability.

They argue that data should not be considered non-personal simply because only a later recipient (rather than the current holder) has the means to identify the individual concerned. In this regard, they recall that the CJEU stated in that decision that “impersonal data may become personal in nature when they are put at the disposal of a recipient (any recipient) with means reasonably likely to be used to identify a data subject,”⁶ and note that this statement is made without limiting its scope to a specific context of “making available” or data transfer.

However, such a reading does not adequately reflect the Court’s reasoning considered in its entirety, nor is it consistent with the structure and nuances of its broader jurisprudence on the concept of identifiability.

In EDPS v SRB, the Court expressly rejected the idea that pseudonymized data are personal data “in all cases and for every person.”⁷ It made clear that the qualification of data as personal depends on whether the individual is identifiable by the specific recipient, taking into account the means reasonably likely to be used in practice.

This ruling reflects the Court’s long-standing, contextual and entity-based approach to identifiability.⁸ Seen in this light, the argument that the Omnibus proposal selectively codifies a single element from a single judgment is unpersuasive.

If the wording of the proposal, particularly its final sentence, which states that “Such information does not become personal for that entity merely because a potential subsequent recipient has means reasonably likely to be used to identify the natural person to whom the information relates,” gives rise to uncertainty and could indeed adversely affect the fundamental right to data protection, as mentioned by the authorities, this concerns the formulation rather than the substance of the reform, and (in our view), it does not warrant setting aside the proposal in its entirety.

However, the authorities’ criticism of the Commission’s emphasis on “identification” highlights an important issue: a narrow focus on identification may not fully capture situations where individuals can still be singled out in practice through persistent identifiers. In such cases, even where a person cannot be re-identified by name, a persistent or unique identifier may nonetheless enable that person to be singled out and acted upon (for example through tracking, profiling, or targeted decisions).

Any “contextual” recalibration of the concept of personal data could therefore usefully avoid suggesting a strict binary relationship between “identified” and “anonymous” and explicitly address situations in which a controller may remain responsible even where the individual is not directly identified. One way to do so would be to reflect the notion of “singling out” referred to in Recital 26 of the GDPR. Under such an approach, responsibility could still arise where individuals are indirectly identifiable (for instance because they can be singled out, influenced, or otherwise affected), even in the absence of direct identification. This would help ensure that the practical effectiveness of EU data protection safeguards is maintained.

In our view, a revision incorporating a contextual assessment of identifiability could be considered, without calling into question the fundamental scope of European data protection legislation. We will follow very closely whether the concept (and its definition) evolves in practice, and whether the Commission explicitly addresses these issues in the legislative text.

---

[1] The European Data Protection Board is an independent European body with legal personality. It ensures that the General Data Protection Regulation and the Law Enforcement Directive are applied consistently and ensures cooperation, including on enforcement. It is composed of the heads of the national data protection authorities (Supervisory Authorities) of the countries in the European Economic Area, as well as the European Data Protection Supervisor (EDPS).

[2] The European Data Protection Supervisor (EDPS) is the independent supervisory authority responsible for monitoring data protection and privacy within European Union (EU) institutions, bodies, offices, and agencies.

[3] Accessible here: https://www.edpb.europa.eu/system/files/2026-02/edpb_edps_jointopinion_202602_digitalomnibus_en.pdf

[4] Accessible here: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:62023CJ0413

[5] See EDPB-EDPS joint Opinion 2/2026, paragraph 11.

[6] See EDPS v SRB judgment, paragraphs 84 and 85, redrafted by EDPB-EDPS joint Opinion 2/2026, paragraph 16.

[7] See EDPS v SRB judgment, paragraph 86.

[8] See Breyer judgment, paragraph 49; Nowak judgment, paragraph 31; Scania judgment, paragraph 48; IAB Europe judgment, paragraph 40; OLAF judgment, paragraph 51.