<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0" xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd" xmlns:googleplay="http://www.google.com/schemas/play-podcasts/1.0"><channel><title><![CDATA[Dr Mark R Leiser]]></title><description><![CDATA[Law and Tech, not necessarily in that order.]]></description><link>https://digidata.substack.com</link><image><url>https://substackcdn.com/image/fetch/$s_!OKoG!,w_256,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F921709a1-dc8a-4415-a572-3707019725c9_1080x1350.jpeg</url><title>Dr Mark R Leiser</title><link>https://digidata.substack.com</link></image><generator>Substack</generator><lastBuildDate>Sun, 31 May 2026 19:07:25 GMT</lastBuildDate><atom:link href="https://digidata.substack.com/feed" rel="self" type="application/rss+xml"/><copyright><![CDATA[Dr Mark R Leiser]]></copyright><language><![CDATA[en]]></language><webMaster><![CDATA[digidata@substack.com]]></webMaster><itunes:owner><itunes:email><![CDATA[digidata@substack.com]]></itunes:email><itunes:name><![CDATA[Dr Mark R Leiser]]></itunes:name></itunes:owner><itunes:author><![CDATA[Dr Mark R Leiser]]></itunes:author><googleplay:owner><![CDATA[digidata@substack.com]]></googleplay:owner><googleplay:email><![CDATA[digidata@substack.com]]></googleplay:email><googleplay:author><![CDATA[Dr Mark R Leiser]]></googleplay:author><itunes:block><![CDATA[Yes]]></itunes:block><item><title><![CDATA[Regulating the Regulator]]></title><description><![CDATA[What the Digital Omnibus Compromise Really Says About Innovation]]></description><link>https://digidata.substack.com/p/regulating-the-regulator</link><guid isPermaLink="false">https://digidata.substack.com/p/regulating-the-regulator</guid><dc:creator><![CDATA[Dr Mark R Leiser]]></dc:creator><pubDate>Fri, 29 May 2026 
08:37:17 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!3hLU!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd9ee3852-ac16-4440-b269-10b345af5794_902x526.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p><em>In this post, I argue that the Digital Omnibus should not be read as a crude attempt to weaken the GDPR, but as a necessary attempt to restore discipline to the legal threshold at which the GDPR begins to apply. The real issue is not whether Europe values privacy, but whether the EDPB and supervisory ecosystem should continue to shape the outer perimeter of data protection law through guidance, enforcement posture, and cumulative interpretation, rather than through a clear legislative settlement.</em></p><p>There is a familiar choreography in European data protection politics, and it usually begins with someone proposing a modest clarification to the GDPR before someone else solemnly announces that fundamental rights are about to be lowered into the nearest canal. The choreography is effective because it invites everyone to debate privacy in the abstract, rather than ask the more uncomfortable institutional question that sits underneath the Digital Omnibus: who decides when the GDPR applies, and how much discretion should supervisory authorities retain when that threshold determines whether research, AI development, data sharing and ordinary digital services can operate with predictable legal risk?</p><p style="text-align: justify;">My objection to the current direction of travel has never been that the GDPR should be hollowed out, nor that privacy should be made subordinate to innovation whenever someone in a hoodie says the word &#8220;model&#8221;. 
I object that the European Data Protection Board and its supervisory ecosystem have, through guidance, opinions, and enforcement posture, steadily expanded the practical perimeter of EU data protection law beyond what legal certainty, proportionality, and institutional balance can sustain. That is not a complaint about regulators doing their job; it is a complaint about regulators treating the boundary of their own jurisdiction as a matter for regulatory interpretation rather than legislative settlement.</p><p style="text-align: justify;">The Commission&#8217;s original move in the Digital Omnibus should be read in that light, because the point was not deregulation but discipline, and the target was not the right to data protection but the accumulated scope creep that makes compliance increasingly difficult to price before a project begins. The Commission attempted to restore balance by clarifying trigger logic, actor-relative identifiability, pseudonymisation, scientific research, AI development, terminal-equipment access and automated decision-making, while placing parts of the Board&#8217;s perimeter-setting role within a more controlled institutional frame. 
In other words, the Commission was regulating the regulator, which explains why the reaction from the data protection establishment has been so revealing.</p><div class="captioned-image-container"><figure><img src="https://substackcdn.com/image/fetch/$s_!3hLU!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd9ee3852-ac16-4440-b269-10b345af5794_902x526.png" width="902" height="526" alt=""></figure></div><p style="text-align: justify;">The definition of personal data is the constitutional hinge of the EU digital acquis, because almost every subsequent obligation turns on the moment at which information becomes legally attributable to an identified or identifiable natural person. Once that trigger fires, the full GDPR architecture follows: lawful basis, transparency, rights, security, transfers, accountability, breach notification, DPIAs, and, in many cases, a supervisory dialogue that no innovation team can safely ignore. A definition that is broad enough to catch real power over individuals can still be disciplined enough to exclude purely hypothetical identifiability. 
That distinction is precisely where recent disputes over pseudonymised data have become so important.</p><p style="text-align: justify;">The Commission&#8217;s proposed Article 4 clarification captured a basic but often resisted proposition: information does not become personal data for every entity merely because some other entity, somewhere in the data chain, may have the means to identify the person. That proposition does not deny that pseudonymised data may be personal data, and it does not deny that singling out or linkage can matter; it simply insists that identifiability should be assessed <em>in concreto</em>, from the perspective of the actor whose obligations are being triggered, by reference to means reasonably likely to be used by that actor. That approach is not anti-rights because rights are not strengthened when legal triggers become unknowable.</p><p style="text-align: justify;">The <a href="https://www.linkedin.com/posts/luisalbertomontezuma_digital-omnibus-activity-7465035103824547841-xd0L/">Presidency compromise</a> retreats from that legislative settlement, and the retreat matters. The visible deletion of the Article 4 rewrite, combined with the new Article 29a route for an EDPB opinion on pseudonymisation, anonymisation and identifiability, moves the issue from hard legislative correction back into supervised interpretation. The compromise retains useful language about actual technical, organisational and legal capabilities, and it preserves the &#8220;means reasonably likely to be used&#8221; discipline. Still, the operative centre of gravity has shifted from a statutory perimeter to a Board-led articulation of that perimeter. 
For anyone concerned about EDPB scope creep, that is not a neutral drafting choice.</p><div class="captioned-image-container"><figure><img src="https://substackcdn.com/image/fetch/$s_!7C_Y!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1046e9d1-2ac9-4b8e-b952-ca2c985e516f_902x526.png" width="902" height="526" alt=""></figure></div><p style="text-align: justify;">This is where the innovation lens becomes indispensable, because trigger uncertainty does not merely inconvenience lawyers who enjoy writing memos with cautious footnotes. Trigger uncertainty changes product design, research design, investment sequencing, data-partnership architecture, model-training strategy, contractual allocation of risk, and firms&#8217; willingness to run European projects with European data. A dataset that has been pseudonymised, technically secured, contractually constrained and operationally separated from identification infrastructure can still become commercially awkward if every recipient must treat the Board&#8217;s next opinion as a latent expansion of the legal perimeter.</p><p style="text-align: justify;">The same institutional pattern appears elsewhere in the compromise. 
Recital 40a pushes national supervisory authorities to ensure that national guidance, recommendations and best practices do not contradict guidance issued by the Board, which may reduce fragmentation at the Member State level but also strengthens the Board&#8217;s gravitational pull over interpretation. Article 70 is amended so that the Board may further specify criteria and conditions for decisions based on profiling under Article 22, which may be helpful if guidance remains disciplined by the legislative text, but troubling if guidance becomes the practical site at which the scope of legal permission is narrowed after the legislature has spoken.</p><p style="text-align: justify;">This tension also appears in the scientific-research provisions, which are better understood as a warning sign than as a drafting curiosity. The compromise recognises methodology, autonomy, ethics, transparency, verifiability, and the contribution of research to society&#8217;s general knowledge and wellbeing. At the same time, the recitals still acknowledge that scientific research may occur in academic, industry, and other settings and may serve public, private, or commercial purposes. 
Yet the operative definition is more formal and potentially more contestable than an innovation-friendly reading of Recital 159 would require, which means that public-private research, industrial R&amp;D and model-development work may have to spend more time proving that they qualify as research before they can benefit from the safeguards-based flexibility that the GDPR already promised.</p><div class="captioned-image-container"><figure><img src="https://substackcdn.com/image/fetch/$s_!U2S8!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F53036ec2-b9fd-4104-85aa-afafc8889dd9_902x526.png" width="902" height="526" alt=""></figure></div><p style="text-align: justify;">The AI and special-category changes are more encouraging, although their usefulness depends on whether regulators apply them with restraint. The new derogation for incidental and residual special-category processing in AI development and operation recognises a reality that privacy lawyers have too often handled with doctrinal melodrama: large-scale training, testing and validation data may contain special-category traces that the controller neither sought nor needs for the processing. The sensible answer is not to convert Article 9 into a super-trigger that freezes the project, but to require avoidance measures, lifecycle controls, erasure where feasible, protection where erasure is disproportionate, and documentation that allows the controller&#8217;s safeguards to be tested.</p><p style="text-align: justify;">The biometric verification provision also deserves a more generous reception than it will probably receive from the usual suspects. 
The compromise distinguishes one-to-one verification from one-to-many identification. That distinction matters because authentication can reduce fraud, secure access, and support trustworthy digital services without creating the same population-scale surveillance risks as biometric identification systems. The safeguard that biometric data, or the means needed for verification, must remain under the sole control of the data subject is demanding. Yet the very fact that the text distinguishes verification from identification shows that the law can regulate risk more intelligently when it stops treating every technical process as its most invasive form.</p><p style="text-align: justify;">Article 22 is another example of that attempt to restore risk calibration, because the compromise clarifies that a solely automated decision may be permissible where the decision is necessary for the contract, authorised by law, or based on explicit consent, and where appropriate safeguards are in place. The clarification that contractual necessity is not defeated merely because a human could also take the decision is especially important, since a contrary rule would turn &#8220;necessity&#8221; into an anti-automation presumption rather than a proportionality assessment. The difficulty, once again, lies in whether the Board&#8217;s future profiling guidance will support that calibrated structure or re-inscribe a more restrictive supervisory preference through interpretive detail.</p><p style="text-align: justify;">The ePrivacy and terminal-equipment changes show both the promise and the fragility of the compromise. The text accepts that endless consent prompts have become a regulatory design failure, and it creates no-consent routes for transmission, explicitly requested services, anonymous aggregated audience measurement and security. 
The audience-measurement exception is sensible where the information is truly anonymous, aggregated, not combined with other service or third-party data, not shared, and not reused for another purpose. The security exception is equally defensible where access is strictly necessary for cybersecurity, the protection of personal data, privacy, or fraud prevention. These are exactly the sorts of low-risk or necessary operations that should never have been trapped in banner theatre.</p><div class="captioned-image-container"><figure><img src="https://substackcdn.com/image/fetch/$s_!xWjh!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F40877c36-2431-49e4-9274-9777d10f8985_902x526.png" width="902" height="526" alt=""></figure></div><p style="text-align: justify;">Yet the compromise also shows how easily simplification can become a new compliance industry. The contextual advertising language appears to have been struck down, even though genuinely contextual advertising, based on the immediate content of a page or query without profiling or retention, is precisely the kind of less-invasive advertising model that European law should encourage if it wants to reduce behavioural tracking. 
The new automated and machine-readable consent framework may improve user experience, but only if standards are neutral, granular, privacy-preserving, non-self-preferencing, and commercially workable; otherwise, Europe will replace cookie-banner theatre with standards theatre, browser politics, and a new layer of compliance uncertainty.</p><p style="text-align: justify;">The transition periods deepen that concern, because Article 88a would apply after six months, Article 88b duties and ePrivacy Article 5(3) national measures would operate on a 24-month horizon, and browser and operating-system obligations would take even longer to bite. A system that promises simplification in principle but postpones operational clarity through a chain of standards, Member State measures and future technical implementation cannot credibly claim to deliver immediate relief to innovators. The result may be a familiar European compromise: a good diagnosis, an over-institutionalised cure and enough transitional complexity to keep consultants comfortable for another legislative cycle.</p><p style="text-align: justify;">The broader point is that innovation policy cannot be built on regulatory benevolence, because firms, researchers and public bodies do not need regulators to be kind; they need the law to be sufficiently predictable that lawful projects can be designed without waiting for the next interpretive turn. Europe can protect fundamental rights and support innovation only if the rules identify real risks, allocate responsibility clearly and constrain discretion at the point where legal obligations attach. When the perimeter of the GDPR depends too heavily on supervisory interpretation, innovation becomes not merely regulated but structurally uncertain, and structural uncertainty is the most expensive form of regulation because nobody can calculate its final cost.</p><p style="text-align: justify;">That is why the Commission&#8217;s attempt to regulate the regulator should not be dismissed as a deregulatory provocation. It was a necessary response to a governance problem that has been politely misdescribed for too long as interpretive prudence. The EDPB has an indispensable role in ensuring consistency. Still, consistency is not the same as constitutional ownership of the GDPR&#8217;s trigger conditions, and the Board should not be allowed to preserve ambiguity where the legislature is trying to restore legal certainty. A regulator that interprets the law should not become the institution that decides, through cumulative guidance, how far its own jurisdiction extends.</p><p style="text-align: justify;">The final text should therefore recover the Commission&#8217;s central insight while preserving the compromise&#8217;s better safeguards. Actor-relative identifiability should be codified, not merely gestured at through recitals and future opinions. Pseudonymisation should remain a serious risk-reduction and governance tool, not a fiction and not a forbidden inference. Scientific research should include robust public-private and industry-led work in which methodology, integrity, and safeguards are in place. AI residual-data rules should prevent Article 9 from becoming a super-trigger for incidental traces. Biometric verification should remain distinct from biometric identification. ePrivacy reform should reduce pointless prompts rather than shifting transaction costs into standards politics.</p><p style="text-align: justify;">The Digital Omnibus will not decide whether Europe values privacy, because Europe plainly does and should. 
The more serious question is whether Europe can protect privacy through a legal architecture that is intelligible enough for innovators to use, researchers to trust, and regulators to enforce, without expanding their mandates by interpretation. The Commission understood that legal certainty is not the enemy of rights but one of their conditions, and the compromise should be judged by whether it preserves that insight or politely hands the perimeter back to the institutions whose scope creep made reform necessary.</p>]]></content:encoded></item><item><title><![CDATA[The Madrid Questions: Privacy and Data Protection Professionals After the Inference Economy]]></title><description><![CDATA[The problem is not old law versus new technology. It is stable law versus expanding uncertainty]]></description><link>https://digidata.substack.com/p/the-madrid-questions-privacy-and</link><guid isPermaLink="false">https://digidata.substack.com/p/the-madrid-questions-privacy-and</guid><dc:creator><![CDATA[Dr Mark R Leiser]]></dc:creator><pubDate>Mon, 11 May 2026 10:11:29 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!OKoG!,w_256,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F921709a1-dc8a-4415-a572-3707019725c9_1080x1350.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>At the wonderful APEP-IA conference in Madrid, I was asked whether the GDPR&#8217;s foundational concepts still provide enough legal certainty for AI development. My answer was not the familiar &#8220;old law, new technology&#8221; argument. The deeper problem, I suggested, is instability: concepts such as personal data, controllership, anonymisation, purpose limitation, and lawful basis are now being asked to do enormous regulatory work in settings where technical architectures, institutional roles, and downstream uses shift constantly. 
The conference provided exactly the right setting for that discussion: a serious, interdisciplinary forum in which legal doctrine, regulatory practice, and AI governance could be tested against each other rather than treated as separate conversations. This post develops the argument I began there and draws on the expanded lecture I have since recorded for YouTube, in which I explore why legal certainty for AI will not come from abandoning the GDPR, but from confronting the instability in its core concepts more honestly.</p><p>The Madrid questions put pressure on the part of EU digital law that is usually treated as settled. They ask whether the GDPR&#8217;s foundational concepts still provide enough legal certainty for AI development; whether the AI Act can be operationalised in a way that developers, deployers and regulators can actually use; and whether the Omnibus and Digital Fitness Check should be understood as rights-reducing simplification or as a more serious attempt to make the digital acquis work as a system.</p><p>My answer is that this is not a simple story of obsolete law being overtaken by new technology. That framing is attractive because it is easy. It lets one side say that the GDPR is no longer fit for purpose, and the other side say that any clarification is a deregulatory attack. Neither position is good enough.</p><p>The deeper problem is instability.</p><h2>When the trigger starts to wobble</h2><p>Take personal data. In principle, it is meant to operate as a threshold concept. It tells us when the GDPR is engaged. That matters because the whole legal architecture turns on it.
If the threshold is clear enough, actors can organise themselves around it. If the threshold becomes elastic and unpredictable, the law stops guiding conduct and starts producing defensive behaviour.</p><p>That is increasingly the risk in AI contexts. Pseudonymisation, identifiability, singling out, inference, downstream linkage and model training all place pressure on the boundary. The hard question is not whether data can ever become personal in a wider ecosystem. Of course it can. The hard question is whether the law can distinguish realistic identifiability from abstract possibility, and whether it can do so for the actor whose conduct is actually being assessed.</p><p>If organisations cannot determine with sufficient confidence whether particular information will be treated as personal data for a given actor in a given context, compliance becomes defensive overinclusion. That is not the same thing as good governance. It diverts effort from substantive risk into scope anxiety.</p><p>And because the GDPR has become a hinge instrument for the wider digital acquis, instability at Article 4 is no longer a data protection problem. It spills into AI governance, research, data access, product design, testing, bias mitigation and institutional enforcement.</p><h2>Article 22 and the upstream exercise of power</h2><p>Article 22 presents a related problem. It is still oriented around relatively discrete acts of automated decision-making. But many AI systems do not exercise power through one neat final decision. They operate through ranking, recommendation, optimisation, scoring, classification and behavioural shaping.</p><p>That means the significant intervention may occur upstream. The system may structure who is visible, which option is presented, which opportunity is made salient, which category is assigned, which pathway becomes easier, or which treatment becomes more likely. 
By the time a formal decision appears, much of the meaningful power may already have been exercised.</p><p>So the question is not only whether Article 22 is too old. The better question is whether its decision-focused structure is well matched to the architecture of inference and influence. In many cases, it is not.</p><h2>The AI Act and the burden of translation</h2><p>The AI Act brings a different version of the same problem.</p><p>My work on Article 5(1)(a) and (b) - on subliminal, manipulative and deceptive techniques, and on systems exploiting vulnerabilities - made clear how difficult the move from principle to operational law can be. The easy proposition was never the hard part. Nobody wants genuinely subliminal AI techniques. Nobody wants systems that deliberately exploit children, vulnerable persons or acute asymmetries in ways that undermine autonomy and cause harm.</p><p>But a prohibition is not just a statement of disapproval. It is a legal instrument. Developers, deployers, regulators, courts and advisers need to know how to use it.</p><p>Once one moves from the slogan to the application, the difficulty becomes obvious. What counts as manipulation? What threshold is required? Which vulnerabilities count? How should the law treat recommender systems, dark patterns, persuasive interfaces, behavioural targeting or AI-enabled personalisation? What kind of harm is required, and how likely must it be?</p><p>One of the most revealing dynamics is the difference between agreement on an example and agreement on the principle behind it. A case study may look convincing. It may appear to fall comfortably within the spirit, and perhaps the letter, of the prohibition. But the moment the principle behind that example is asked to travel to another context, interface, or business model, hesitation begins.</p><p>That hesitation matters. It shows the burden of translation. 
