Europe’s approach to governing the digital economy has often arrived in waves, and the General Data Protection Regulation was the one that reshaped the shoreline. Since GDPR took effect, companies have treated “personal data” as the central fault line for compliance, litigation risk and cross-border data strategy.
Now, as the European Union tightens platform rules under laws such as the Digital Services Act and broadens its “digital rulebook,” the European Commission is also proposing to revisit the definitional core of GDPR itself, signaling that the next phase of regulation may focus less on expanding obligations than on clarifying where they begin and end.
A new Foley & Lardner analysis describes a draft “Digital Omnibus Regulation,” introduced by the European Commission on Nov. 19, that aims to simplify and consolidate elements of the EU’s digital-law stack while making a consequential adjustment to the GDPR definition of personal data in Article 4(1). The proposal would add three sentences intended to reinforce a principle that often appears in GDPR recitals and EU court interpretation but is not always reflected in day-to-day contracting: whether information is “personal data” can depend on the entity holding and processing it, and on the realistic means that entity could use to identify a person.
The first proposed sentence, as summarized by Foley & Lardner, would make explicit that information about a natural person is not automatically personal data for every entity simply because someone else, somewhere, could identify the individual. Instead, the key question is whether the specific controller or processor can identify the data subject. The second addition would anchor the analysis in practical capability, stating that information is not personal for an entity that cannot identify the individual when considering the means “reasonably likely” to be used by that entity.
In Foley & Lardner’s framing, that could re-balance how companies treat pseudonymized datasets and contractual limits on re-identification, potentially narrowing scenarios in which organizations assume GDPR duties attach regardless of context. The third sentence would reinforce a “holder-specific” view: if an entity cannot identify an individual but later transfers the data to a recipient that can, the information may be non-personal for the sender and personal for the recipient.
The practical effect, per Foley & Lardner, is that, “if an entity cannot identify a data subject based on the information it has… the information is not personal data for the first entity.”
Related: EU Trade Commissioner Warns Against Weakening Tech Rules Under US Pressure
The implications for the digital economy extend beyond privacy law in isolation. Foley & Lardner notes that the scope of “personal data” is not only a boundary for GDPR compliance but also has knock-on effects across the EU’s expanding digital framework, including newer regimes such as the Artificial Intelligence Act and the Data Act. For businesses, clearer demarcation between personal, pseudonymized and effectively non-identifiable information could reduce compliance friction in routine data transfers, especially in environments where multiple parties touch the same dataset but do not share the keys or auxiliary information needed to re-identify individuals.
That matters in practice because the EU’s broader ruleset—DSA included—pushes platforms and service providers toward more documentation, more audits and more structured risk management. If the Omnibus proposal ultimately narrows when data must be treated as “personal” for a given entity, some firms could redirect privacy and governance resources toward higher-risk processing, rather than expending effort on datasets that cannot reasonably be tied to an individual in their hands.
Foley & Lardner also points to a potentially significant downstream effect for international data strategy and AI development: if recipients cannot reasonably identify individuals, anonymized or pseudonymized information could, in some cases, be used with fewer restrictions, including for training AI systems, and might be exported outside the EU without the same reliance on standard contractual clauses and related measures—provided the importer remains unable to identify the person. The direction is consistent with an EU regulatory posture that increasingly treats definitions and scope as policy tools.
For companies operating across Europe’s rules-heavy digital economy, that means the next compliance battleground may not be a new obligation, but the fine print that determines when existing obligations apply.
