EU Council Rejects Redefined ‘Personal Data’ Classification

The Council of the European Union has formally rejected a proposal from the European Commission aimed at redefining ‘personal data,’ a move that has drawn cautious commendation from stakeholders in data protection, including Paul Nemitz, a key architect of the General Data Protection Regulation (GDPR). This proposal, part of a broader “Digital Omnibus” initiative introduced in late 2025, sought to amend existing laws to facilitate data-sharing and thereby enhance economic competitiveness.
In early February, European data protection regulators had already expressed their opposition to the amendments, underscoring concerns that a redefinition of personal data would significantly compromise individual data protections (see: EU Privacy Watchdogs Critique Digital Omnibus).
The Council’s decision to reject the Commission’s proposal came as a relief for those advocating for stringent data protection measures. As reported by Euractiv, the Council’s compromise text does not include the contested redefinition, preserving the existing framework that defines personal data. Nemitz indicated that the rejection aligns with recommendations previously set forth by the European Data Protection Board.
The initial proposal aimed to exclude certain types of data from the ‘personal data’ classification if they could not be directly linked to identifiable individuals, even if subsequently sold to third parties capable of making such connections. Critics argued that this would weaken individual data rights and privacy protections.
While Nemitz acknowledged the Council’s stance as encouraging, he expressed concerns regarding other elements of the Digital Omnibus text. Specifically, he criticized the omission of an article that would have permitted the Commission to establish criteria for recognizing pseudonymized data as non-personal for specific entities, arguing that this runs contrary to GDPR’s foundational premise.
Furthermore, Nemitz cautioned against allowing artificial intelligence firms to cite “legitimate interests” as a legal basis for training models on personal data. He noted that this approach, if codified, would favor major tech entities and compromise individual rights through potential exploitation of detailed personal profiles.
As the debate progresses, the European Parliament has yet to declare its position on the Digital Omnibus. Recent assessments have indicated that the proposals may dilute uniform data protection across member states. The Commission’s limited stakeholder engagement and the absence of thorough impact assessments have raised further questions about the transparency and accountability of the reform process.
With the ongoing scrutiny of data governance frameworks, organizations must remain vigilant regarding developments that may influence their data handling practices. As this situation unfolds, businesses can draw lessons on the complexities inherent in balancing technological advancement with the imperative for robust cybersecurity measures.