Europe often legislates at a high level of abstraction and then leaves much of the operational meaning to be constructed later through guidelines, standards, enforcement practices, and litigation. Some of that is inevitable. Complex systems require complex interpretation. But timing matters. If the real meaning of the law arrives only after long, late guidance, the law is not doing enough work before the obligations bite.</p><p>This burden is not only on the industry. It falls on regulators, DPAs, the Commission, national authorities, courts, advisers and academics. All of them help construct the regime's usable grammar after the legislation has been adopted.</p><h2>The Omnibus is not housekeeping</h2><p>That is why the Omnibus is not mere housekeeping.</p><p>The debate is often framed as a choice between simplification and fundamental rights. I do not accept that framing. In parts of EU digital regulation, excessive procedural density can make substantive protection harder, not easier. Poorly aligned regimes can generate cumulative burdens, threshold uncertainty and contradictions that look protective in the abstract but become dysfunctional in practice.</p><p>The better question is whether the digital acquis works as a system. The GDPR, the AI Act, consumer protection, platform law and data access rules may each be defensible in isolation. The problem is how they interact. Where they duplicate, contradict or force actors into impossible positions, the result is not higher protection. It is incoherence.</p><p>Article 10(5) of the AI Act exposes the point.</p><p>If we are serious about identifying and mitigating bias in high-risk AI systems, then we must confront an uncomfortable but unavoidable fact. In some cases, responsible bias testing may require the controlled use of data that reveals, or is capable of revealing, characteristics associated with special categories.</p><p>That is not because the system is trying to exploit those categories. 
It is because without a structured way to test outcomes across relevant characteristics, discriminatory effects may remain invisible.</p><p>Here, the current architecture strains. We say discriminatory AI outcomes are unacceptable. We say bias mitigation is necessary. But if the legal framework treats all such data use with procedural suspicion while failing to provide a workable, proportionate and clearly delimited route for necessary processing, we create a contradiction. We demand bias mitigation while making responsible bias testing structurally difficult.</p><p>That is not a mature rights strategy. It is a failure to reconcile data protection and non-discrimination at the level where real systems are built and tested.</p><p>The answer is not deregulation. The answer is a narrow, lawful, safeguard-based pathway. Strict purpose limitation. Necessity. Technical and organisational controls. Data minimisation in the real sense, not as a slogan. Retention discipline. Auditability. Institutional accountability.</p><p>Proportionality is not a concession. It is one of the conditions for the protection of governable rights.</p><h2>What privacy professionals have become</h2><p>The final Madrid question asks whether we are still privacy professionals or whether we have become something broader. </p><p>We have become something broader.</p><p>Privacy remains essential, but it cannot be the default answer to every digital problem. Some problems are competition problems. Some are consumer protection problems. Some are labour problems. Some are safety problems. Some are public-law and institutional design problems. Privacy may be somewhere in the story, but it is not always the whole story.</p><p>This is where academia and professional education need to be more honest. We have trained many people to see digital systems through privacy goggles. That has produced genuine expertise. 
It has also produced a tendency to force too many questions into the GDPR frame.</p><p>Research can fall into the same habit. It is often very good at identifying possible harms. It is weaker at assessing likelihood, seriousness and fit. Risk regulation is not a competition to imagine the darkest possible scenario. The mature question is not only &#8220;what is the risk?&#8221; It is: how likely is it, how serious is it, and what is the right legal response?</p><p>That is the shift from privacy professionalism to digital governance professionalism. It requires legal architecture, institutional fit, proportionality and the humility to admit that different harms may require different tools.</p><h2>The closing point</h2><p>I would put the point this way. The law is not strengthened by becoming harder to foresee, harder to discipline and easier to stretch. Rights are not protected by procedural overload for its own sake. And uncertainty is not a safeguard.</p><p>If Europe wants trustworthy AI, lawful innovation and credible institutions, it needs legal certainty not as an afterthought, but as part of the rights architecture itself.</p><p>Rights need realism. Law needs discipline.</p>]]></content:encoded></item><item><title><![CDATA[Article 6(11) DMA Explained: Search Data, Contestability and Anonymisation]]></title><description><![CDATA[New Lecture added to my YouTube Channel!]]></description><link>https://digidata.substack.com/p/article-611-dma-explained-search</link><guid isPermaLink="false">https://digidata.substack.com/p/article-611-dma-explained-search</guid><dc:creator><![CDATA[Dr Mark R Leiser]]></dc:creator><pubDate>Fri, 01 May 2026 10:55:23 GMT</pubDate><enclosure url="https://substackcdn.com/image/youtube/w_728,c_limit/_JP1pQw3cBo" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>Article 6(11) DMA is one of the most interesting stress tests in the EU digital rulebook. 
It recognises a real problem: if one gatekeeper benefits from behavioural feedback that improves search quality, rivals may need some access to that feedback for contestability to mean anything. But the implementation question is much harder than the bare provision suggests. Search data is not ordinary telemetry. It is semantic, contextual and often intimate. That is why the Commission risks creating a privacy fiction if it treats transformed record-level data, together with contractual restrictions, as though that combination automatically constitutes anonymisation. My lecture explains why the legal sequence must remain anonymisation first, utility second, and why the better answer is a Safe Search Data Access Regime rather than a one-size-fits-all dataset.</p><div id="youtube2-_JP1pQw3cBo" class="youtube-wrap" data-attrs="{&quot;videoId&quot;:&quot;_JP1pQw3cBo&quot;,&quot;startTime&quot;:null,&quot;endTime&quot;:null}" data-component-name="Youtube2ToDOM"><div class="youtube-inner"><iframe src="https://www.youtube-nocookie.com/embed/_JP1pQw3cBo?rel=0&amp;autoplay=0&amp;showinfo=0&amp;enablejsapi=0" frameborder="0" loading="lazy" gesture="media" allow="autoplay; fullscreen" allowautoplay="true" allowfullscreen="true" width="728" height="409"></iframe></div></div><h1>Q&amp;A </h1><h2>Is this just a privacy veto over Article 6(11)?</h2><p>No. The argument supports Article 6(11) as a serious tool for contestability. It does not say data should never be shared. It says that the legal condition of anonymisation must be satisfied first, and that useful access should then be preserved through tiered modalities.</p><h2>Does your approach make the data useless?</h2><p>Not if the architecture is properly designed. Head, torso and aggregate signals may support meaningful improvement. Some data can be exported. Some may require controlled access. Some may need suppression. 
The point is to avoid both unsafe utility and safe but meaningless access.</p><h2>Why are contracts not enough?</h2><p>Contracts can reduce misuse and define access conditions. They cannot alter the legal status of data that remains identifiable through realistic lawful means. A promise not to re-identify is not the same as anonymisation.</p><h2>Are clean rooms part of the answer?</h2><p>Yes, but only in a disciplined sense. A clean room is not a laundering device for non-anonymous data. It can add safeguards for data that has already met the anonymisation threshold but is unsuitable for ordinary download.</p><h2>What does contestability mean here?</h2><p>It means that rival search engines have a meaningful opportunity to improve quality and discipline the gatekeeper, not merely that they exist as formal alternatives. Search quality depends on feedback loops, and Article 6(11) targets part of that feedback infrastructure.</p><h2>Why does this matter beyond Google?</h2><p>Because the EU is already struggling with the meaning of personal data, pseudonymisation and anonymisation across the GDPR, the Digital Omnibus, DPA guidance, the DSA, the Data Act and AI governance. 
A weak DMA-specific standard would worsen that fragmentation.</p>]]></content:encoded></item><item><title><![CDATA[Beyond Privacy Friction: Making Google Search Data Sharing Both Safe and Useful]]></title><description><![CDATA[My Submission to the European Commission on DMA.100209, the Consultation on the Proposed Measures for Google Search data sharing (Article 6(11) of the DMA)]]></description><link>https://digidata.substack.com/p/beyond-privacy-friction-making-google</link><guid isPermaLink="false">https://digidata.substack.com/p/beyond-privacy-friction-making-google</guid><dc:creator><![CDATA[Dr Mark R Leiser]]></dc:creator><pubDate>Thu, 30 Apr 2026 15:14:50 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!OKoG!,w_256,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F921709a1-dc8a-4415-a572-3707019725c9_1080x1350.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>There is a very difficult problem sitting at the centre of the European Commission&#8217;s consultation in Case DMA.100209 on Google Search data sharing under Article 6(11) of the Digital Markets Act.</p><p style="text-align: justify;">It is not a simple privacy-versus-competition problem. That framing is too crude. Article 6(11) exists because access to search data can matter for contestability. Query, ranking, click and view data are not incidental traces. They are part of the feedback infrastructure that improves search quality. A gatekeeper that benefits from scale in those signals should not be able to turn that scale into a permanent insulation from competition. That is the force of the DMA obligation, and I support it.</p><p style="text-align: justify;">It may reveal something about the searcher. It may also contain personal data that appears to concern another person. 
In practice, however, the system will often have no reliable way to distinguish between a query that contains personal data about the end user who issued it and a query that contains personal data about someone else. The safer approach is to treat personal data contained in the query text as part of the end-user anonymisation problem rather than assume it can be conceptually carved away.</p><p style="text-align: justify;">This is why I have submitted a response to the Commission consultation. My concern is not that the Commission is wrong to pursue the Article 6(11) objective. On the contrary, the contestability objective is legitimate and important. My concern is that the final measures must not invent a privacy fiction to make the access obligation administratively convenient.</p><div class="file-embed-wrapper" data-component-name="FileToDOM"><div class="file-embed-container-reader"><div class="file-embed-container-top"><image class="file-embed-thumbnail-default" src="https://substackcdn.com/image/fetch/$s_!0Cy0!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack.com%2Fimg%2Fattachment_icon.svg"></image><div class="file-embed-details"><div class="file-embed-details-h1">Dr M.R. Leiser's Commission Submission on 6(11) DMA</div><div class="file-embed-details-h2">458KB &#8729; PDF file</div></div><a class="file-embed-button wide" href="https://digidata.substack.com/api/v1/file/1bea7266-fd2a-4af7-8738-cffac094cc95.pdf"><span class="file-embed-button-text">Download</span></a></div><a class="file-embed-button narrow" href="https://digidata.substack.com/api/v1/file/1bea7266-fd2a-4af7-8738-cffac094cc95.pdf"><span class="file-embed-button-text">Download</span></a></div></div><p style="text-align: justify;"></p><p style="text-align: justify;">A useful but unsafe dataset fails data protection law. A dataset that reaches anonymity only by stripping out all meaningful contestability value may comply in form while failing the purpose of Article 6(11). 
The hard work is to respect the anonymisation requirement first and then ask how much useful access can still be preserved.</p><p style="text-align: justify;">The danger, as I see it, is that search data might be treated as anonymised because obvious identifiers have been removed, certain thresholds have been applied, and recipients are contractually prohibited from re-identifying users. Contracts matter. Recipient obligations matter. Audit matters. Purpose limitation matters. But contracts cannot be asked to do the conceptual work of anonymisation if the underlying access model remains too risky. Protecting privacy by contract is not enough unless the technical, organisational and institutional controls genuinely change the realistic means of identification available in the recipient environment.</p><p style="text-align: justify;">At the same time, privacy cannot become a veto over the DMA. If the answer to the privacy risk is simply to suppress local, fresh, entity-rich, sequence-based, and some rare-query signals rather than to ask whether they can be delivered through safer access modalities, then Article 6(11) risks becoming a formal right to degraded access.</p><p style="text-align: justify;">So, my submission is solution-based. I argue that the Commission should move from a single transformed record-level dataset to a Safe Search Data Access Regime. That means recognising that &#8220;access&#8221; is not the same thing as unrestricted possession. Lower-risk, common-tail data may be suitable for export. Aggregate signals may be suitable for privacy-preserving release. Data that has been anonymised but remains unsuitable for ordinary download due to marginally elevated operational, combination, or output-leakage risk may require controlled API access, clean-room access, trusted execution, or regulator-supervised escrow. 
Data that cannot be anonymised to the Article 6(11) standard should not be disclosed through a clean room; it should be suppressed, aggregated, or used only to generate a privacy-tested model or to provide access to outputs. Some data may still need to be suppressed. But the decision should be evidence-led, reviewable and tied to both privacy risk and search utility.</p><p style="text-align: justify;">The central proposal is an Anonymisation and Utility Impact Assessment. That assessment should ask first whether the data has genuinely been anonymised in the relevant recipient environment, and then whether the resulting access still supports real search-improvement tasks: ranking, query understanding, local search, freshness, relevant head and torso learning, carefully controlled rare-query analysis, click modelling and evaluation of OSE functionality in AI-enabled interfaces.</p><p style="text-align: justify;">The AI dimension makes this even more urgent. The preliminary measures appear to assume that a chatbot with OSE functionality is eligible. The key point is that eligibility should not be conflated with service-wide access. Article 6(11) must not become a route for general-purpose model training, fine-tuning of non-OSE systems, model grounding outside the OSE function, advertising enrichment, identity-graph improvement or unrelated product optimisation. Access should follow the genuine online search engine function: retrieval, indexing, ranking, query understanding, SERP interaction and evaluation of that function. It should not become a general AI data pipeline.</p><p style="text-align: justify;">There is also a broader institutional issue here. Europe cannot afford another unstable meaning of anonymisation. 
We already have debates across the GDPR, the Digital Omnibus, DMA implementation, DPA guidance, pseudonymisation guidance and AI governance about when data should be treated as personal, pseudonymised, anonymous, or contextually outside the realistic scope of identification. If one regime treats anonymisation as almost unreachable, while another appears to accept a more flexible contract-dependent model, the EU digital rulebook will become even less coherent.</p><p style="text-align: justify;">The better answer is not absolutism. It is disciplined contextualism. Personal data is not a mystical status attached to information forever. Identifiability depends on the actor, the context, the means reasonably likely to be used, the legal constraints, the technical safeguards and the factual access environment. But that contextual analysis has to be honest. It cannot become a convenient label for weak anonymisation. Nor can it be stretched so far that every dataset remains personal for everyone, everywhere, forever.</p><p style="text-align: justify;">The Commission has an opportunity here to do something important. It can make Article 6(11) work as a serious tool for contestability. It can protect users from a reckless search-log release model. It can provide smaller search engines with useful signals. It can ring-fence AI use. It can clarify the responsibilities among Google, recipients, auditors, DPAs, and the Commission. And it can avoid creating yet another incoherent layer in the law of anonymisation.</p><p style="text-align: justify;">That is the point of my submission. Do not weaken Article 6(11). Do not pretend that search logs become anonymous by formula. Do not lower anonymisation to preserve utility. 
Once anonymisation is achieved, preserve contestability through a tiered, evidence-led and independently reviewable access regime.</p>]]></content:encoded></item><item><title><![CDATA[Context Is Not Fragmentation ]]></title><description><![CDATA[Why the EDRi Line on the Digital Omnibus Fails]]></description><link>https://digidata.substack.com/p/context-is-not-fragmentation</link><guid isPermaLink="false">https://digidata.substack.com/p/context-is-not-fragmentation</guid><dc:creator><![CDATA[Dr Mark R Leiser]]></dc:creator><pubDate>Wed, 29 Apr 2026 15:45:55 GMT</pubDate><enclosure url="https://substackcdn.com/image/youtube/w_728,c_limit/bnDQF9SyYKE" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>This post accompanies my lecture, &#8220;EDRi, the Omnibus, and the Politics of Perimeter Panic.&#8221; The lecture responds to EDRi&#8217;s claim that clarifying the GDPR&#8217;s personal data trigger would allow organisations to treat data as non-personal whenever they claim they cannot identify someone.</p><p>My argument is that this criticism confuses contextual legal analysis with fragmentation. The GDPR does not require abstract identifiability everywhere. It requires a disciplined assessment of the means reasonably likely to be used, including real routes of relinkage, enrichment, and onward disclosure.</p><p>The Omnibus drafting may need safeguards and tightening. But preserving doctrinal fog is not a rights strategy. 
Legal certainty is part of the rule of law.</p><p>YouTube video here: </p><div id="youtube2-bnDQF9SyYKE" class="youtube-wrap" data-attrs="{&quot;videoId&quot;:&quot;bnDQF9SyYKE&quot;,&quot;startTime&quot;:null,&quot;endTime&quot;:null}" data-component-name="Youtube2ToDOM"><div class="youtube-inner"><iframe src="https://www.youtube-nocookie.com/embed/bnDQF9SyYKE?rel=0&amp;autoplay=0&amp;showinfo=0&amp;enablejsapi=0" frameborder="0" loading="lazy" gesture="media" allow="autoplay; fullscreen" allowautoplay="true" allowfullscreen="true" width="728" height="409"></iframe></div></div>]]></content:encoded></item><item><title><![CDATA[Why Legal Certainty Matters in the Digital Omnibus]]></title><description><![CDATA[GDPR trigger logic, actor-relative identifiability, DMA anonymisation, and institutional balance]]></description><link>https://digidata.substack.com/p/why-legal-certainty-matters-in-the</link><guid isPermaLink="false">https://digidata.substack.com/p/why-legal-certainty-matters-in-the</guid><dc:creator><![CDATA[Dr Mark R Leiser]]></dc:creator><pubDate>Tue, 28 Apr 2026 22:35:33 GMT</pubDate><enclosure url="https://api.substack.com/feed/podcast/195809259/4dc71f381de375eb9f7221093017ce36.mp3" length="0" type="audio/mpeg"/><content:encoded><![CDATA[<p>"A system that cannot clearly explain when it applies is not a stronger system. It is a less governable one."<br><br>I have added an online lecture loosely connected to my panel discussion at the Venice Privacy Conference. The video is designed as a master explainer for a recent series of Substack posts defending the reframing of the GDPR's trigger logic: Personal Data. 
The Omnibus is not best understood as a simple rights-rollback debate, but as a fight over the GDPR&#8217;s trigger logic and the institutional perimeter of EU digital regulation.</p><p>The lecture develops the argument from the slides and connects it to adjacent issues not fully captured in the slides: DMA anonymisation under Article 6(11), approaches to anonymisation and pseudonymisation, AI and research spillovers, consent overload, and the risk of default-regulator drift.</p><p>YouTube video here: </p><div id="youtube2-8C1BAutrWH4" class="youtube-wrap" data-attrs="{&quot;videoId&quot;:&quot;8C1BAutrWH4&quot;,&quot;startTime&quot;:null,&quot;endTime&quot;:null}" data-component-name="Youtube2ToDOM"><div class="youtube-inner"><iframe src="https://www.youtube-nocookie.com/embed/8C1BAutrWH4?rel=0&amp;autoplay=0&amp;showinfo=0&amp;enablejsapi=0" frameborder="0" loading="lazy" gesture="media" allow="autoplay; fullscreen" allowautoplay="true" allowfullscreen="true" width="728" height="409"></iframe></div></div>]]></content:encoded></item><item><title><![CDATA[EDRi, the Omnibus, and the Politics of Perimeter Panic]]></title><description><![CDATA[A rebuttal of its argument on the definition of personal data and the deeper politics of GDPR scope]]></description><link>https://digidata.substack.com/p/edri-the-omnibus-and-the-politics</link><guid isPermaLink="false">https://digidata.substack.com/p/edri-the-omnibus-and-the-politics</guid><dc:creator><![CDATA[Dr Mark R Leiser]]></dc:creator><pubDate>Thu, 23 Apr 2026 05:21:46 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!NyRy!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff40553fd-0e15-4f9c-9a23-f5f98d37a9d5_602x337.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p style="text-align: justify;"><strong>Respect where it is due, disappointment where it is earned</strong></p><p style="text-align: justify;">I have worked with and alongside people in the EDRi world before, and I say this with genuine respect for much of the work they have done over the years. EDRi has often played an important role in resisting real overreach and in keeping fundamental rights in the foreground when others would rather treat them as an administrative inconvenience. That history matters. It is precisely why this intervention is so disappointing. <a href="https://edri.org/wp-content/uploads/2026/03/EDRi-Data-Omnibus-Analysis-Council-Compromise-text.pdf">In its paper on the first Council compromise on the GDPR and ePrivacy elements of the Digital Omnibus</a>, EDRi acknowledges that the text marks a significant shift from the Commission&#8217;s original proposal, noting that several amendments affecting core structural elements of the GDPR appear to have been removed, including changes to the definition of personal data, scientific research, Article 22, and the Commission&#8217;s proposed implementing powers on pseudonymisation. It nevertheless argues that important risks remain and that the negotiations must still be steered away from weakening safeguards.</p><p style="text-align: justify;">Perhaps some of that framing was sharpened for political effect. I am also certain that EDRi itself would accept that some middle ground must exist between a boundless, abstract notion of identifiability and an artificially narrow one. But that is exactly why the paper is so frustrating. Rather than helping to identify that middle ground, it slips back into a familiar defence of ambiguity. More broadly, in parts of the civil society ecosystem, there are institutional and sometimes funding-related incentives to preserve a politics of permanent alarm around GDPR scope, because a permanently elastic perimeter is easier to mobilise around than a serious discussion about thresholds, realism, and legislative discipline. Whether or not that fully explains this paper, the result is the same: a rebuttal that treats efforts to restore legal clarity as threats to rights.</p><p style="text-align: justify;">In summary, my disagreement with EDRi rests on three core legal points. First, an elastic GDPR trigger adopted for convenience does not confer stronger protection or greater certainty. It creates more uncertainty, more room for administrative drift, and more instability for those trying to comply with the law, especially SMEs and others without deep compliance resources. Second, the GDPR is already contextual. Recital 26 has always required a realistic assessment of identifiability by reference to means reasonably likely to be used, and any attempt to minimise the significance of <em>EDPS v SRB</em> ends up underreading not only that judgment, but also the text of the GDPR and the broader contextual logic of the case law. Third, the Omnibus debate is, at its best, an attempt to clarify what degree of realism the law actually requires, so that identifiability becomes more foreseeable, more disciplined, and more workable across the digital economy.</p><blockquote><p>(i) <strong>An elastic GDPR trigger does not protect rights more effectively. It creates more uncertainty, more scope for discretionary expansion, and more compliance anxiety, especially for SMEs and actors without deep legal resources.</strong></p><p>(ii) <strong>The GDPR was never purely abstract in the first place. 
