EU drops plan to revise definition of personal data in GDPR review

European Union governments have decided to withdraw a proposal that would have revised the definition of personal data under the General Data Protection Regulation (GDPR). The change had been part of a broader legislative review, sometimes referred to as an omnibus package, but faced resistance from data protection regulators and civil society organisations.

The GDPR, which has applied across the EU since 2018, defines personal data as any information relating to an identified or identifiable individual. This definition is central to determining when privacy protections apply. Reopening it would have raised questions about the scope of existing safeguards and potentially altered how organisations handle personal information.

By removing the proposed revision, member states have signalled a preference for maintaining the current legal framework rather than revisiting foundational concepts. Instead of amending the regulation itself, attention is shifting to interpretative guidance.

In particular, the European Data Protection Board (EDPB), which coordinates national data protection authorities, is preparing updated guidelines on pseudonymisation. Pseudonymisation refers to processing personal data in a way that reduces the link to an identifiable individual, while still allowing certain uses. The forthcoming guidance is expected to clarify how organisations should apply this technique in practice and how it fits within the GDPR’s requirements.

The compromise text also keeps the discussion connected to the ongoing review of the ePrivacy Directive, which regulates privacy in electronic communications. This alignment suggests that any future updates to EU privacy rules will seek consistency across different legal instruments.