European data protection authorities are signaling a potential showdown with the European Commission over proposed updates to data privacy rules, with a key focus on how strictly to define “personal data.” The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) published their Joint Opinion on the Digital Omnibus Proposal, offering a clear signal of where legislative debate will likely intensify.
For organizations, this Joint Opinion provides valuable insight into potential amendments and underscores the importance of maintaining robust compliance frameworks while the legislative process unfolds.
Avoiding ‘Loopholes’ in Identifying Individuals
A central point of contention is the Proposal’s attempt to define personal data by whether the entity holding it can *reasonably* identify an individual. The proposed wording draws on the CJEU’s judgment on appeal in EDPS v Single Resolution Board (C-413/23 P). Under the proposed text, information would not be personal data in the hands of an entity that lacks the means to identify the individual.
The EDPB and EDPS strongly object, emphasizing that the definition of personal data is “at the very core of EU data protection law.” They criticize the Proposal for focusing on a single aspect of the CJEU’s ruling while ignoring broader legal precedent. They argue that data can become personal when disclosed to *anyone* capable of identification, potentially implicating both the recipient and the original disclosing entity.
The EDPB is preparing updated guidance on pseudonymisation and anonymisation, which it considers the more appropriate avenue for addressing the complexities raised by the EDPS v SRB judgment than amending the core definition of personal data. Organizations should therefore continue to rely on existing GDPR-based identifiability assessments for now.
Defining the Boundaries of ‘Revenge’ Data Requests
The Digital Omnibus Proposal also aimed to provide more flexibility in handling data subject access requests (DSARs) perceived as malicious or retaliatory—often called “revenge” DSARs. The EDPB and EDPS are taking a cautious stance, arguing it’s problematic to link concepts like “abuse” or “revenge” to legitimate requests for data access. They reiterate that the right to access data under the GDPR isn’t limited to verifying legal compliance and can be exercised for broader, legitimate purposes.
Instead, the authorities recommend focusing on demonstrable abusive *intent*, such as a clear intention to cause harm. They also oppose automatically dismissing “overly broad” requests as excessive, insisting any refusal must be objectively justified, thoroughly documented, and offer the data subject an opportunity to clarify their request. This signals that organizations will continue to face strict evidentiary standards when considering refusing DSARs.
AI and Legitimate Interest: A Balancing Act
The Proposal recognized the potential for legitimate interest to justify the development and operation of artificial intelligence (AI) models. The EDPB and EDPS insist this must remain firmly grounded in Article 6(1)(f) GDPR, which requires a strict balancing test.
They specifically call for clear and proactive communication to data subjects about their “unconditional right to object” to AI processing, ideally *before* processing begins, acknowledging the technical difficulties of removing personal data once it’s embedded in AI systems. They also request a clearer definition of the scope of this right. Furthermore, transparency measures used to justify legitimate interest must exceed the standard requirements of Articles 13 and 14 GDPR and shouldn’t simply be a matter of existing compliance.
This suggests that AI development relying on legitimate interest will continue to face heightened scrutiny, requiring robust documentation and strengthened rights-management frameworks.
Streamlining Breach Notifications
One area where the EDPB and EDPS express support is the Proposal’s suggestion to raise the notification threshold in Article 33(1) GDPR. Today a controller must notify the supervisory authority of a personal data breach unless the breach is unlikely to result in a risk to individuals’ rights and freedoms; the Proposal would require notification only where a breach is likely to result in a “high risk”. The authorities believe this change won’t substantially affect the level of data protection while significantly reducing the administrative burden on organizations, offering welcome procedural relief.
Looking Ahead
The Joint Opinion confirms the Digital Omnibus Proposal will be subject to rigorous review. While the supervisory authorities support the goal of simplification, they emphasize the importance of upholding core GDPR principles and safeguards. Organizations should closely monitor these developments and maintain robust compliance frameworks as the legislative process progresses.