More broadly, in parts of the civil society ecosystem, there are institutional and sometimes funding-related incentives to preserve a politics of permanent alarm around GDPR scope, because a permanently elastic perimeter is easier to mobilise around than a serious discussion about thresholds, realism, and legislative discipline. Whether or not that fully explains this paper, the result is the same: a rebuttal that treats efforts to restore legal clarity as threats to rights.</p><p style="text-align: justify;">In summary, my disagreement with EDRi rests on three core legal points. First, an elastic GDPR trigger adopted for convenience does not confer stronger protection or greater certainty. It creates more uncertainty, more room for administrative drift, and more instability for those trying to comply with the law, especially SMEs and others without deep compliance resources. Second, the GDPR is already contextual. Recital 26 has always required a realistic assessment of identifiability by reference to means reasonably likely to be used, and any attempt to minimise the significance of <em>EDPS v SRB</em> ends up underreading not only that judgment, but also the text of the GDPR and the broader contextual logic of the case law. Third, the Omnibus debate is, at its best, an attempt to clarify what degree of realism the law actually requires, so that identifiability becomes more foreseeable, more disciplined, and more workable across the digital economy.</p><blockquote><p>(i) <strong>An elastic GDPR trigger does not protect rights more effectively. It creates more uncertainty, more scope for discretionary expansion, and more compliance anxiety, especially for SMEs and actors without deep legal resources.</strong></p><p>(ii) <strong>The GDPR was never purely abstract in the first place. 
Recital 26 already embeds contextuality, and any attempt to minimise </strong><em><strong>SRB</strong></em><strong> ends up minimising not only that judgment but also the logic of the text itself and the broader contextual case law on identifiability.</strong></p><p>(iii) <strong>The Omnibus debate is really about the degree of realism required by the law. Its strongest version is not deregulatory. It is an attempt to restore a more workable and legally disciplined account of identifiability across the digital economy.</strong></p></blockquote><p style="text-align: justify;">That problem becomes clearest in EDRi&#8217;s treatment of the definition of personal data. On pages 2 and 3, it argues that assessing qualification by reference to the capabilities or position of a specific controller would itself create fragmentation, because the same dataset could be personal data for one actor but not for another, particularly in complex chains involving controllers, processors, and intermediaries. It also argues that this would complicate compliance, misread <em>EDPS v SRB</em>, and risk wider incoherence across the EU legal framework. That is the heart of the rebuttal, and it is where, in my view, the paper goes most seriously wrong.</p><p style="text-align: justify;"><strong>The civil society case against legal certainty</strong></p><p style="text-align: justify;">The first thing to notice is what EDRi is actually defending. Formally, it claims to be defending legal certainty and fundamental rights. Substantively, it is defending a model in which the outer perimeter of the GDPR remains vague enough to be stretched through interpretation, guidance, enforcement practice, and institutional preference. That is not a minor distinction. 
It goes to the heart of the Omnibus debate.</p><p style="text-align: justify;">The paper says that changing the law so that qualification depends &#8220;more heavily on the capabilities or position of a specific controller&#8221; would itself create fragmentation, because the same dataset could be treated as personal data for one actor but not for another. But that objection already assumes what it needs to prove. It assumes that legal uniformity entails identical outcomes for all actors, irrespective of their actual factual positions. That is not how legal uniformity works. Uniformity requires a common legal test, not a compulsory sameness of result detached from context.</p><p style="text-align: justify;">And that is where EDRi&#8217;s position begins to unravel. Article 4(1), read with Recital 26, has never set up a metaphysical inquiry into whether identification is conceivable somewhere in the abstract. It asks whether a person is identifiable, directly or indirectly, by reference to means reasonably likely to be used. Those words are not ornamental. They require a practical inquiry. Reasonably likely by whom? Used by whom? Under what technical, organisational, and legal conditions? With what additional information? At what cost? With what degree of foreseeability? None of this can be answered without regard to the situation of the actor said to hold personal data.</p><p style="text-align: justify;">So when EDRi says that a controller-relative approach is dangerous because two different actors might stand in different legal positions, it is objecting to the ordinary consequence of a contextual legal test. That is not fragmentation. 
It is the law.</p><p style="text-align: justify;"><strong>Why EDRi&#8217;s fragmentation argument fails</strong></p><p style="text-align: justify;">EDRi&#8217;s central argument is that if identifiability is assessed from each actor&#8217;s standpoint, one controller may apply the GDPR while another may not, creating a &#8220;fragmented regulatory environment&#8221; and &#8220;significantly complicate compliance&#8221;. This sounds intuitive until one pauses and asks a prior question: why should the law produce the same answer for actors who are not in the same position?</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!NyRy!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff40553fd-0e15-4f9c-9a23-f5f98d37a9d5_602x337.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!NyRy!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff40553fd-0e15-4f9c-9a23-f5f98d37a9d5_602x337.jpeg 424w, https://substackcdn.com/image/fetch/$s_!NyRy!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff40553fd-0e15-4f9c-9a23-f5f98d37a9d5_602x337.jpeg 848w, https://substackcdn.com/image/fetch/$s_!NyRy!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff40553fd-0e15-4f9c-9a23-f5f98d37a9d5_602x337.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!NyRy!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff40553fd-0e15-4f9c-9a23-f5f98d37a9d5_602x337.jpeg 1456w" sizes="100vw"><img 
src="https://substackcdn.com/image/fetch/$s_!NyRy!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff40553fd-0e15-4f9c-9a23-f5f98d37a9d5_602x337.jpeg" width="602" height="337" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/f40553fd-0e15-4f9c-9a23-f5f98d37a9d5_602x337.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:337,&quot;width&quot;:602,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:43359,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/jpeg&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://digidata.substack.com/i/194998933?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff40553fd-0e15-4f9c-9a23-f5f98d37a9d5_602x337.jpeg&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!NyRy!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff40553fd-0e15-4f9c-9a23-f5f98d37a9d5_602x337.jpeg 424w, https://substackcdn.com/image/fetch/$s_!NyRy!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff40553fd-0e15-4f9c-9a23-f5f98d37a9d5_602x337.jpeg 848w, https://substackcdn.com/image/fetch/$s_!NyRy!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff40553fd-0e15-4f9c-9a23-f5f98d37a9d5_602x337.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!NyRy!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff40553fd-0e15-4f9c-9a23-f5f98d37a9d5_602x337.jpeg 1456w" 
sizes="100vw" loading="lazy"></picture></div></a></figure></div><p style="text-align: justify;">If one actor holds a dataset together with keys, lookup tables, contractual rights of access, technical means of enrichment, and routine onward disclosure pathways, while another actor does not, it would be bizarre to insist that the law must pretend their situations are identical. The alternative is not legal certainty. The alternative is to universalise the scope by fiction, i.e. alleging that because identifiability exists <em>somewhere</em> in the ecosystem, it must be treated as present everywhere. That is not faithful to the GDPR. 
It is a policy preference dressed up as a doctrinal necessity.</p><p style="text-align: justify;">I do not doubt that EDRi is genuinely concerned about downstream loopholes and strategic attempts to evade the GDPR. That concern is legitimate. But the answer to possible evasion cannot be to preserve a trigger test so elastic that legal certainty becomes impossible in practice.</p><p style="text-align: justify;">EDRi wants to convert a shared legal test into a shared legal outcome. But law does not usually work that way, and there is no reason why data protection law should be forced into that mould. The same piece of information can have different legal significance depending on the actor, the surrounding environment, the means available, and the foreseeable uses to which it can be put. That is true across regulatory, competition, public, and private law alike. It is true because legal standards are applied to facts, not to slogans.</p><p style="text-align: justify;">Indeed, EDRi&#8217;s argument has a revealing asymmetry. It treats any difference in outcomes between actors as intolerable fragmentation. Yet it is perfectly comfortable with the very real fragmentation produced by the current state of affairs, in which the formal legal test remains contextual while the practical enforcement culture often treats identifiability as functionally boundless. That leaves controllers, researchers, businesses, regulators, and courts in a permanently unstable environment in which the text says one thing and the compliance culture pressures them toward another. That is fragmentation in the real world. It is just fragmentation that EDRi happens to like.</p><p style="text-align: justify;"><strong>The law was always contextual.</strong></p><p style="text-align: justify;">EDRi&#8217;s paper speaks as though a more actor-relative approach were some novel and suspicious departure from the settled architecture of EU data protection law. It is not. 
The contextual character of the inquiry was always there.</p><p style="text-align: justify;">Recital 26 has always been the hinge. Its language about &#8220;all the means reasonably likely to be used&#8221; cannot sensibly be applied without considering actual actors and contexts. The phrase does not invite lawyers or regulators to imagine every hypothetical future path by which somebody, somewhere, might identify somebody else. It asks for a realistic assessment. That is exactly why the recent draft Council compromise line matters so much. If identifiability is to be assessed ex ante and in concreto, taking into account the controller&#8217;s actual technical, organisational and legal capabilities, that is not a radical break with the GDPR. It is a disciplined restatement of what realistic application of Recital 26 has always demanded.</p><p style="text-align: justify;">EDRi&#8217;s response is to warn that the &#8220;controller-centric approach&#8221; disappears from the Commission proposal and that this is welcome, while also accepting that identifiability continues to be assessed under Article 4(1) and Recital 26. But that concession should have much larger consequences than the paper admits. If Recital 26 remains the touchstone, the relevant debate is not whether context matters. It is how context is to be operationalised. EDRi wants context to matter just enough to preserve rhetorical fidelity to the text, but not enough to discipline expansive interpretations in practice. That is not a legal argument. 
It is a strategic one.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!CxQT!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F50c18960-e65f-4cf6-8c88-bedfaaae7e00_602x346.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!CxQT!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F50c18960-e65f-4cf6-8c88-bedfaaae7e00_602x346.jpeg 424w, https://substackcdn.com/image/fetch/$s_!CxQT!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F50c18960-e65f-4cf6-8c88-bedfaaae7e00_602x346.jpeg 848w, https://substackcdn.com/image/fetch/$s_!CxQT!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F50c18960-e65f-4cf6-8c88-bedfaaae7e00_602x346.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!CxQT!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F50c18960-e65f-4cf6-8c88-bedfaaae7e00_602x346.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!CxQT!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F50c18960-e65f-4cf6-8c88-bedfaaae7e00_602x346.jpeg" width="602" height="346" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/50c18960-e65f-4cf6-8c88-bedfaaae7e00_602x346.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:346,&quot;width&quot;:602,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:37730,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/jpeg&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://digidata.substack.com/i/194998933?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F50c18960-e65f-4cf6-8c88-bedfaaae7e00_602x346.jpeg&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!CxQT!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F50c18960-e65f-4cf6-8c88-bedfaaae7e00_602x346.jpeg 424w, https://substackcdn.com/image/fetch/$s_!CxQT!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F50c18960-e65f-4cf6-8c88-bedfaaae7e00_602x346.jpeg 848w, https://substackcdn.com/image/fetch/$s_!CxQT!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F50c18960-e65f-4cf6-8c88-bedfaaae7e00_602x346.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!CxQT!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F50c18960-e65f-4cf6-8c88-bedfaaae7e00_602x346.jpeg 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><p style="text-align: justify;">There is a further irony here. EDRi itself acknowledges that pseudonymised data in complex ecosystems may remain &#8220;realistically identifiable&#8221; through correlation, enrichment, or sharing across actors. That is true, but it actually proves the opposite of what the organisation wants. It shows that the correct inquiry is not abstract or universal. It is factual and environment-specific. If correlation, enrichment, or data sharing across actors is realistically part of the processing setting, identifiability remains. If it is not, then the law should not simply presume it. 
In other words, once one takes realism seriously, one is driven back to contextuality, whether one likes it or not.</p><p style="text-align: justify;"><strong>Complex ecosystems are not a licence for abstraction.</strong></p><p style="text-align: justify;">The paper&#8217;s next move is to say that modern digital systems rarely involve a single actor, and that data move through &#8220;complex chains involving multiple controllers, processors and sub-processors&#8221;. Under a more actor-relative approach, EDRi says that different participants in the same chain could reach different conclusions about whether the same information constitutes personal data.</p><p style="text-align: justify;">This is one of those arguments that sound strong only because they trade on a false choice. The choice is not between total abstraction and radical atomisation. It is not between pretending each actor exists in a vacuum and pretending that all actors everywhere must be treated identically because someone in the chain might identify someone eventually. The correct approach is to assess identifiability in context, while taking seriously all realistically foreseeable pathways of onward disclosure, linkage, enrichment, singling out, and recombination within the relevant processing environment.</p><p style="text-align: justify;">That means two things at once: First, an actor cannot artificially narrow its legal obligations by pretending not to know what is structurally built into its own processing model. If onward sharing, correlation, or re-linkage is part of the architecture, then those routes are relevant to identifiability. Second, regulators and advocates cannot inflate the GDPR&#8217;s perimeter by pointing to speculative possibilities that are not realistically part of the actor&#8217;s technical or legal environment. The test is not whether someone with unlimited imagination and unlimited resources might someday identify someone. 
The test is whether identification is reasonably likely in the concrete setting that matters.</p><p style="text-align: justify;">EDRi&#8217;s approach collapses these two questions into one, thereby making the trigger depend less on realistic identifiability than on the sheer possibility of networked data ecosystems. But modern digital ecosystems are not an excuse to abandon legal discipline. If anything, they make discipline more necessary.</p><p style="text-align: justify;">The compliance argument is similarly overstated. EDRi says that organisations would need to classify and reclassify data repeatedly across chains and uses, generating operational complexity and litigation. But data protection law already depends on context-sensitive judgments at every stage: purpose, compatibility, necessity, proportionality, risk, lawful basis, safeguards, retention, and access rights all turn on the facts of processing. It is odd to suddenly discover a horror of contextual classification only when the discussion reaches the threshold question. In practice, what businesses and institutions need is not an unreal promise that every actor will always receive the same answer. What they need is a clear legal standard that tells them which facts matter. That is exactly what the current compromise language is trying to provide.</p><p style="text-align: justify;"><strong>The selective reading of </strong><em><strong>SRB</strong></em></p><p style="text-align: justify;">EDRi says that reliance on <em>EDPS v SRB</em> is misplaced because that judgment concerned a &#8220;very specific factual situation&#8221; and cannot be generalised into a broader legislative rule. Taken at face value, this is unobjectionable. No good lawyer wants to rip a paragraph from a judgment and pretend it rewrites the whole Regulation.</p><p style="text-align: justify;">But that is not really what is happening here. The issue is not whether <em>SRB</em> can be mechanically universalised. 
The issue is whether the judgment confirms something important about the structure of the identifiability inquiry. It plainly does. The significance of <em>SRB</em> is not confined to its facts. It lies in the Court&#8217;s refusal to treat identifiability as something that can be assumed in the abstract, without regard to the actor said to hold the data and the realistic means available to that actor.</p><p style="text-align: justify;">That matters enormously. It means that the Court did not endorse the kind of universalised, hypothetically expansive theory of personal data that parts of the data protection ecosystem have become used to. It reaffirmed realism. It pushed the inquiry back toward context. It underscored that one cannot simply wave at identifiability in the abstract and call the job done.</p><p style="text-align: justify;">So when EDRi says that the judgment is too fact-specific to matter in the broader debate, what it is really doing is trying to confine the implications of a judgment that is politically inconvenient to its preferred understanding of scope. The narrowness argument becomes a way of neutralising the case rather than engaging with what it actually says.</p><p style="text-align: justify;">I do not suggest that <em>SRB</em> should be overread, and I am sure EDRi would agree that no single case should be treated as if it rewrites the whole Regulation. The problem is the opposite one: the paper reads the judgment so narrowly that it drains it of its real doctrinal significance.</p><p style="text-align: justify;">And that is why the allegation of overreading needs to be turned on its head. The real danger is not only overreading <em>SRB</em>. It is underreading it. Critics often suggest that the Omnibus, by drawing on <em>SRB</em>, would make &#8220;personal data&#8221; a subjective concept. But I have never argued that personal data is subjective. I have argued that it is relative, or contextual. That is a very different claim. 
A subjective concept turns on unilateral assertion. A relative concept turns on the application of a common legal test to differing factual circumstances. That is exactly what Recital 26 already requires when it asks whether identification is possible by means reasonably likely to be used. The significance of <em>SRB</em> is that it reasserts that realism. To deny that such a judgment has anything meaningful to say about legislative attempts to operationalise that same realism is not prudence. It is interpretive selectivity.</p><p style="text-align: justify;"><strong>Rights rhetoric without rule-of-law discipline</strong></p><p style="text-align: justify;">EDRi repeatedly emphasises that the definition of personal data determines when the fundamental right to data protection applies, and therefore when GDPR safeguards become operational. That point is true. The difficulty lies in what the paper tries to do with it.</p><p style="text-align: justify;">The argument seems to be that because the definition matters constitutionally, any effort to clarify it in a more realistic, actor-relative way must be treated with suspicion, if not outright hostility. But that does not follow. A constitutional threshold is not protected by making it infinitely elastic. A right is not strengthened by making the point at which it applies increasingly indeterminate. Quite the opposite. When the scope becomes unstable, political and institutional power migrates away from the legislature and toward those who get to interpret, guide, and enforce the threshold in practice. That is a rule-of-law problem, not a solution.</p><p style="text-align: justify;">One of the most damaging habits in this field is the tendency to assume that maximal indeterminacy is morally superior to legal clarity. It is not. A threshold that can be stretched through soft law and administrative drift may feel attractive to those who want to keep as much as possible within the gravitational pull of the GDPR. 
But the cost is profound. The law becomes less foreseeable. Democratic accountability weakens. The distance between text and practice widens. And every perimeter question is pushed into an arena where institutional actors exercise power without the same democratic legitimacy that legislation carries.</p><p style="text-align: justify;">EDRi&#8217;s paper presents itself as defending rights against erosion. But the practical effect of its position is to defend the fog of doctrine. And doctrinal fog is not a fundamental right.</p><p style="text-align: justify;"><strong>Who benefits from keeping the perimeter vague?</strong></p><p style="text-align: justify;">At this point, the institutional stakes become impossible to ignore. The fight here is not simply about semantic nuance in Article 4(1). It is about who controls the practical perimeter of the GDPR.</p><p style="text-align: justify;">If the legal threshold remains abstract, unstable, and permanently contestable, then institutions such as supervisory authorities and the EDPB retain enormous de facto power over the law&#8217;s real scope through guidance and enforcement. Civil society groups whose legitimacy, influence, and funding models are tied to a broad politics of rights-based alarm also retain a familiar and useful terrain on which to operate. Every clarification becomes a rollback. Every legislative attempt to impose discipline becomes a threat. Every contextual refinement can be reframed as a form of deregulatory capture. We should be honest about that ecosystem&#8217;s incentives.</p><p style="text-align: justify;">None of this means that everyone defending the status quo is acting in bad faith. That would be too crude. But it does mean that the politics of this debate are not neutral. When EDRi warns that contextual identifiability would create uncertainty, it is not speaking from nowhere. 
It is speaking from within a wider institutional and advocacy environment that has grown comfortable with a certain kind of ambiguity, especially ambiguity that can be rhetorically converted into rights maximalism.</p><p style="text-align: justify;">But ambiguity is not neutral. It favours some actors over others. Large institutions with specialist legal teams and a high tolerance for uncertainty can navigate it. Smaller firms, researchers, public bodies, and ordinary market actors often cannot. They are left to operate under a cloud in which the scope of the law is broad in principle, unpredictable in detail, and often clarified only after the fact. If one cares about genuine legal certainty, that should matter.</p><p style="text-align: justify;">There is also an odd asymmetry in EDRi&#8217;s account of power. The organisation worries that a more contextual approach would favour large actors with greater technical and legal resources. That concern deserves to be taken seriously. But one must then compare it with the present arrangement. Under the current state of interpretive drift, who is best able to survive a world of vague triggers, sprawling compliance expectations, and ever-shifting guidance? Not small actors. Not start-ups. Not researchers operating near the margins of legal ambiguity. The present instability already favours scale. The question is whether we are willing to admit it.</p><p style="text-align: justify;"><strong>Why the Omnibus debate matters beyond the GDPR</strong></p><p style="text-align: justify;">EDRi also says that changing the definition of personal data would have structural consequences across the wider EU legal framework and could create cascading effects across the digital rulebook. On one level, that is obviously true. The GDPR serves as a baseline across multiple instruments.</p><p style="text-align: justify;">But this argument again proves too much. 
The relevant question is not whether the GDPR&#8217;s perimeter matters beyond the GDPR. Of course it does. The real question is whether the current instability of that perimeter is itself causing systemic problems across adjacent regimes. In my view, it plainly is.</p><p style="text-align: justify;">An overextended and conceptually unstable trigger pushes too many problems into data protection law by default. Questions that belong, at least in part, to consumer protection, the AI Act, competition law, platform regulation, cybersecurity, media regulation, or sector-specific frameworks are recoded as threshold fights over personal data because the perimeter of the GDPR remains so expansive and uncertain in practice. That is not systemic coherence. It is a regulatory distortion.</p><p style="text-align: justify;">A clearer and more realistic account of identifiability would not blow up the digital acquis. It would help stabilise it. It would help ensure that the GDPR does what it is supposed to do, while allowing other parts of the rulebook to do their own work at the appropriate layer. 
In that sense, legal certainty about scope is not an enemy of rights. It is one of the conditions for a more coherent rights architecture across the wider acquis.</p><p style="text-align: justify;">This is why the Omnibus debate matters so much. It is not a technical quarrel about a single recital or a proposed amendment. It is a constitutional debate about perimeter-setting, institutional balance, and whether the legislature may still clarify the law when administrative practice has drifted too far from legal discipline.</p><p style="text-align: justify;"><strong>Digital rights advocacy cannot survive on misinformation.</strong></p><p style="text-align: justify;">The most troubling feature of EDRi&#8217;s intervention is not simply that it takes the wrong side on a difficult legal question. Reasonable people can disagree. The paper treats contextual identifiability as a threat to rights, when in reality it is the legal structure that the GDPR itself already points to. It calls lawful differentiation between actors &#8220;fragmentation&#8221;, even though the same legal test can perfectly well yield different answers in different contexts. It minimises the significance of <em>SRB</em> because the Court&#8217;s insistence on realistic analysis is inconvenient to the maintenance of an abstract, expansive politics of scope. And it dresses all of this in the language of fundamental rights, as though constitutional seriousness requires permanent resistance to legislative clarification. That is not good enough.</p><p style="text-align: justify;">You cannot claim to stand for fundamental rights while spreading misinformation about what contextual identifiability means. You cannot present yourself as a defender of digital rights while being selective about democratically enacted legislation, celebrating law when it aligns with your preferred politics of scope and denouncing it when it imposes discipline on your institutional worldview. 
You cannot dismiss, minimise, or strategically sidestep the significance of CJEU case law when it cuts against your position and then speak with a straight face about the rule of law. And you certainly cannot do all of that while insisting that those seeking clearer, democratically grounded perimeter-setting are engaged in some covert project of rights reduction. That is not principled advocacy; rather, it is selective constitutionalism.</p><p style="text-align: justify;">If digital rights advocacy is to retain credibility, it has to be more than a reflex defence of the broadest possible reading of every trigger, in every context, at every moment. It has to include intellectual honesty about the law&#8217;s text, seriousness about institutional incentives, respect for democratic legislation, and genuine fidelity to the Court when it resists abstract overreach. Without those things, &#8220;digital rights&#8221; becomes less a constitutional commitment than a slogan deployed to preserve a preferred status quo. And that, ultimately, is why EDRi&#8217;s pages 2 and 3 are so disappointing. They do not defend the law against simplification. They defend ambiguity against discipline. They do not protect rights by insisting on realism. They protect a politics of perimeter panic in which almost any clarification can be cast as danger. 
For those of us who actually care about rights, legal certainty, and the rule of law together, that should not be good enough.</p>]]></content:encoded></item><item><title><![CDATA[One Bad EDPB Joint Opinion Spoils the Apple]]></title><description><![CDATA[How the EDPB&#8217;s draft scientific research guidelines risk turning GDPR safeguards into a gatekeeping test that pushes genuine innovation outside the EU]]></description><link>https://digidata.substack.com/p/one-bad-edpb-joint-opinion-spoils</link><guid isPermaLink="false">https://digidata.substack.com/p/one-bad-edpb-joint-opinion-spoils</guid><dc:creator><![CDATA[Dr Mark R Leiser]]></dc:creator><pubDate>Sat, 18 Apr 2026 12:55:37 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!x9tp!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa3b41a78-0b10-4cfd-8136-74e0b3fbb774_602x404.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>Imagine Isaac Newton today.</p><p>An apple falls in a lab. It hits a volunteer on the head. Personal data is processed. Notes are taken. Reactions are observed. A pattern begins to emerge.</p><p>Now ask the <a href="https://www.edpb.europa.eu/our-work-tools/documents/public-consultations/2026/guidelines-12026-processing-personal-data_en">EDPB&#8217;s draft Guidelines 1/2026</a> a simple question: is this &#8220;scientific research&#8221;?</p><p>At one level, the answer should be easy. Of course, the volunteer should be protected. Of course, there should be safeguards. Of course, the GDPR matters.</p><p>But that is not where the real difficulty lies.</p><p>The real difficulty is that the Guidelines increasingly seem to confuse science with the institutional habits of established academia.</p><p>On paper, the Guidelines say the right things. They repeat that &#8220;scientific research&#8221; should be interpreted broadly. 
They acknowledge applied research, technological development, and privately funded research. They even say research can be conducted for profit.</p><p>But then the document builds a gatekeeping structure around six so-called key indicative factors. Meet all six, and you are presumed to be doing scientific research. Miss one, and the burden flips. Now you must justify and demonstrate why your work should nonetheless count as science.</p><p>That is where the problem begins.</p><p>Because what are these factors really doing?</p><p>They privilege publication and sharing of results. They emphasise autonomy and independence in a way that sits far more comfortably with universities than with product teams, startups, commercial labs, or tightly governed industrial R&amp;D. They refer to researchers as having academic or scientific qualifications, even citing a PhD as an example. They ask whether the activity contributes to society&#8217;s general knowledge and well-being. 
They point towards independent review bodies as evidence of scientific merit.</p><p>None of this is wholly irrational. But taken together, it creates a very particular image of what &#8220;real&#8221; science looks like. It looks planned. It looks committee-approved. It looks publishable. It looks institutionally familiar. It looks, above all, respectable to the regulator.</p><p>That may describe some science. It does not describe all of it.</p><p>Real discovery is often messy. It is iterative. It is exploratory. It is sometimes secretive for good reasons. It does not always begin with a neat hypothesis, a peer review pipeline, a university partner, or a public dissemination strategy. 
Some of the most consequential scientific and technological breakthroughs have emerged from private labs, hybrid teams, commercial settings, or environments where publication comes later, if at all.</p><p>That is why the Newton example matters.</p><p>If Newton had to prove from the outset that his apple incident sat neatly within a comprehensive research plan, satisfied a regulator&#8217;s preferred picture of independence, and was directed toward publicly verifiable and shareable results, we would immediately see how odd the exercise is. The problem is not the existence of safeguards for the person under the tree. The problem is that the Guidelines risk turning the legal concept of scientific research into a cultural test about what regulators think science ought to look like.</p><p>And this is also where the legal structure begins to wobble.</p><p>Recital 159 GDPR does not point in a narrow direction. It says scientific research should be interpreted broadly to include technological development and demonstration, fundamental research, applied research, and privately funded research. That is a strong textual signal. Yet the Guidelines seem unable to state openly that private research is excluded, because the GDPR will not allow them to do so. So instead, they move by implication. They construct a six-part test whose centre of gravity lies in publication, external review, academic qualifications, and public-facing scientific legitimacy. Formally, private research remains included. Functionally, it is placed under suspicion.</p><p>That is why the document feels oddly extra-legal. The six-factor framework is not derived directly from the GDPR&#8217;s text. It is assembled by gesturing toward a mix of codes, standards, and general research norms, without a convincing explanation of why those materials should harden into a quasi-legal threshold for access to the GDPR&#8217;s research framework. The result is not genuine clarification. 
It is a kind of duck test for science: if the work looks enough like the regulator&#8217;s preferred image of research, it gets through. If not, the burden shifts back to the controller to explain itself.</p><p>The paragraph on verifiability and transparency is a particularly good example. It says results are shared with other parties, for example, by publication, or will be shared in the future, subject to intellectual property and trade secret limits. But that formulation quietly narrows the space that Recital 159 seemed to leave open. It treats dissemination as the standard marker of legitimacy, even though serious R&amp;D often involves controlled disclosure, regulatory reporting, internal validation, or confidential development pathways that are no less methodologically rigorous than those required for journal articles. The GDPR did not define scientific research as publishable research. The Guidelines come dangerously close to saying exactly that.</p><p>There is one genuinely useful clarification buried in the text. The section on ancillary processing operations appears to recognise that preparatory and supporting activities related to research can themselves fall under the broader umbrella of scientific research. That matters. But even there, the drafting is clumsy. The Guidelines seem to suggest that anonymisation, as a preparatory step, can sit within the research framework, whereas elsewhere the logic of anonymisation is that, once the process succeeds, the resulting data falls outside the GDPR. That is not fatal as a legal proposition, but it needed to be explained much more carefully than it was.</p><p>And here is the deeper economic point. If Newton cannot satisfy this test inside the EU, he does not stop experimenting. He moves the lab. He relocates the team, the capital, and the data-intensive stage of the work to a jurisdiction with clearer, more functional rules. <strong>That is how this kind of regulatory posture harms innovation.</strong> It does not usually kill it outright. It pushes it elsewhere.</p><p>That is a mistake.</p><p>The GDPR itself does not treat scientific research as a status reserved only for universities, peer-reviewed journals, or people with the right institutional markers. 
It structures it as a purpose category, constrained by safeguards. That is the key point. The right question is not whether the project feels academic enough. The right question is whether the activity is genuinely directed at generating new knowledge or resolving scientific or technological uncertainty, and whether it is being conducted under robust safeguards.</p><p>That is also why the Guidelines&#8217; own examples are so revealing. A startup doing generative AI research is treated as scientific research when it partners with a university, secures ethical review, uses established methods, and publishes a peer-reviewed paper. But the same document treats a company&#8217;s internal analysis of sales data for marketing strategy as outside scientific research. The line between those examples is not just about science versus non-science. It is also about which forms of institutional legitimacy the EDPB is prepared to recognise.</p><p>And that poses a serious risk to modern R&amp;D.</p><p>Commercial research is said to be included, but it is included in a way that feels permanently suspect. Product development is not excluded in express terms, but it is pushed into a posture of justification. Startups and industrial labs are told, in effect, you may count as science, but only if you can perform science in a manner that looks sufficiently like academia.</p><p>That is not legal clarity. That is a recipe for contestability, compliance conservatism, and chilled innovation.</p><p>There is a better way.</p><p>A serious framework would ask whether the work contains an appreciable element of novelty and whether it seeks to resolve scientific or technological uncertainty. It would then insist on strong Article 89-style safeguards: data minimisation, pseudonymisation where possible, ethical oversight where appropriate, transparency, access controls, and meaningful governance. 
That approach would protect people without redefining science so narrowly that only the most institutionally legible forms of research can enter the gate.</p><p>The law should police harm, coercion, opacity, and misuse of personal data.</p><p>It should not turn into a No True Scotsman test for science.</p><p>Otherwise, the next Newton will not be told to watch where the apple is falling.</p><p>He will be told to come back once he has a committee, a publication strategy, and a more respectable biography. And if he cannot do that, he will build the laboratory somewhere else.</p>]]></content:encoded></item><item><title><![CDATA[When “Scientific Research” Stops Being Scientific]]></title><description><![CDATA[The hidden costs to innovation of the EDPB&#8211;EDPS Joint Opinion on the Digital Omnibus]]></description><link>https://digidata.substack.com/p/when-scientific-research-stops-being</link><guid isPermaLink="false">https://digidata.substack.com/p/when-scientific-research-stops-being</guid><dc:creator><![CDATA[Dr Mark R Leiser]]></dc:creator><pubDate>Mon, 16 Feb 2026 19:36:29 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!M3bI!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbf7eb0b2-decb-4c23-9c2a-6a56511d26f4_1379x919.webp" length="0" type="image/jpeg"/><content:encoded><![CDATA[<h1><strong>Introduction</strong></h1><p>The <a href="https://www.edps.europa.eu/system/files/2026-02/edpb_edps_jointopinion_202602_digitalomnibus_en.pdf">European Data Protection Board and the European Data Protection Supervisor have now issued Joint Opinion 2/2026</a> on the Commission&#8217;s <a href="https://digital-strategy.ec.europa.eu/en/library/digital-omnibus-regulation-proposal">Digital Omnibus proposal</a>. 
The Digital Omnibus is part of a broader effort to simplify the EU&#8217;s digital legislative framework: to reduce overlap, clarify scope, lower compliance burdens, and ensure that Europe&#8217;s data rules remain workable in practice rather than admirable in theory.</p><p>Simplification is not cosmetic. Over the past decade, the EU digital acquis has expanded rapidly: GDPR, the <a href="https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng">Data Act</a>, <a href="https://eur-lex.europa.eu/eli/reg/2022/868/oj/eng">the Data Governance Act</a>, <a href="https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L_202401689">the AI Act</a>, sectoral regimes (e.g., <a href="https://health.ec.europa.eu/ehealth-digital-health-and-care/european-health-data-space-regulation-ehds_en">European Health Data Space Regulation</a>), and national implementing variations. For research institutions, startups, pharmaceutical sponsors, AI developers, and SMEs, the cumulative effect is not just high standards but structural complexity. Legal uncertainty around identifiability, secondary use, pseudonymisation, and research exemptions has become a friction point for innovation across the Union. The Digital Omnibus is an attempt to confront that reality.</p><p>The Joint Opinion from the EDPB and EDPS is, on its face, well-intentioned. It seeks to preserve fundamental rights, maintain legal coherence, and avoid unintended dilution of data protection guarantees. Those are legitimate objectives. But good intentions do not immunise <em>institutional positions from unintended systemic effects</em>. 
This post argues that, particularly in the sections addressing pseudonymisation and scientific research, the Joint Opinion risks producing consequences far beyond technical clarification.</p><p>By resisting harmonised criteria for when pseudonymised data may fall outside the GDPR for certain actors, and by reshaping the contours of what qualifies as &#8220;scientific research&#8221;, the Opinion introduces new uncertainty at precisely the points where research ecosystems and private R&amp;D depend on clarity. The effect is not likely to be <em>immediate prohibition</em>. It is more subtle: increased contestability, supervisory divergence, compliance conservatism, and ultimately reduced investment in EU-based data-driven <em>innovation</em>.</p><p>The paradox is striking. A simplification initiative designed to make the digital rulebook more navigable may, if the Joint Opinion&#8217;s approach prevails, leave research actors navigating an even narrower and less predictable pathway. 
</p><p><em>(Note: There is a deeper structural issue here. Part of the friction does not lie only in the substance of the Joint Opinion, but in the way the EDPB drafts and structures its guidance more generally. The documents are often written in a highly lawyerly register, layered with cross-references, recitals, qualifications, and implicit doctrinal moves that require careful decoding. For academics and large platforms with in-house counsel, that may be manageable. For SMEs, start-ups, and interdisciplinary research teams, it effectively necessitates external legal interpretation. The interpretive step becomes a cost centre in its own right. That drafting style is not inevitable. A comparison with the ICO&#8217;s guidance illustrates the point. The ICO tends to foreground practical explanations, concrete examples, and structured pathways through compliance questions. The legal architecture remains intact, but the navigational map is clearer. Clarity reduces friction. Friction shapes behaviour. Behaviour shapes innovation. If simplification is the political objective, then drafting style is not a cosmetic issue. It is part of regulatory design. Complexity does not only arise from rules. It also arises from how those rules are communicated and operationalised&#8230;But I digress!)</em></p><p>The question is not whether data protection should remain robust. It must. The question is whether preserving maximal interpretive control over the regulatory perimeter serves data subjects better than enabling safe, well-governed, and technologically mature research infrastructures to flourish within Europe.</p><p>That is the tension this post examines.</p><h1><strong>Impact on Research and Innovation</strong></h1><p>The Joint Opinion contains two moves that matter directly for research and innovation. 
First, it rejects the proposed mechanism that would have clarified when data resulting from pseudonymisation should, for certain entities, no longer be treated as personal data under a new Article 41a GDPR, to be specified through implementing acts. I have addressed that aspect <a href="https://digidata.substack.com/p/holding-the-line-on-personal-data">elsewhere</a>, but I revisit it in part in this post. Second, while the Opinion welcomes greater clarity for scientific research, it recommends reframing the proposed definition in ways that risk narrowing practical access to the GDPR&#8217;s research flexibilities, particularly for private sector actors and public&#8211;private collaborations.</p><p>In the context of scientific research, the Joint Opinion, citing <a href="https://www.privacy-regulation.eu/en/recital-159-GDPR.htm">Recital 159 of the GDPR</a>, expressly acknowledges that research may support innovation and also pursue commercial interests. It nevertheless recommends removing references to innovation and commercial interests from the operative definition and instead introducing criteria such as &#8220;autonomous and independent&#8221; research and &#8220;verifiable and transparent results&#8221;, with particular emphasis on the public availability of results.</p><p>Taken together, that combination is likely to function as a <em>gatekeeping</em> signal. Commercial research is rhetorically <em>accepted</em>, yet structurally <em>downgraded</em>. Independence and public dissemination are elevated into quasi-qualifying criteria. Those features sit uneasily with proprietary R&amp;D, clinical product development, and many reproducibility-driven workflows that depend on controlled disclosure. 
The approach is difficult to reconcile with the GDPR&#8217;s own instruction that scientific research be interpreted broadly, including &#8220;technological development and demonstration&#8221; and &#8220;privately funded research&#8221;.</p><p>There is understandable industry concern that the Opinion seems to suggest that private research cannot qualify. Although it does not explicitly state so, the recommendation to remove references to innovation and commercial interests from the definition, coupled with the example that &#8220;product research and development&#8221; may support innovation but does not necessarily constitute scientific research, sends a signal. The risk is not a textual prohibition on private research. The risk is an enforcement-relevant ambiguity that invites restrictive supervisory interpretations and produces chilling effects in public&#8211;private research ecosystems.</p><p>That ambiguity does not sit neatly within corporate R&amp;D departments. Much of contemporary research, whether conducted by multinational firms or universities, is structurally cross-border. Data may be collected in one Member State, curated in another, and analysed in a third. Large European companies operate distributed research hubs across the Union. Universities routinely collaborate across borders, pooling datasets and expertise. The legal qualification of the activity as &#8220;scientific research&#8221; therefore has direct implications for cross-border transfers, governance arrangements, and the availability of GDPR flexibilities.</p><p>If supervisory authorities in different Member States read the Opinion through a restrictive lens, fragmentation becomes a real possibility. A dataset considered eligible for research flexibilities in one jurisdiction could be treated more narrowly in another. That kind of uncertainty does not only constrain private industry. It burdens academic consortia, joint laboratories, and Horizon-style collaborations. 
The chilling effect operates symmetrically. When definitions become doctrinally tightened but operationally unclear, risk-averse compliance teams respond predictably: they narrow projects, slow partnerships, or decline participation altogether. The paradox is that an interpretive move framed as clarificatory may, in practice, complicate precisely the cross-border research structures the Union has spent decades building.</p><p>The net likely impact, if the Joint Opinion&#8217;s framing is adopted or becomes supervisory orthodoxy, is greater uncertainty and higher compliance friction precisely in the settings where EU innovation policy depends on data access and linkage: multi-controller consortia, trusted research environments, federated analytics, and SMEs/startups that cannot afford prolonged legal contestation. The most defensible policy path is to preserve rights through enforceable safeguards (Article 89(1) GDPR, DPIAs, secure access, auditability) while keeping the research concept actor&#8209;neutral and explicitly inclusive of privately funded and industrial applied research, and while using harmonised technical criteria to encourage stronger pseudonymisation and safer sharing rather than penalising it.</p><p>In a <a href="https://digidata.substack.com/p/holding-the-line-on-personal-data">previous post</a>, I argued that the rhetoric used to maintain the status quo on the definition of personal data was more akin to a power play against the European Commission. The scientific research section of the Joint Opinion is structured differently. It opens in a conciliatory register. It welcomes the aim of harmonisation and legal certainty. It recognises elements in the proposed definition, such as contributions to scientific knowledge, societal well-being, and adherence to ethical standards. Then, having established that tone, it proceeds to reengineer the concept.</p><p>The proposed intervention is not cosmetic. 
The Opinion recommends moving methodological criteria into the operative definition itself: a systematic approach, autonomy and independence, verifiable and transparent results, with transparency potentially involving public availability. At the same time, it suggests relocating &#8220;support innovation&#8221; and &#8220;further a commercial interest&#8221; to the recitals. It adds that product research and development may support innovation, but does not necessarily qualify as scientific research.</p><p>At some level, any definition of research will involve contestable terms. Law cannot eliminate vagueness entirely. We will always fight over the margins. That is not a drafting failure. It is the nature of norm-setting in complex domains. The difficulty here is more specific. Paragraph 29 criticises the indeterminacy of phrases such as &#8220;furthering a commercial interest&#8221;, yet replaces them with formulations such as &#8220;autonomous and independent manner&#8221; and &#8220;methodological and systematic approach&#8221;. Those expressions are no less open-textured. What does <em>autonomy</em> mean in a public&#8211;private consortium? What does <em>independence</em> look like in a corporate research lab that collaborates with a university? What degree of transparency satisfies &#8220;<em>verifiable results</em>&#8221;?</p><p>The Opinion gestures toward ethical codes and research standards to flesh this out. Yet anyone who has spent time in research governance knows that these communities disagree persistently about what counts as independence, transparency, or methodological rigour. These are living debates, not settled technical checklists.</p><p>Critics such as NOYB are right to observe that language like &#8220;any research that supports innovation&#8221; could be read extremely broadly. One can see why the EDPB is wary of a definition that might be invoked opportunistically. 
But the proposed solution does not eliminate indeterminacy; rather, it redistributes it. By embedding contested methodological criteria into the binding definition while relegating innovation and commercial references to non-binding recitals, the Opinion risks increasing rather than reducing uncertainty.</p><p>The irony is almost architectural. In seeking to close one interpretive gap, the Opinion opens several others, and does so in a way that will ultimately depend on <em><strong>supervisory discretion.</strong></em> When the binding text becomes narrower, and the contextual explanations move into softer recitals, enforcement-relevant ambiguity does not disappear; it metastasises.</p><p>On purpose limitation, the Opinion supports clarifying that further processing for scientific research is compatible, independently of the Article 6(4) compatibility test. Still, it stresses that compatibility should not be conflated with lawfulness and highlights that data subject rights may vary depending on the initial legal basis. On transparency, it supports a new derogation where individual notice would be impossible or disproportionate, but recommends narrowing language (&#8220;where and insofar&#8221;) and provides examples where notice would impair research. Finally, it clarifies that scientific research may pursue a legitimate interest under Article 6(1)(f) of the GDPR, while reminding that other legal bases may be more appropriate in some cases.</p><h1><strong>Implementing Acts, Scope, and What Article 8(3) CFR Does and Does Not Do</strong></h1><p>It is worth reiterating that the Joint Opinion is right that clarifying when pseudonymised data remains personal data can affect the GDPR&#8217;s practical perimeter; that is precisely why harmonised criteria can matter. The logical gap is the leap from &#8220;scope&#8209;relevant&#8221; to &#8220;constitutionally improper for implementing acts&#8221;. 
Article 8(3) CFR requires independent supervision of compliance; it does not, by itself, allocate exclusive interpretive control over the definition of personal data to supervisory authorities, nor does it prohibit the legislature from mandating uniform technical criteria through implementing measures that remain subject to judicial review.</p><p>The Opinion&#8217;s framing also sits uneasily with the nature of the &#8220;means reasonably likely to be used&#8221; test, which is inherently technical and time&#8209;sensitive: cost, time, available technology, and realistic legal access are factual variables, and both the CJEU in <em>Breyer</em> and in the more recent <em>EDPS v SRB</em> litigation emphasise contextual assessment rather than formal labels. A delegated technical standard can therefore be understood not as a redefinition of scope, but as a stabilisation of how to operationalise &#8220;reasonably likely&#8221; in particular data&#8209;sharing patterns (for example, where keys are structurally segregated, access is contractually prohibited, and secure environments make reidentification realistically unavailable).</p><p>Where this becomes operationally significant is in the proposed solution. The Opinion resists embedding certain elements in binding text and instead gestures toward <em><strong>further guidance</strong></em>. Yet <em><strong>guidance </strong></em>is not a substitute for uniformity in high-stakes, cross-border research collaborations that depend on predictable classifications in order to design compliant data pipelines from the outset. When research infrastructures span multiple Member States, legal categorisation is not an academic exercise. It determines architecture, governance, contractual allocation of responsibility, and risk modelling.</p><p>The Opinion itself acknowledges fragmentation in Member State practice. That makes the reliance on additional non-binding guidance all the more paradoxical. If divergence already exists, layering guidance on top of an open-textured definition while resisting clearer binding criteria is a structurally weak way to deliver simplification. It assumes a level of interpretive convergence that the Opinion simultaneously concedes is lacking.</p><p>There is also an asymmetry that rarely gets spelt out. Large corporate actors can absorb interpretive complexity. They hire more lawyers. They commission external opinions. They build internal compliance teams. The friction slows them down, but it is manageable.</p><p>Now imagine the same interpretive burden falling on a lone researcher, a small start-up, or a doctoral candidate designing a data-driven thesis project. For them, another dense and lawyerly guidance document is not a minor inconvenience. It is a barrier to entry. 
They do not have in-house counsel. They do not have the resources to triangulate supervisory positions across jurisdictions. They have to make ex ante design decisions in conditions of uncertainty.</p><p>In that light, &#8220;further guidance&#8221; begins to look less like clarification and more like displacement. The complexity does not disappear. It moves downstream, onto those least equipped to manage it. And that is an odd way to pursue simplification in a research ecosystem that depends as much on small actors and early-career scholars as it does on multinational laboratories.</p><h1><strong>Scientific Research, Private Sector Eligibility, and how the &#8220;Commercial Interest&#8221; Question is being Misframed</strong></h1><p>If the industry reading is &#8220;they are saying private research cannot qualify&#8221; (a worry already conveyed to me), the most rigorous response to the EDPB/EDPS is this: the GDPR itself contradicts that reading. Recital 159 instructs that scientific research be interpreted broadly and explicitly includes &#8220;technological development and demonstration&#8221; and &#8220;privately funded research&#8221;. That is not an incidental recital; it is the clearest textual signal in the GDPR about the intended breadth of &#8220;scientific research purposes&#8221;. It is also consistent with the policy architecture of the GDPR research provisions, which were never designed as a blanket exemption. Research processing remains within the GDPR framework, but operates under a conditional regime structured around safeguards, most prominently Article 89(1). That architecture reflects a deliberate choice. Research is not deregulated. It is regulated differently, provided that appropriate technical and organisational measures are implemented.</p><p>In that sense, a normative argument often gets lost in the definitional skirmishing. One might reasonably want more actors, not fewer, to operate within Article 89(1). 
The provision explicitly anchors research flexibility to safeguards such as data minimisation, appropriate technical and organisational measures, and, where possible, pseudonymisation. It is one of the few places outside Article 32 where pseudonymisation is foregrounded as part of the structural design of lawful processing. The logic is clear: flexibility is granted in exchange for embedded protective architecture.</p><p>There is also an unintended dynamic lurking beneath the surface. If the definitional threshold for &#8220;scientific research&#8221; becomes too narrow or too uncertain, rational actors will look for alternative legal bases. They may structure processing under other grounds in Article 6 or Article 9 that do not trigger the specific safeguard logic of Article 89(1). In doing so, they could end up operating within the GDPR, but outside the research-specific protective frame that emphasises pseudonymisation and structured safeguards.</p><p>From a data protection perspective, that is an odd outcome. A regulatory move intended to prevent overbroad invocation of research flexibilities might inadvertently incentivise routes that involve fewer built-in structural protections. Pushing actors toward Article 89(1), where appropriate, aligns innovation with explicit safeguard obligations. Pushing them away from it may produce the opposite of what a precautionary instinct would seek to achieve.</p><p>The Joint Opinion does not deny that research may be commercially oriented. It expressly says so and cites Recital 159. The vulnerability lies in what it recommends next. It proposes removing innovation- and commercial-interest-related language from the binding definition and replacing it with criteria such as autonomy, independence, and a transparency requirement, with a gloss on possible public availability of results. That manoeuvre is not doctrinally compelled by the GDPR. Nor is it a neutral drafting tweak. 
It risks producing a <em>de facto</em> exclusion of private R&amp;D through indeterminate qualifiers that will inevitably be read conservatively in enforcement contexts.</p><p>There is a second irritation embedded in the drafting technique. The Opinion frequently pushes interpretive substance into recitals, which are non-binding by design. In the relevant footnote, it simultaneously signals discomfort with the operative language and insists that it does not disagree with the underlying principle. In effect, it says: remove this from the definition, but we do not reject the idea behind it. That is a curious move.</p><p>If the concern is that &#8220;supporting innovation&#8221; or &#8220;furthering a commercial interest&#8221; is too open-ended, then the regulatory task is to articulate a workable refinement. Instead, the solution offered is relocation. The commercial dimension is displaced to the recitals, while methodological criteria are elevated into the enacting terms. No substantive alternative framework has been proposed to distinguish legitimate commercial research from opportunistic invocations. The hard conceptual work is deferred.</p><p>The functional consequence is predictable. Supervisory authorities and compliance teams will treat what appears in the binding definition as decisive and what sits in recitals as secondary. Actors will internalise the signal that commercial orientation is suspect, even if not formally excluded. That chilling effect is foreseeable. Yet by couching the move as mere drafting hygiene and preserving rhetorical allegiance to the underlying principle, the Opinion avoids taking full ownership of the narrowing dynamic it sets in motion. Regulatory architecture matters. Where substance sits in a legal instrument is not stylistic trivia. 
It shapes incentives, enforcement posture, and ultimately the boundaries of permissible activity.</p><p>The key point is this: the GDPR does not structure &#8220;scientific research&#8221; as a status category tied to institutional form (<em>university</em> versus <em>company</em>), funding source (<em>public </em>versus <em>private</em>), or downstream commercialisation. Instead, it structures it as a purpose category constrained by safeguards. When the Joint Opinion implies that &#8220;product research and development&#8221; does not necessarily constitute scientific research, it is making a legitimate anti-abuse point (not all &#8220;R&amp;D&#8221; labels are science), but it does so using an underspecified boundary that invites over-inclusion, particularly if supervisory authorities treat <em>commercial </em>incentives as evidence against &#8220;independence&#8221;.</p><p>A more GDPR-compliant approach would distinguish science from non-science through governance and methodological integrity indicators compatible with private-sector practice, rather than embedding &#8220;independence&#8221; and &#8220;publicness&#8221; as freestanding thresholds. In clinical research and regulated product development, research integrity is typically secured through protocol governance, ethics committee oversight, preregistered statistical analysis plans, audit trails, monitoring obligations, and regulatory scrutiny. Commercialisation may be the end goal, but methodological discipline and external oversight are often far more stringent than in loosely structured academic settings.</p><p>The Joint Opinion&#8217;s proposed criteria do not map cleanly onto those operational realities. &#8220;Autonomy&#8221; and &#8220;independence&#8221; are presented almost as existential attributes of research, yet in many regulated industries, research is embedded in corporate structures precisely because it is accountable, auditable, and reviewable. 
Likewise, &#8220;public availability&#8221; of results is not the only proxy for transparency. Transparency can exist within regulatory reporting, supervisory inspection, or structured disclosure regimes without full public dissemination of commercially sensitive findings.</p><p>There is also a striking omission. One might have expected a more explicit engagement with Article 9. Much of the regulatory anxiety around research arises where special categories of data are involved. Article 9 already structures that terrain through explicit conditions, derogations, and safeguards. Differentiating research contexts by reference to data sensitivity and the applicable Article 9 pathway would have been a more doctrinally grounded way to calibrate risk. Instead, the definitional recalibration proceeds largely at the level of abstract methodology and institutional character.</p><p>That feels like a missed opportunity. The GDPR already contains a risk-sensitive architecture. Article 89(1) ties research flexibilities to safeguards. Article 9 imposes heightened thresholds for special categories. A definition of scientific research that interacts coherently with those provisions would reinforce internal consistency. By contrast, importing open-textured criteria about independence and publicness, without anchoring them to data sensitivity or governance intensity, creates a mismatch between definitional theory and regulatory practice.</p><p>And it is precisely that mismatch that produces chilling effects. When the legal category does not reflect how research is actually governed in regulated sectors, cautious actors narrow their activities or reroute them entirely. Innovation does not collapse overnight. 
It simply slows, fragments, or relocates.</p><h1><strong>Purpose Limitation &amp; Transparency: Where the Opinion Amplifies Uncertainty</strong></h1><p>In the context of <strong>purpose limitation,</strong> the Commission proposal (as reflected in the legislative text) aims to make explicit that further processing for scientific research is treated as compatible, in line with the GDPR&#8217;s existing logic and its research safeguards. The Joint Opinion endorses this but emphasises that compatibility should not be confused with lawfulness, and that rights vary with the initial legal basis. Formally, that is correct, but its practical effect is to reintroduce legal uncertainty into what is supposed to be a simplification exercise: research teams already struggle to operationalise multi-basis processing (consent, public interest tasks, legal obligation, legitimate interests) across cross-border datasets and long time horizons.</p><p>On <strong>transparency</strong>, the Opinion&#8217;s suggestion to add &#8220;where and insofar&#8221; language narrows the derogation but does not solve the structural problem: large-scale secondary use and retrospective research often cannot feasibly provide individual notice, and research operators need clear, workable standards for when public notices, registry postings, or layered transparency suffice. If &#8220;scientific research&#8221; itself becomes contestable for private actors, the transparency derogation becomes correspondingly risky to rely on, multiplying friction.</p><h1><strong>Likely Practical Effects on Research and Innovation Workflows</strong></h1><p>The likely impact should be assessed less in abstract rights language and more in terms of workflow breakpoints: data access, linkage, pseudonymisation architecture, reproducibility obligations, and cross-organisational collaboration. 
The Joint Opinion&#8217;s recommendations credibly increase contestability at each breakpoint, especially for private and mixed consortia.</p><p>The main mechanism is chilling through <em>classification risk</em>. If research teams cannot predict whether a DPA will accept that a project qualifies as &#8220;scientific research,&#8221; particularly when the commercial orientation is evident, they respond rationally. They over-comply. They avoid data linkage. They narrow secondary uses. They default to consent even where it is operationally impractical or scientifically distorting. They decline cross-sector collaborations. None of this requires a formal prohibition. It flows from uncertainty at the boundary.</p><p>Empirical work on GDPR compliance in cross-border clinical research already reports persistent legal uncertainty and operational burden as barriers to efficient research practice. Add definitional instability to that mix and the friction compounds. There is a further structural consequence that deserves emphasis. Divergent DPA approaches do not just create paperwork headaches. They distort sample construction. Suppose one Member State&#8217;s authority takes a relatively permissive view of what qualifies as scientific research, while another adopts a narrower interpretation. Research sponsors can concentrate trials in the more permissive jurisdiction. They can conduct the study there. They can generate results.</p><p>But the cost is methodological. Sample diversity shrinks. Cross-border representation declines. Population heterogeneity suffers. The resulting dataset may be legally cleaner, but scientifically weaker. A large, diverse, multi-jurisdictional cohort is often essential to methodological robustness. Fragmentation pushes researchers toward geographically concentrated samples that are easier to govern but less representative. There is a quiet irony here. 
The Opinion emphasises &#8220;methodological and systematic&#8221; approaches as hallmarks of scientific research. Yet by increasing classification uncertainty and amplifying cross-border divergence, it risks undermining precisely those methodological ambitions in practice. A systematic approach requires predictable legal parameters. Without them, science does what it always does under constraint: it adapts, but not always in ways that optimise quality.</p><p><strong>Comparative impact table:</strong></p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!Cnmu!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F313bea01-a902-477e-a50f-c728793d659b_802x817.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!Cnmu!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F313bea01-a902-477e-a50f-c728793d659b_802x817.png 424w, https://substackcdn.com/image/fetch/$s_!Cnmu!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F313bea01-a902-477e-a50f-c728793d659b_802x817.png 848w, https://substackcdn.com/image/fetch/$s_!Cnmu!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F313bea01-a902-477e-a50f-c728793d659b_802x817.png 1272w, https://substackcdn.com/image/fetch/$s_!Cnmu!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F313bea01-a902-477e-a50f-c728793d659b_802x817.png 1456w" sizes="100vw"><img 
src="https://substackcdn.com/image/fetch/$s_!Cnmu!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F313bea01-a902-477e-a50f-c728793d659b_802x817.png" width="802" height="817" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/313bea01-a902-477e-a50f-c728793d659b_802x817.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:817,&quot;width&quot;:802,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:83877,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://digidata.substack.com/i/187957359?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F313bea01-a902-477e-a50f-c728793d659b_802x817.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!Cnmu!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F313bea01-a902-477e-a50f-c728793d659b_802x817.png 424w, https://substackcdn.com/image/fetch/$s_!Cnmu!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F313bea01-a902-477e-a50f-c728793d659b_802x817.png 848w, https://substackcdn.com/image/fetch/$s_!Cnmu!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F313bea01-a902-477e-a50f-c728793d659b_802x817.png 1272w, https://substackcdn.com/image/fetch/$s_!Cnmu!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F313bea01-a902-477e-a50f-c728793d659b_802x817.png 1456w" sizes="100vw" 
loading="lazy"></picture></div></a></figure></div><h1><strong>Enforcement Dynamics &amp; Chilling Effects</strong></h1><p>A realistic enforcement model here is not immediate sanctions, but interpretive drift. Joint Opinions are not binding, but they are high-salience signals to DPAs and co-legislators, and they often shape the climate for supervisory authorities&#8217; consideration of &#8220;defensible&#8221; positions for enforcement and guidance. 
If the Joint Opinion&#8217;s recommendations on the research definition are adopted, DPAs are incentivised to treat &#8220;scientific research&#8221; as a constrained gateway: they will ask whether research is sufficiently &#8220;independent&#8221;, whether results are &#8220;publicly available&#8221;, and whether commercially motivated R&amp;D is &#8220;really science&#8221; or merely product optimisation. Because these criteria are not cleanly operationalisable, enforcement becomes inconsistent and negotiation-heavy. In cross-border clinical research, empirical evidence already points to divergent national approaches and burdensome compliance processes; adding a contested definition would likely intensify that divergence rather than reduce it.</p><p>In the context of pseudonymisation, the chilling effect is more architectural in nature. The CJEU&#8217;s reasoning in <em>EDPS v SRB</em> reinforces that identifiability is assessed relative to likely means available to a particular actor, and that strong pseudonymisation can change the classification for recipients who lack realistic reidentification means. A harmonised set of criteria could incentivise data holders to invest in stronger separation, key management, and secure access models because those investments would yield predictable compliance outcomes. Resisting those criteria, on the theory that they &#8220;redefine scope&#8221;, perversely discourages investment in privacy-enhancing research infrastructure by keeping the compliance status of &#8220;well&#8209;pseudonymised&#8221; sharing legally contestable.</p><h1><strong>Alternative Regulatory Approaches and Policy Recommendations: A Rights-Preserving, Innovation-Enabling Alternative to the Joint Opinion&#8217;s Definitional Tightening</strong></h1><p>The GDPR already contains the correct structural idea for research: a broad concept paired with enforceable safeguards. 
Recital 159&#8217;s explicit inclusion of privately funded and technological development research is a strong indicator that exclusion of private research is not the intended baseline. The policy challenge is misuse (labelling non-research as research). Still, the solution should be to strengthen safeguards and auditability, not to embed ambiguous epistemic criteria that inadvertently exclude legitimate private science.</p><p>A more robust legislative design, consistent with Article 16 TFEU&#8217;s competence for the legislature to lay down the rules and with Article 8 CFR&#8217;s focus on fair processing and independent supervision, would do four things:</p><ol><li><p>It would keep the definition actor-neutral and explicitly confirm that privately funded and industrial applied research can qualify when conducted to generate generalisable knowledge and is subject to Article 89 safeguards.</p></li><li><p>It would avoid making &#8220;public availability of results&#8221; a qualifying expectation; instead, it would require a documented dissemination pathway appropriate to context (publication, regulatory submission, patent filing, or controlled disclosure), recognising legitimate confidentiality and IP constraints.</p></li><li><p>It would treat &#8220;independence&#8221; as a governance property rather than an institutional property, defined through controls (protocol governance, auditability, conflict management) rather than by whether research is commercially sponsored.</p></li><li><p>It would support uniform technical criteria for pseudonymisation assessment in defined sharing patterns (trusted research environments, split&#8209;key models, federated analytics), because this is the most direct way to both reduce legal uncertainty and increase actual protection by encouraging stronger technical and organisational separation.</p></li></ol><h1><strong>Conclusion</strong></h1><p>If the Opinion&#8217;s posture prevails, the likely effect will not be an immediate 
prohibition on private research. It will be something subtler and arguably more damaging: a gradual narrowing of what is considered safe, defensible, and administratively sustainable for data-driven innovation within the Union. By resisting harmonised criteria for when strongly pseudonymised data should fall outside the GDPR for particular actors, the Opinion preserves legal contestability precisely where innovators most need clarity. Privacy-enhancing architectures such as split-key models, secure research environments, and federated analytics depend on predictable classification outcomes. If investment in stronger technical separation does not yield predictable regulatory treatment, the incentive to build safer data infrastructures weakens. That is not a pro-rights outcome; rather, it is a stagnation outcome.</p><p>Similarly, the approach to &#8220;scientific research&#8221; risks narrowing the concept in practice, even if not explicitly. By shifting emphasis toward independence, public availability, and distancing the definition from innovation and commercial orientation, the Opinion introduces ambiguity at the exact point where private R&amp;D, clinical product development, and AI training pipelines require certainty. The GDPR itself instructs that scientific research be interpreted broadly. If supervisory culture drifts toward treating commercially oriented research as presumptively suspect, the result will not be better protection. It will be legal hesitancy, fragmented enforcement, and reduced willingness to invest in EU-based data-intensive research.</p><p>Innovation ecosystems operate on predictability. Venture capital, public&#8211;private consortia, pharmaceutical development, and AI model training all depend on mapping legal exposure in advance. 
When qualification as &#8220;scientific research&#8221; becomes uncertain and pseudonymisation remains perpetually contestable, the rational response is conservatism: less linkage, fewer collaborations, more defensive compliance, and, in some cases, the relocation of data-intensive activity to jurisdictions with clearer guardrails. The secondary effect falls more broadly on research. Universities, hospitals, startups, and industry sponsors increasingly operate in hybrid networks. If private actors are chilled, collaborative science is chilled as well. If pseudonymised data sharing is legally fragile, large-scale longitudinal and cross-border studies become harder. The cost is borne not only by commercial actors but by the research ecosystem as a whole. The Joint Opinion presents itself as a defence of fundamental rights. But rights protection and innovation capacity are not opposites. The GDPR&#8217;s original architecture reflects that: broad eligibility for research, paired with enforceable safeguards; contextual identifiability, paired with technical separation; and flexibility, coupled with supervision.</p><p>A regulatory model that prioritises institutional control over the perimeter, resists technical harmonisation, and subtly narrows research eligibility risks undermining that balance. The question is not whether data protection should be strong. It should. The question is whether preserving interpretive dominance at the boundary of &#8220;personal data&#8221; serves data subjects better than enabling safer, clearer, and more predictable innovation pathways. Innovation does not fail loudly. It quietly relocates. If Europe wants both robust rights and competitive data-driven industries, the answer is not definitional contraction by ambiguity. 
It is clarity, proportionality, and incentives to build privacy into research infrastructures from the ground up.</p>]]></content:encoded></item><item><title><![CDATA[Holding the Line on Personal Data?]]></title><description><![CDATA[How the EDPB&#8211;EDPS Joint Opinion Prioritises Institutional Self-Preservation over Protecting Data Subjects]]></description><link>https://digidata.substack.com/p/holding-the-line-on-personal-data</link><guid isPermaLink="false">https://digidata.substack.com/p/holding-the-line-on-personal-data</guid><dc:creator><![CDATA[Dr Mark R Leiser]]></dc:creator><pubDate>Thu, 12 Feb 2026 10:04:58 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!PfFe!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fce6021ad-7454-48d5-8ebf-c3a59a0610aa_1536x1024.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>The EDPB and EDPS have now issued their <a href="https://www.edpb.europa.eu/our-work-tools/our-documents/edpbedps-joint-opinion/edpb-edps-joint-opinion-22026-proposal_en">Joint Opinion on the Commission&#8217;s Digital Omnibus</a> proposal, including the proposed clarification of the definition of &#8220;personal data.&#8221; On its surface, the Opinion presents itself as a principled 
defence of fundamental rights, legal certainty, and the integrity of the EU data protection framework. That is the formal register in which it speaks. A more careful reading, however, suggests that this is not simply a technical response to drafting adjustments, nor a narrow intervention on interpretive coherence, but a significant constitutional moment in an ongoing struggle over who controls the regulatory perimeter of the GDPR and, by extension, who determines the institutional centre of gravity in EU digital governance. The disagreement is framed as technical. It is not merely technical. It concerns the allocation of authority, the preservation of interpretive dominance, and the future architecture of regulatory power within the Union.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!PfFe!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fce6021ad-7454-48d5-8ebf-c3a59a0610aa_1536x1024.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!PfFe!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fce6021ad-7454-48d5-8ebf-c3a59a0610aa_1536x1024.png 424w, https://substackcdn.com/image/fetch/$s_!PfFe!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fce6021ad-7454-48d5-8ebf-c3a59a0610aa_1536x1024.png 848w, https://substackcdn.com/image/fetch/$s_!PfFe!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fce6021ad-7454-48d5-8ebf-c3a59a0610aa_1536x1024.png 1272w, 
https://substackcdn.com/image/fetch/$s_!PfFe!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fce6021ad-7454-48d5-8ebf-c3a59a0610aa_1536x1024.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!PfFe!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fce6021ad-7454-48d5-8ebf-c3a59a0610aa_1536x1024.png" width="1456" height="971" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/ce6021ad-7454-48d5-8ebf-c3a59a0610aa_1536x1024.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:971,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:611411,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://digidata.substack.com/i/187725903?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fce6021ad-7454-48d5-8ebf-c3a59a0610aa_1536x1024.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!PfFe!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fce6021ad-7454-48d5-8ebf-c3a59a0610aa_1536x1024.png 424w, https://substackcdn.com/image/fetch/$s_!PfFe!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fce6021ad-7454-48d5-8ebf-c3a59a0610aa_1536x1024.png 848w, 
https://substackcdn.com/image/fetch/$s_!PfFe!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fce6021ad-7454-48d5-8ebf-c3a59a0610aa_1536x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!PfFe!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fce6021ad-7454-48d5-8ebf-c3a59a0610aa_1536x1024.png 1456w" sizes="100vw" fetchpriority="high"></picture></div></a></figure></div><p>There are those who will reproduce the press narrative, emphasising the defence of rights without interrogating the 
structural implications. The difficulty is that the Joint Opinion often operates in precisely this register, invoking the language of fundamental rights and legal certainty in a way that foregrounds constitutional anxiety while leaving the deeper institutional consequences of its own position largely unexplored. This post takes the latter approach. When read closely, the Opinion raises a series of concerns that extend beyond doctrinal fidelity or drafting precision. It reveals a deeper anxiety about perimeter, competence, and institutional balance. Below, I outline <strong>seven broad concerns</strong> that emerge from that close reading of the EDPB/EDPS Joint Opinion, each of which suggests that institutional self-preservation is playing a more decisive role than the effective protection of data subjects.</p><p><strong>1. Constitutional inflation of a definitional question. </strong></p><p>The assertion that narrowing the definition of &#8220;personal data&#8221; would &#8220;adversely affect&#8221; the fundamental right to data protection (p.4) conflates definitional breadth with constitutional strength. That conflation is analytically unstable. Article 8 CFR protects the right to the protection of personal data. It guarantees lawful and fair processing, purpose limitation, access, rectification, and independent supervision. It does not mandate that the broadest possible category of data fall within the GDPR at all times. The Charter constitutionalises principles, not maximal reach. Scope calibration is not rights erosion. In any rights-based legal order, the intensity of regulation must correspond to the level of risk. Proportionality is the organising principle. If data are not identifiable in a meaningful way for a particular actor, or if processing does not materially implicate autonomy, dignity, or privacy, insisting on the full GDPR machinery does not automatically strengthen rights. 
It may instead dilute enforcement focus, overload supervisory capacity, and generate formalistic compliance rituals that obscure genuinely harmful practices. Fundamental rights are not strengthened by attaching more regulatory mass to them. They are strengthened when safeguards are targeted, proportionate, and enforceable in relation to real harms. Treating definitional narrowing as constitutional regression assumes that maximal perimeter equals maximal protection. That is a regulatory instinct; it is not a constitutional axiom. A mature rights framework recognises that boundaries are part of design. Precision does not weaken rights. It makes them credible.</p><p><strong>2. Over-constitutionalisation of current jurisprudence </strong></p><p>The assertion that the proposal &#8220;does not accurately reflect and clearly goes beyond&#8221; CJEU jurisprudence, particularly SRB (p. 10, para. 16), is presented as a decisive objection. The Joint Opinion relies on the Court&#8217;s confirmation that data may become personal when placed at the disposal of a recipient with means reasonably likely to identify the data subject, and that in such circumstances the data may be personal both for the recipient and, indirectly, for the entity making them available. That summary of SRB is accurate. The difficulty lies in the inference drawn from it.</p><p>The Opinion treats the Court&#8217;s reasoning as if it conclusively fixes the architecture of identifiability across all contexts, such that any legislative clarification distinguishing between the perspective of the initial entity and that of a subsequent recipient must necessarily &#8220;go beyond&#8221; the case law. But SRB did not constitutionalise a single immutable model of relational identifiability. It interpreted the GDPR as drafted, in the context of the facts before it. 
The Commission&#8217;s proposal attempts to clarify how the &#8220;means reasonably likely&#8221; test operates from the perspective of a particular entity. Whether that clarification is desirable is open to debate. But to characterise it as inherently incompatible with SRB assumes that the Court&#8217;s reasoning leaves no room for legislative refinement of how indirect identifiability should be treated in complex, multi-actor processing chains. That is a much stronger claim than the Opinion explicitly defends.</p><p>To say that legislation &#8220;goes beyond&#8221; case law is not, in itself, a constitutional indictment. Courts interpret existing provisions. Legislatures are entitled to stabilise, clarify, refine, or recalibrate those interpretations within constitutional limits. That is not doctrinal heresy. It is the ordinary constitutional dialogue between the legislature and the court in the EU legal order. Codification is always selective. No legislative text reproduces the full complexity of judicial reasoning. It distils. It emphasises. It occasionally recalibrates. The relevant constitutional question is not whether the amendment mirrors every nuance of SRB, but whether it remains within the outer boundaries of Article 16 TFEU and Article 8 CFR. By treating the Court&#8217;s reasoning in SRB as effectively freezing the perimeter of &#8220;personal data&#8221; against legislative adjustment, the Joint Opinion risks transforming interpretive guidance into constitutional immutability. Jurisprudence evolves. Legislative response is part of that evolution. Treating the present configuration as immune from refinement collapses the distinction between constitutional principle and regulatory preference and converts case law into a vehicle for perimeter preservation rather than principled analysis.</p><p><strong>3. Institutional perimeter defence disguised as independence. 
</strong></p><p>The Opinion repeatedly frames definitional clarification and the possibility of Commission implementing acts as threats to supervisory authority competence and independence. The language is constitutional in tone. The subtext is institutional. Article 8(3) of the CFR provides that compliance with data protection rules is subject to independent supervision. It does not guarantee that supervisory authorities enjoy exclusive interpretive control over the boundary of those rules. Independence protects against political interference in enforcement. It does not entrench regulatory ownership over the scope of primary legislation. What is striking is the intensity of the resistance. The concern is not merely that the Commission might poorly clarify the scope. It is that any mechanism capable of influencing the perimeter of &#8220;personal data&#8221; outside the supervisory ecosystem is portrayed as constitutionally suspect. That is a far stronger claim than is doctrinally necessary.</p><p>In my earlier Substack post on the <a href="https://digidata.substack.com/p/the-entrenchment-move">EDPS/EDPB Joint Opinion on the Digital Omnibus in the AI context</a>, I observed that the tone read less like measured constitutional caution and more like a regulator anxious to retain centrality in an evolving digital governance landscape. The same dynamic is visible here. When definitional clarification is treated as an existential threat, the debate shifts from protecting data subjects to preserving institutional primacy.</p><p>There is a difference between defending rights and defending jurisdiction. If the Commission were to gain a constrained ability to clarify scope through legislatively authorised instruments, subject to judicial review, that would not abolish independent supervision. It would recalibrate the institutional balance. The Joint Opinion resists even that possibility. At a high level, the pattern suggests a regulatory reflex: perimeter equals power. 
If the boundary of &#8220;personal data&#8221; narrows, so does supervisory reach. If implementing acts are possible, the interpretive monopoly weakens. Framed as constitutional defence, this looks principled. Viewed structurally, it resembles institutional self-preservation. Protecting data subjects requires effective oversight, proportional safeguards, and enforceable standards. It does not require freezing the regulatory perimeter under exclusive supervisory control. When independence rhetoric becomes a shield against legislative clarification, the line between constitutional vigilance and power retention becomes uncomfortably thin.</p><p><strong>4. Weak or Asymmetric Proportionality and Impact Reasoning. </strong></p><p>The Joint Opinion repeatedly raises concerns about fundamental rights and criticises the Commission for an insufficient impact assessment. It frames the proposed clarification as potentially &#8220;adversely affecting&#8221; Article 8 CFR. Yet the Opinion itself does not perform the structured proportionality analysis it implicitly demands. 
There is no rigorous articulation of the three classic questions:</p><ul><li><p>What is the legitimate objective of the amendment?</p></li><li><p>Is the measure suitable and necessary in relation to that objective?</p></li><li><p>Do the benefits of clarification outweigh any rights impact, in light of competing constitutional interests?</p><p></p></li></ul><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!dBy6!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4478a926-683c-4360-8982-917222c3d2d2_1536x1024.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!dBy6!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4478a926-683c-4360-8982-917222c3d2d2_1536x1024.png 424w, https://substackcdn.com/image/fetch/$s_!dBy6!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4478a926-683c-4360-8982-917222c3d2d2_1536x1024.png 848w, https://substackcdn.com/image/fetch/$s_!dBy6!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4478a926-683c-4360-8982-917222c3d2d2_1536x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!dBy6!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4478a926-683c-4360-8982-917222c3d2d2_1536x1024.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!dBy6!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4478a926-683c-4360-8982-917222c3d2d2_1536x1024.png" width="1456" height="971" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/4478a926-683c-4360-8982-917222c3d2d2_1536x1024.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:971,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:612763,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://digidata.substack.com/i/187725903?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4478a926-683c-4360-8982-917222c3d2d2_1536x1024.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!dBy6!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4478a926-683c-4360-8982-917222c3d2d2_1536x1024.png 424w, https://substackcdn.com/image/fetch/$s_!dBy6!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4478a926-683c-4360-8982-917222c3d2d2_1536x1024.png 848w, https://substackcdn.com/image/fetch/$s_!dBy6!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4478a926-683c-4360-8982-917222c3d2d2_1536x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!dBy6!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4478a926-683c-4360-8982-917222c3d2d2_1536x1024.png 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><p>Instead, we see an assumption: <em>narrower scope</em> equals <em>weaker protection</em>. That assumption is never interrogated. A mature proportionality assessment would require granular analysis. It would examine context-specific identifiability, actor-relative risk, enforcement capacity constraints, and systemic compliance burdens. It would distinguish between high-risk profiling ecosystems and low-risk, de facto non-identifiable contexts. It would assess whether over-extension dilutes supervisory focus. It would consider whether formal coverage without meaningful enforcement capacity may undermine credibility. None of this appears.</p><p>The Commission is faulted for insufficient impact assessment. 
Yet the Joint Opinion does not quantify harm, model enforcement consequences, or provide empirical evidence that the proposal would, in practice, increase rights violations. It asserts <em>regression</em>. It does not <em>demonstrate it</em>. Equally telling is the asymmetry in how &#8220;legal certainty&#8221; is treated. Codification is described as destabilising, while further EDPB guidance is presented as stabilising. But, by definition, guidance is discretionary, evolving, and dependent on supervisory interpretation. Legislative clarification, even if imperfect, may offer more predictable boundaries than iterative soft law. The Opinion does not grapple with that trade-off. The rhetorical oscillation between describing the amendment as &#8220;targeted&#8221; and &#8220;significant&#8221; illustrates the deeper issue. The amendment is framed as technical when downplayed, and as structurally dangerous when justified. Adjectives substitute for demonstration. More fundamentally, the current perimeter of &#8220;personal data&#8221; is not neutral. It is itself the product of interpretive expansion over time. To describe recalibration as regression presumes that the present configuration represents an optimal equilibrium of rights protection. That premise is neither self-evident nor argued.</p><p><em>Proportionality</em> is not a slogan. It is a method. If the Commission must justify scope adjustment through disciplined rights balancing, then the same standard must apply to those who resist it. Otherwise, &#8220;fundamental rights&#8221; becomes a rhetorical shield rather than an analytical tool. At a high level, the concern is not that the Joint Opinion defends rights. It is that it invokes proportionality language while avoiding proportionality reasoning. That weakens the normative force of the objection and shifts the debate from constitutional analysis to institutional instinct.</p><p><strong>5. Elevation of drafting issues into structural objections. 
</strong></p><p>Concerns about negative definitions, undefined terms, or selective codification are presented as destabilising to the structure of EU data protection law. The tone suggests systemic fragility. The reality is far more ordinary. These are drafting questions. Calibration questions. Textual refinement questions. A &#8220;negative definition&#8221; is not a constitutional rupture. It is a legislative technique. Undefined terms such as &#8220;entity&#8221; are not structural threats. They are placeholders awaiting precision. Selective codification is not doctrinal sabotage. It is how legislation interacts with case law. All of these issues are resolvable within the ordinary legislative process. Through amendment. Through clarification. Through cross-reference. Through recital refinement. This is what Parliament and Council exist to do. Elevating such matters to the level of existential objections risks distorting the scale of the debate. It converts technical disagreement into a structural alarm, shifting from analysis to posture. When drafting imperfections are framed as a constitutional danger, it suggests that the objection lies not in the wording but in the direction of travel. The anxiety is not about syntax; it is about scope. Measured legal analysis distinguishes between curable textual issues and fundamental incompatibility. Conflating the two blurs that distinction. It strengthens rhetoric, and it weakens the argument.</p><p><strong>6. Conceptual overextension of &#8220;personal data&#8221; as a universal switch. </strong></p><p>By treating &#8220;personal data&#8221; as the master regulatory switch for digital governance, the Opinion entrenches the centrality of the GDPR as if it were the constitutional backbone of the entire digital acquis. That move is not analytically neutral. It ensures that every emerging risk must be channelled through the lens of identifiability. 
I have written extensively on this in my <a href="https://digidata.substack.com/p/rethinking-personal-data">Substack posts</a> and in my <a href="https://www.sciencedirect.com/science/article/pii/S2212473X25001282?dgcid=author">editorial in rebuttal to Professor Purtova</a>. Modern digital harms increasingly arise from modelling, prediction, optimisation, and behavioural engineering. Systems do not need to know your civil identity to shape your outcomes. They need to know your cluster, your predicted responsiveness, and your inferred vulnerabilities. The architecture operates on probability distributions and behavioural correlations. Identification, in the traditional sense, is often incidental.</p><p>When regulators stretch the definition of &#8220;personal data&#8221; to capture every structural risk, they risk conflating identity with influence. The conceptual frame becomes distorted. The GDPR was designed as an information governance instrument. It is not a universal instrument for regulating digital power. By insisting that every systemic risk must pass through the gateway of &#8220;personal data&#8221;, we avoid confronting the possibility that some harms require different tools (i.e., competition interventions, architectural constraints, sector-specific duties, or entirely new regulatory instruments). If &#8220;personal data&#8221; remains the universal gateway concept, we end up defending the perimeter of an instrument rather than interrogating the architecture of the system. That may preserve institutional centrality. It does not necessarily enhance conceptual clarity or improve protection outcomes. Definitions are regulatory tools. They should evolve in light of technological realities. They should not become proxies for <em>institutional preservation</em>.</p><p><strong>7. Enforcement convenience framed as rights protection. </strong></p><p>A broader definition preserves regulatory reach and investigative leverage. 
Narrowing the perimeter would require sharper legal theories, clearer evidence of identifiability, and more disciplined case construction. It is unsurprising that regulators prefer maximal reach. But enforcement convenience is not synonymous with constitutional necessity.</p><p>Taken together, these themes point to a deeper issue. The Joint Opinion reads less like a neutral constitutional warning and more like an institutional defence of the status quo. Maintaining maximal perimeter preserves regulatory centrality. It keeps GDPR as the primary gateway instrument. It avoids reopening foundational questions about the limits of identifiability as the organising concept of digital law. But preserving the perimeter is not the same as protecting people. For <em>data subjects</em>, over-extension can dilute enforcement focus, entrench formalistic compliance, and distract from structural harms that do not map neatly onto identifiability. For <em>SMEs and industry</em>, definitional opacity and ever-expanding scope create uncertainty, compliance overhead, and chilling effects without necessarily delivering clearer protection outcomes.</p><p>A mature regulatory system must be capable of calibrating its boundaries without treating every adjustment as constitutional regression. Precision is not deregulation; it is governance design. If the debate is framed as &#8220;rights versus simplification,&#8221; we miss the real question. The <em>real</em> question is whether defending institutional territory serves data subjects, SMEs, and industry? 
Or whether it simply preserves the comfort of a familiar perimeter?</p>]]></content:encoded></item><item><title><![CDATA[The Entrenchment Move]]></title><description><![CDATA[Competence anxiety and the politics of staying central]]></description><link>https://digidata.substack.com/p/the-entrenchment-move</link><guid isPermaLink="false">https://digidata.substack.com/p/the-entrenchment-move</guid><dc:creator><![CDATA[Dr Mark R Leiser]]></dc:creator><pubDate>Tue, 03 Feb 2026 14:24:57 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!3eJH!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb679e065-e3e7-4cc3-aaa1-5555494dfa04_696x795.webp" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>In my <a href="https://digidata.substack.com/p/the-unfinished-rescue?r=4k65m8">first post</a> in this series, I argued that the <a href="https://digital-strategy.ec.europa.eu/en/library/digital-omnibus-regulation-proposal">Digital Omnibus</a> is not a tidy exercise in legislative housekeeping, but a fault line that exposes a deeper struggle over what kind of regulatory project EU AI law is meant to be. If that diagnosis is right, then the response to the Omnibus matters more than the Omnibus itself. This second post starts from that premise and turns directly to the <a href="https://www.edpb.europa.eu/our-work-tools/our-documents/edpbedps-joint-opinion/edpb-edps-joint-opinion-12026-proposal_en">EDPB and EDPS Joint Opinion on the Digital Omnibus on AI</a>. Read <em>charitably</em>, it presents itself as a sober warning against deregulation by stealth. Read <em>closely </em>and <em>critically,</em> it does something far more consequential. It reveals an institution under pressure, facing the slow redistribution of competence brought about by the AI Act, and responding by hardening its claims to indispensability. 
What follows in the Joint Opinion is not a neutral technical critique, but a strategic effort to reassert gravitational pull. Across barely ten pages of substantive text, the Opinion invokes variations of the word &#8220;competent&#8221; an astounding <strong>thirty-three times</strong>, a density that speaks for itself. The effect is to ensure that even as AI governance is formally redirected toward <a href="https://commission.europa.eu/business-economy-euro/doing-business-eu/eu-product-safety-and-labelling/product-safety_en">product safety</a>, centralised supervision, and market logic, nothing of consequence can occur without data protection authorities being designated as the relevant competent actors, present in every process, embedded in every mechanism, and ultimately positioned to retain control.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!3eJH!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb679e065-e3e7-4cc3-aaa1-5555494dfa04_696x795.webp" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!3eJH!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb679e065-e3e7-4cc3-aaa1-5555494dfa04_696x795.webp 424w, https://substackcdn.com/image/fetch/$s_!3eJH!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb679e065-e3e7-4cc3-aaa1-5555494dfa04_696x795.webp 848w, https://substackcdn.com/image/fetch/$s_!3eJH!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb679e065-e3e7-4cc3-aaa1-5555494dfa04_696x795.webp 1272w, 
https://substackcdn.com/image/fetch/$s_!3eJH!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb679e065-e3e7-4cc3-aaa1-5555494dfa04_696x795.webp 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!3eJH!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb679e065-e3e7-4cc3-aaa1-5555494dfa04_696x795.webp" width="696" height="795" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/b679e065-e3e7-4cc3-aaa1-5555494dfa04_696x795.webp&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:795,&quot;width&quot;:696,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:58100,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/webp&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://digidata.substack.com/i/186596073?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F18f4a047-d455-4232-b8b0-9facde675af4_1041x1398.webp&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!3eJH!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb679e065-e3e7-4cc3-aaa1-5555494dfa04_696x795.webp 424w, https://substackcdn.com/image/fetch/$s_!3eJH!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb679e065-e3e7-4cc3-aaa1-5555494dfa04_696x795.webp 848w, 
https://substackcdn.com/image/fetch/$s_!3eJH!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb679e065-e3e7-4cc3-aaa1-5555494dfa04_696x795.webp 1272w, https://substackcdn.com/image/fetch/$s_!3eJH!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb679e065-e3e7-4cc3-aaa1-5555494dfa04_696x795.webp 1456w" sizes="100vw" fetchpriority="high"></picture></div></a></figure></div><blockquote><p><em>&#8220;If you have to keep telling people you&#8217;re king, you&#8217;re not really king.&#8221;, <strong>Tywin 
Lannister</strong>, Game of Thrones</em></p></blockquote><p>Therefore, the EDPB and EDPS Joint Opinion 1/2026 should be read not as a defence of data protection as such, but as a regulatory <em>counteroffensive</em>. Rather than responding to the Commission&#8217;s proposals on their own terms, it recasts targeted simplifications as existential threats to fundamental rights, thereby shifting the terrain of debate from implementation to constitutional principle. In doing so, the Opinion deploys the language of rights not primarily to protect individuals, but to reassert institutional centrality, supervisory reach, and interpretive authority within the emerging AI governance framework. It is a carefully constructed exercise in reconstitutionalisation, one that treats any recalibration of <em>competence</em> or enforcement logic as a rights regression, and uses that framing to reclaim administrative territory that the Omnibus implicitly places elsewhere.</p><p><strong>The &#8220;Gravitational Field&#8221; of Data Protection</strong></p><p>The core claim running through this post&#8217;s analysis is that the EDPB seeks to keep the AI Act within the gravitational pull of data protection constitutionalism. That position is reflected throughout the Joint Opinion. Simplification is repeatedly treated as acceptable only insofar as it does not alter <a href="https://www.edpb.europa.eu/news/news/2026/edpb-and-edps-support-streamlining-ai-act-implementation-call-stronger-safeguards_en">the level of protection afforded to fundamental rights</a>. 
The practical consequence is that GDPR concepts, thresholds, and supervisory priorities are treated as the default reference point whenever the AI Act introduces a different regulatory calibration.</p><p>On this reading, the AI Act is not approached as an autonomous regulatory regime with its own logic of risk management and enforcement, but as a subsidiary framework whose operation remains contingent on continued alignment with GDPR doctrine. This can be seen in the insistence that data protection authorities (hereafter DPAs) be formally involved in EU-level <em>sandboxes</em>, that standards of strict necessity be preserved even where the legislature has opted for a broader formulation, and that <em>transparency </em>obligations retain priority irrespective of technical readiness. Across these positions, the GDPR serves as the controlling framework, with the AI Act operating in a <em>subordinate role</em> whenever personal data processing is implicated, which, in the context of AI systems, is almost always the case (but also not as much as one might think).</p><p><strong>The Strategy of &#8220;Normative Overhang&#8221;</strong></p><p>By insisting that the AI Act reproduce the GDPR&#8217;s level of doctrinal density and rights granularity, the EDPB engineers a condition of normative overhang. The AI Act&#8217;s institutional design is anchored in product safety logic: <em>ex-ante</em> risk classification, conformity assessment, technical documentation, and post-market surveillance carried out by specialised authorities. 
The Joint Opinion nonetheless reads these instruments through a fundamentally different lens, treating them as vehicles for the continuous vindication of individual fundamental rights.</p><p>In doing so, it assigns to the AI Office and market surveillance authorities tasks they are neither conceptually nor procedurally equipped to perform, such as assessing proportionality, necessity, or abstract rights impacts at the level of individual data subjects. That mismatch is not incidental. Once product safety tools are declared insufficient to discharge these demands, the conclusion follows that only data protection authorities possess the requisite <em>competence</em>.</p><blockquote><p><em>The Joint Opinion invokes &#8220;competent&#8221; and &#8220;competence&#8221; thirty-three times. This does not resolve uncertainty about enforcement. It reveals it. The lady doth protest too much, because what is really being defended is institutional power.</em></p></blockquote><p>The effect is to justify an expanded supervisory remit across the AI lifecycle, not because the legislature has conferred it, but because no other authority can meet standards imported from an adjacent constitutional framework. The result is a systematic recharacterisation of the AI Act as an extension of data protection law rather than a parallel regime, transforming it, in functional terms, into &#8220;GDPR Plus&#8221;.</p><p><strong>Recasting Rights as Jurisdiction: How the Joint Opinion Converts Protection into Power</strong></p><p>The EDPB&#8217;s rhetoric relies on a specific trick: they treat &#8220;fundamental rights&#8221; and &#8220;data protection compliance&#8221; as synonyms. By equating the broad protection of rights (which the AI Act aims to achieve through safety) with the specific procedural rituals of the GDPR (DPIAs, strict necessity), they delegitimise the AI Act&#8217;s own mechanisms. 
What is striking, when the Joint Opinion is read on its own terms, is how openly it converts the language of safeguards into a doctrine of institutional indispensability. Again and again, the EDPB and EDPS insist that any adjustment that reduces their&nbsp;<strong>direct visibility</strong>,&nbsp;<strong>anticipatory reach</strong>, or&nbsp;<strong>procedural leverage</strong>&nbsp;must be resisted, as it would <em>significantly decrease accountability</em> or <em>undermine the protection of fundamental rights</em>.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!aZts!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdd0453bb-3abb-4c54-8338-9f14912cde51_1024x1536.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!aZts!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdd0453bb-3abb-4c54-8338-9f14912cde51_1024x1536.png 424w, https://substackcdn.com/image/fetch/$s_!aZts!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdd0453bb-3abb-4c54-8338-9f14912cde51_1024x1536.png 848w, https://substackcdn.com/image/fetch/$s_!aZts!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdd0453bb-3abb-4c54-8338-9f14912cde51_1024x1536.png 1272w, https://substackcdn.com/image/fetch/$s_!aZts!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdd0453bb-3abb-4c54-8338-9f14912cde51_1024x1536.png 1456w" sizes="100vw"><img 
src="https://substackcdn.com/image/fetch/$s_!aZts!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdd0453bb-3abb-4c54-8338-9f14912cde51_1024x1536.png" width="1024" height="1536" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/dd0453bb-3abb-4c54-8338-9f14912cde51_1024x1536.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1536,&quot;width&quot;:1024,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:3362490,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://digidata.substack.com/i/186596073?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdd0453bb-3abb-4c54-8338-9f14912cde51_1024x1536.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!aZts!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdd0453bb-3abb-4c54-8338-9f14912cde51_1024x1536.png 424w, https://substackcdn.com/image/fetch/$s_!aZts!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdd0453bb-3abb-4c54-8338-9f14912cde51_1024x1536.png 848w, https://substackcdn.com/image/fetch/$s_!aZts!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdd0453bb-3abb-4c54-8338-9f14912cde51_1024x1536.png 1272w, https://substackcdn.com/image/fetch/$s_!aZts!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdd0453bb-3abb-4c54-8338-9f14912cde51_1024x1536.png 
1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><p>But their own text shows that what is really at stake is not the level of protection, but who gets to operationalise it. They argue, for example, that providers who lawfully rely on Article 6(3) AI Act must still publicly register their systems because this allows the public, DPAs, and fundamental rights bodies to intervene <em>before</em> market placement, explicitly invoking reputational pressure and early enforcement as virtues of the regime. That is not a safety argument. It is a claim for permanent upstream surveillance that clearly would chill innovation. 
Likewise, in relation to <em><strong>bias mitigation</strong></em>, they stress that <em>DPAs would first and foremost be competent to supervise</em> any processing of special category data, even where the AI Act creates a specific, self-contained derogation designed to facilitate compliance. On <em><strong>sandboxes</strong></em>, they accept the innovation rationale in principle, only to insist that competent DPAs must be &#8220;associated&#8221; with EU-level sandboxes, that their GDPR cooperation mechanisms must remain fully intact, and that the EDPB itself should acquire an advisory role and observer status on the AI Board.</p><p>This is <strong>competence expansion</strong> by <em>accumulation</em>, not <em>coordination</em>.</p><p>Even where the Omnibus grants the AI Office exclusive competence over general-purpose AI, the Joint Opinion immediately conditions this exclusivity on constant coordination with DPAs whenever privacy or data protection risks are present, a category so broad that it collapses exclusivity in practice. The most revealing passage comes where they warn that MSAs must not be allowed to assess the necessity or proportionality of requests by fundamental rights bodies, lest this &#8220;affect the independence and powers of DPAs&#8221;. 
</p><p>The concern is not duplication, delay, or over-enforcement, but dilution of authority. Taken together, the Joint Opinion reads less like a proportionality check and more like a reassertion of primacy. Fundamental rights are treated as synonymous with GDPR supervision, and GDPR supervision is treated as something that must remain omnipresent, even within a regulation deliberately designed to shift enforcement logic toward product safety, ex post surveillance, and centralised competence. 
This is not about preventing a race to the bottom; rather, it is about preventing a redistribution of <em><strong>power</strong></em>.</p><p><strong>The EDPB&#8217;s Defence: Registration as Rights Infrastructure</strong></p><p>The EDPB and EDPS reject outright the Commission&#8217;s proposal to remove the obligation to register AI systems that are formally listed in Annex III but, under Article 6(3) of the AI Act, assessed by the provider as not high risk. In their view, allowing such systems to remain unregistered would &#8220;significantly decrease accountability&#8221; and create an &#8220;undesirable incentive&#8221; for providers to rely on the exemption. What matters here is not the exemption itself, which the Joint Opinion accepts in principle, but the refusal to treat it as a genuine carve-out. Registration is defended not as a technical necessity for market surveillance, but as a mechanism to preserve public visibility and early intervention. The Opinion is explicit that registration enables DPAs and fundamental rights bodies to identify systems before market placement, request documentation, and initiate scrutiny at an anticipatory stage, with reputational exposure framed as a legitimate regulatory tool rather than a collateral effect.</p><p>Once framed this way, the disagreement is no longer about administrative burden. It is about whether a lawful exemption can operate without continuous upstream disclosure. The Commission&#8217;s proposal aligns the AI Act with standard product safety practice, where compliance is presumed, documentation is held on file, and enforcement is triggered by evidence of risk. The EDPB&#8217;s response rejects that logic. By insisting that exempt systems must still be publicly registered, the Joint Opinion transforms Article 6(3) from an exemption into a provisional status, one that remains subject to permanent visibility and contestation. This is not a dispute about safety thresholds. 
It is a refusal to relinquish a surveillance infrastructure that keeps data protection authorities positioned upstream of innovation decisions.</p><p><strong>The Registry of Innocence</strong></p><p>Taken seriously, this logic produces a perverse outcome. Providers who rely on a lawful derogation must publicly announce that reliance, justify it in advance, and accept reputational risk as the price of using an exemption expressly provided by the legislature. The effect is a registry not of danger, but of asserted safety. A provider must effectively declare &#8220;this system is not high-risk&#8221; in order to prove that it deserves not to be treated as such. That is <strong>not</strong> how product safety law normally operates. In the New Legislative Framework, compliance is presumed unless evidence suggests otherwise. Enforcement is<em> <strong>triggered</strong></em> by risk, not by the <em><strong>absence</strong> of risk</em>.</p><p>The Joint Opinion dismisses the Commission&#8217;s own impact assessment on this point, noting that the administrative savings are modest. But that misses the structural issue. The question is not whether registration saves a few hundred euros per firm. The question is whether the regulatory architecture should incentivise providers to over-classify systems as high-risk simply to avoid public scrutiny and contestation. Faced with the choice between quiet internal documentation and public exposure to challenge, many providers will rationally opt into the high-risk category, flooding the system with compliance noise and undermining the very risk prioritisation the AI Act is meant to achieve.</p><p><strong>Surveillance Logic Disguised as Accountability</strong></p><p>What the registration debate ultimately exposes is a clash between two regulatory philosophies. The Commission&#8217;s approach treats Article 6(3) as a genuine exemption, policed through ex post market surveillance and sanctions for abuse. 
The EDPB&#8217;s approach treats the exemption as inherently suspect and insists on compensating for it through continuous visibility and early intervention. Accountability is equated with being seen, rather than with being demonstrably safe. In this sense, the defence of registration is not about aligning obligations with risk. It is about preserving a surveillance infrastructure that allows data protection authorities and allied bodies to remain upstream of innovation decisions.</p><p>Seen in that light, the resistance to deleting the registration obligation is entirely consistent with the broader pattern identified above. It is another instance in which product safety logic is rejected in favour of procedural exposure, not because the latter manages risk better, but because it sustains supervisory reach. The database becomes less a tool of market regulation and more a standing invitation to contestation. This is not transparency in the service of <em>safety</em>. It is transparency as a mode of <em>control</em>.</p><p>Ultimately, the EDPB is arguing that without registration, there is an &#8220;undesirable incentive&#8221; to cheat. But in product safety law, the deterrent against cheating is <strong>post-market surveillance</strong> (heavy fines, recalls), not <strong>pre-market confession</strong>. The EDPB&#8217;s distrust of the <em>ex-post</em> enforcement model has led them to demand a surveillance infrastructure (the database) that covers even safe products. The Commission&#8217;s removal of this requirement is a correct alignment with the logic of Article 114 TFEU: <em><strong>We regulate risks, not the absence of risks.</strong></em></p><p>In the next post, I turn to the point where this logic does its most tangible damage: <strong>regulatory sandboxes</strong>. 
What are presented, in the AI Act, as spaces for supervised experimentation and learning are reimagined in the Joint Opinion as controlled derogations from rights protection, requiring constant oversight, preserved enforcement powers, and institutional co-governance. The result is a concept that looks like a sandbox in name only, but functions as a pre-compliance audit with the threat of sanctions never far away. That shift matters because it exposes the deeper incompatibility between an innovation regime built on iteration and failure and a supervisory mindset that treats any relaxation of control as a constitutional risk.</p>]]></content:encoded></item><item><title><![CDATA[The Unfinished Rescue]]></title><description><![CDATA[The Digital Omnibus Fails to Sever the AI Act from the Gravitational Field of Data Protection Constitutionalism]]></description><link>https://digidata.substack.com/p/the-unfinished-rescue</link><guid isPermaLink="false">https://digidata.substack.com/p/the-unfinished-rescue</guid><dc:creator><![CDATA[Dr Mark R Leiser]]></dc:creator><pubDate>Mon, 02 Feb 2026 14:55:25 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!Jk5J!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd2ad697d-f394-43f5-9a44-827b96361b62_358x636.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p><strong>This is the first in a short series of posts in which I try to do two things at once. 
First, to explain what is actually going on beneath the surface of the Digital Omnibus debate, stripped of the press releases, slogans, and ritual invocations of &#8220;fundamental rights&#8221;. Second, to explain why the reaction to the Omnibus has been so unusually tense, so juridified, and so frankly hostile. Much of that tension only really makes sense once you read the <a href="https://www.edpb.europa.eu/our-work-tools/our-documents/edpbedps-joint-opinion/edpb-edps-joint-opinion-12026-proposal_en">EDPB-EDPS JOINT OPINION 1/2026</a> (Digital Omnibus on AI) closely. It is not just a technical disagreement about simplification or safeguards. It is a struggle over who gets to define the governing logic of EU digital regulation going forward, and who gets to remain at the centre of it. In that sense, the Omnibus debate is as much about institutional power and regulatory identity as it is about AI, data protection, or innovation.</strong></p><p>The <a href="https://digital-strategy.ec.europa.eu/en/library/digital-omnibus-regulation-proposal">European Commission&#8217;s proposal for a Digital Omnibus Regulation</a>, introduced in November 2025, marks a pivotal moment in the evolution of European technology governance. Presented as a package of targeted simplification measures intended to reduce administrative burdens and smooth the implementation of the AI Act, Regulation (EU) 2024/1689, the Omnibus has instead become the focal point of a deeper <em>constitutional</em> struggle. This dispute is not primarily about compliance schedules or documentation formalities. 
It reflects a clash between two fundamentally different legal epistemologies: the <em>market-oriented</em>, <em>technocratic</em> logic of product safety associated with the <a href="https://single-market-economy.ec.europa.eu/single-market/goods/new-legislative-framework_en">New Legislative Framework</a>, and the rights-centred, procedural logic of data protection constitutionalism.</p><p>This Substack offers an analysis of that conflict. It argues that the AI Act was structurally conceived as a product safety instrument, a technical regulatory regime governing market access, risk classification, and conformity assessment under Article 114 TFEU. By contrast, the European Data Protection Board and the European Data Protection Supervisor, acting through their Joint Opinion 1/2026, are engaged in a strategic and sophisticated effort to reconstitutionalise the AI Act from within. By asserting the primacy of data protection principles such as strict necessity, data minimisation, and the central supervisory role of data protection authorities, the EDPB seeks to anchor AI governance firmly within the gravitational field of fundamental rights law, thereby reshaping and effectively overriding the Act&#8217;s product safety foundations.</p><div class="pullquote"><p><em>What is being resisted is not simplification as such, but the loss of interpretive and supervisory primacy that simplification implies.</em></p></div><p>The analysis suggests that the Commission&#8217;s Omnibus proposal, while taking some necessary steps towards simplification, including the removal of registration obligations for specific lower-risk systems and adjustments to the legal basis for bias detection, does not go far enough to insulate the AI Act from this normative overhang. 
Accordingly, this post tries to explain how the EDPB&#8217;s interpretive strategies risk paralysing the AI Act&#8217;s enforcement architecture by imposing a surveillance-oriented logic on a framework intended to operate under a safety-oriented one. It argues that the Commission should have adopted a far more robust approach by explicitly codifying statistical necessity as a form of legal necessity, removing data protection authorities from co-governance roles within regulatory sandboxes, and introducing a supremacy clause designed to shield the product safety regime from the chilling effects of the GDPR.</p><p><strong>The Constitutional Coup: The AI Act&#8217;s Identity Crisis</strong></p><p>To understand the stakes of the Digital Omnibus and the EDPB&#8217;s Joint Opinion, one must first dissect the structural identity of the AI Act. The friction we observe today is not accidental; it is the result of a legislative experiment that attempted to graft a fundamental rights narrative onto a product safety chassis. This section explores the &#8220;legal DNA&#8221; of the Act and the conflicting &#8220;regulatory grammars&#8221; that are now colliding.</p><p><strong>The Legal DNA: Product Safety and the New Legislative Framework</strong></p><p>The AI Act is, in its skeleton and muscle, a piece of <em><strong>product safety legislation</strong></em>. It relies on the &#8220;New Legislative Framework&#8221; (NLF), a regulatory model established by Decision 768/2008/EC and Regulation (EC) 765/2008. This framework was designed to facilitate the free movement of goods within the Single Market while ensuring high levels of user safety. Its primary legal basis is <strong>Article 114 of the Treaty on the Functioning of the European Union (TFEU)</strong>, which empowers the EU to adopt measures to approximate national provisions to ensure the functioning of the internal market. The &#8220;regulatory grammar&#8221; of the NLF is specific, technocratic, and ex-ante. 
It consists of:</p><ul><li><p><strong>Essential Requirements:</strong> The law sets high-level safety objectives (e.g., &#8220;the device must not overheat,&#8221; &#8220;the AI must be accurate&#8221;). These are performance goals, not moral prescriptions.</p></li><li><p><strong>Harmonised Standards:</strong> Private standardisation bodies (CEN/CENELEC) write the detailed technical specifications that presume conformity with the law. This delegates the &#8220;how&#8221; of compliance to engineering experts.</p></li><li><p><strong>Conformity Assessment:</strong> Manufacturers (or third-party notified bodies) verify that the product meets the standards <em>before</em> it enters the market (ex-ante).</p></li><li><p><strong>CE Marking:</strong> The physical (or digital) signal that the product is compliant, serving as a passport for entry into the 27 Member States.</p></li><li><p><strong>Market Surveillance:</strong> National authorities (Market Surveillance Authorities or MSAs) monitor products <em>after</em> they are sold, ordering recalls or withdrawals if they prove unsafe.</p></li></ul><p>This system is inherently <strong>technocratic and risk-based</strong>. In the NLF, &#8220;risk&#8221; is a probabilistic calculation of physical harm or non-compliance, managed through engineering controls. It is <em>not</em> typically a moral adjudication of subjective rights violations. When a toy manufacturer self-certifies a doll under the Toy Safety Directive, they check for loose parts (choking hazards) and the doll&#8217;s chemical composition. They are not conducting a fundamental rights impact assessment on the child&#8217;s right to play or freedom from manipulation.</p><p><strong>The &#8220;Fundamental Rights&#8221; Injection</strong></p><p>The AI Act represents a mutation of the NLF. 
It takes this machinery, designed for elevators, pressure vessels, and toys, and applies it to &#8220;high-risk&#8221; algorithmic systems that impact fundamental rights (migration, employment, justice, democracy). Here lies the core tension. In the AI Act, fundamental rights function operationally as <strong>risk vectors</strong>. A &#8220;risk to fundamental rights&#8221; is treated as a safety defect, analogous to a risk of electric shock in a toaster or a brake failure in a car. The Act attempts to translate constitutional claims (e.g., non-discrimination, privacy, due process) into <strong>engineering and governance constraints</strong> (e.g., data governance, bias mitigation, robustness, human oversight). The mechanism for protecting rights under this model is <strong>technical compliance</strong>: if the system is built correctly according to harmonised standards, appropriately documented in the technical file, and marked with a CE, the legal assumption is that rights are protected. The manufacturer has discharged their duty.</p><p><strong>The EDPB&#8217;s Counter-Narrative: Data Protection Constitutionalism</strong></p><p>The EDPB, representing the collective will of the EU&#8217;s national data protection authorities (DPAs), operates within a fundamentally different legal framework. Their authority stems from <strong>Article 16 TFEU</strong> (the right to data protection) and <strong>Article 8 of the Charter of Fundamental Rights</strong>. In the view of the EDPB (as articulated in their guidance and the Joint Opinion 1/2026), &#8220;risk&#8221; is not a safety defect to be managed, but an <strong>interference</strong> with a fundamental right that must be continuously justified. This perspective is rooted in what scholars call &#8220;Data Protection Constitutionalism,&#8221; characterised by:</p><ul><li><p><strong>Strict Necessity:</strong> Processing is prohibited unless it is essential for a specific purpose. 
Convenience, cost-saving, or &#8220;better performance&#8221; are not valid justifications.</p></li><li><p><strong>Minimisation:</strong> Using the least amount of data possible is a legal imperative, not an efficiency metric. The burden is always on the controller to prove they could not have achieved the result with less data.</p></li><li><p><strong>Proportionality:</strong> Every interference must be weighed against the objective, subject to strict judicial scrutiny.</p></li><li><p><strong>Justiciability:</strong> Individuals have subjective rights (access, deletion, objection) that can be enforced directly against the provider, regardless of technical certification.</p></li></ul><p>The EDPB&#8217;s approach to the AI Act is to reject the &#8220;technicisation&#8221; of rights. They argue that compliance with technical standards (even harmonised ones) does not exhaust the obligation to protect fundamental rights. They seek to <strong>&#8220;reconstitutionalise&#8221; the AI Act from the inside</strong> by insisting that AI governance must remain tethered to the logic of the GDPR, where specific consent, strict necessity, and DPA oversight reign supreme.</p><p>The Digital Omnibus is the battlefield where these two logics collide: Product Safety (market efficiency, technical compliance) and Data Protection (rights restriction, strict justification). The Commission&#8217;s proposal aims to simplify the Act to make it workable; the EDPB&#8217;s opinion seeks to entrench its own interpretive authority to ensure that &#8220;simplification&#8221; does not mean &#8220;deregulation&#8221; of rights.</p><p><strong>The Digital Omnibus Proposal: A Timid Step Toward Autonomy</strong></p><p>The EC&#8217;s &#8220;Digital Omnibus&#8221; proposal did not emerge in a vacuum. 
It was a response to a crisis of competitiveness and regulatory complexity identified by the <strong><a href="https://commission.europa.eu/topics/competitiveness/draghi-report_en">Draghi Report (2024)</a></strong> and the Commission&#8217;s own <strong><a href="https://commission.europa.eu/topics/competitiveness/competitiveness-compass_en">Competitiveness Compass (2025)</a></strong>. These reports warned that the cumulative weight of the GDPR, AI Act, Data Act, and Cyber Resilience Act was stifling European innovation, creating a &#8220;regulatory thicket&#8221; that made it nearly impossible for SMEs to scale. The Omnibus aims to &#8220;simplify&#8221; the implementation of the AI Act. However, a close reading reveals that &#8220;simplification&#8221; is a euphemism for a tactical retreat from some of the Act&#8217;s more unworkable overlaps with the GDPR. The Commission is attempting to carve out space for the AI Act to function as a product safety regime, independent of the paralysing scrutiny of data protection formalism (some might say extremism).</p><p><strong>The Rationale: Competitiveness and Coherence</strong></p><p>The explanatory memorandum of the Omnibus explicitly frames the initiative as a &#8220;stress test&#8221; of the digital rulebook. The goal is to reduce administrative burdens by at least 25% (35% for SMEs) by 2029. The proposal identifies specific friction points where the AI Act&#8217;s requirements, when combined with the GDPR and other laws, create duplication or legal uncertainty. For example:</p><ul><li><p><strong>Duplicative Reporting:</strong> Companies currently face incident reporting obligations under GDPR, NIS2, and the AI Act. 
The Omnibus proposes a &#8220;single entry point&#8221;.</p></li><li><p><strong>Overlapping Competence:</strong> Both DPAs and MSAs claim jurisdiction over AI systems involving personal data. The Omnibus seeks to clarify the AI Office&#8217;s &#8220;exclusive competence&#8221; in some instances.</p></li><li><p><strong>Impossible Timelines:</strong> The delay in harmonised standards (CEN/CENELEC) meant companies would be forced to comply with high-risk rules without the necessary technical specifications.</p></li></ul><p><strong>Key Simplification Measures in the Omnibus</strong></p><p>The proposal introduces several amendments critical to this Substack&#8217;s analysis:</p><ol><li><p><strong>Registration Relief:</strong> Removing the obligation to register in the EU database for providers who rely on the Article 6(3) derogation (i.e., systems listed in Annex III that do not pose a &#8220;significant risk&#8221;).</p></li><li><p><strong>Bias Detection Standard:</strong> Changing the requirement for processing special category data for bias detection from &#8220;strictly necessary&#8221; to &#8220;necessary&#8221; (New Article 4a).</p></li><li><p><strong>AI Literacy:</strong> Downgrading the obligation for providers/deployers to ensure AI literacy to an obligation for Member States to &#8220;encourage&#8221; it.</p></li><li><p><strong>Timeline Adjustments:</strong> Delaying the application of high-risk rules (Annex III and I) to 6&#8211;12 months <em>after</em> the availability of harmonised standards and support measures, with a backstop of Dec 2027/Aug 2028.</p></li><li><p><strong>SME/SMC Benefits:</strong> Extending regulatory privileges (reduced fines, simplified documentation) from SMEs to &#8220;Small Mid-Caps&#8221; (SMCs).</p></li></ol><p>These changes are not merely administrative; they are structural attempts to loosen the grip of the &#8220;rights-first&#8221; approach. 
By removing registration for low-risk systems, the Commission asserts that not every AI system needs to be visible to the public&#8212;a classic product-safety stance (we don&#8217;t track every safe toaster). By removing &#8220;strict&#8221; from necessity, it acknowledges that engineering reality often requires broad data usage to find bias, contradicting the GDPR&#8217;s minimisation dogma. However, as the subsequent analysis will show, the Commission&#8217;s &#8220;rescue operation&#8221; stops short of the necessary surgery. It leaves the &#8220;normative overhang&#8221; intact, allowing the EDPB to counter-attack through interpretation.</p><p>What makes the Joint Opinion so revealing is the way it repeatedly reframes every proposed simplification as a latent competence loss that must be clawed back through doctrinal insistence. Across the document, the EDPB and EDPS do not simply argue that data protection concerns must be respected. They insist that GDPR logic, supervisory presence, and interpretive primacy must remain structurally embedded at every critical junction of the AI Act, even where the Omnibus explicitly seeks to reallocate authority. This is most obvious in three moves.</p><p>First, on <strong>registration,</strong> the Board insists that even systems expressly deemed non-high risk under Article 6(3) must remain publicly registered, not because the AI Act requires it for safety oversight, but because registration enables anticipatory scrutiny by DPAs and fundamental rights bodies, complete with reputational pressure and early enforcement triggers. This is not about risk management; it is about preserving surveillance visibility and intervention capacity.</p><p>Second, on <strong>sandboxes</strong>, the Opinion treats EU-level innovation spaces as intolerable unless DPAs are formally &#8220;associated&#8221; with supervision and unless the EDPB itself acquires an advisory role and observer status on the AI Board. 
The argument is telling: because sandboxes may involve personal data, full GDPR governance must follow, even though the legal consequence is to neutralise the sandbox as a space of regulatory experimentation.</p><div class="pullquote"><p><strong>&#8220;Power doesn&#8217;t corrupt. Power reveals.&#8221;</strong><br>&#8212; <em>House of Cards</em></p></div><p>Third, on <strong>AI Office competence</strong>, the EDPB nominally accepts centralisation, only to hollow it out by insisting on constant coordination with DPAs whenever privacy or data protection risks are present, a condition so broad that it effectively preserves parallel jurisdiction over most general-purpose AI systems. Throughout the Opinion, competence claims are reinforced by an elastic use of &#8220;fundamental rights&#8221; language that collapses AI Act obligations into GDPR supervision, for example, by asserting that DPAs are &#8220;first and foremost competent&#8221; wherever personal data processing occurs, even when the AI Act has created a separate product safety regime. Read together, these positions do not reflect a narrow concern about safeguards. 
They reflect an institutional strategy to remain indispensable by ensuring that no meaningful simplification, centralisation, or decoupling can occur without reaffirming the authority of the DPA and the EDPB. In that sense, the Joint Opinion is less a response to the Omnibus than a <em>defensive manoeuvre</em> against <em>regulatory displacement</em>, using necessity, transparency, and rights rhetoric to reassert relevance and hold ground in an AI governance architecture that is slowly moving beyond them.</p><p>What this first post has tried to show is that the Digital Omnibus is not a marginal clean-up exercise, but a stress test of the EU&#8217;s entire digital regulatory settlement. The friction it has generated is not accidental, nor is it well explained by appeals to administrative burden or abstract rights protection alone.</p><div class="pullquote"><p><em>The Digital Omnibus is not a clean-up exercise. It is a stress test of whether EU AI governance will operate as a product-safety regime or remain trapped within the constitutional logic of data protection.<br></em></p></div><p>It reflects a deeper conflict between two regulatory grammars that were never fully reconciled in the AI Act, and which the Omnibus now forces into the open. Legal arguments here are doing double duty as institutional defences. Simplification is framed as a constitutional threat not only for what it changes, but also for what it displaces. In the next post, I turn directly to the reaction itself. I unpack the EDPB and EDPS Joint Advisory Opinion as an entrenchment move, one that reveals a deeper anxiety about relevance and authority. Faced with an AI regime that reallocates competence and weakens traditional points of control, the EDPB doubles down on expansive competence claims and rights-based rhetoric to stay central to enforcement. 
The Opinion reads less like neutral guidance and more like a bid to reclaim gravitational pull, keeping AI governance tethered to data protection by insisting that nothing meaningful can happen without it.</p>]]></content:encoded></item><item><title><![CDATA[Beyond Dark Patterns]]></title><description><![CDATA[Why the Digital Fairness Act Must Regulate Systemic Deception, Not Screens]]></description><link>https://digidata.substack.com/p/beyond-dark-patterns</link><guid isPermaLink="false">https://digidata.substack.com/p/beyond-dark-patterns</guid><dc:creator><![CDATA[Dr Mark R Leiser]]></dc:creator><pubDate>Mon, 05 Jan 2026 17:56:20 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!OKoG!,w_256,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F921709a1-dc8a-4415-a572-3707019725c9_1080x1350.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>The European Commission&#8217;s <a href="https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/13748-Digital-fairness-fitness-check_en">Digital Fairness Fitness Check</a> marked a quiet but significant inflection 
point in EU consumer protection law. For perhaps the first time, the Commission acknowledged explicitly that the problem facing digital markets is not simply one of under-enforcement, fragmented supervision, or insufficient penalties, but a deeper structural misalignment between the legal categories through which consumer protection operates and the realities of how contemporary digital systems shape behaviour. This was not merely a diagnosis of regulatory fatigue. It was an admission that the object of regulation itself has shifted. The <a href="https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/14045-Recognising-the-professional-qualifications-of-nurses-pharmacists-dental-practitioners-updated-training-requirements_en">Digital Fairness Act </a>is the institutional response to that recognition, but whether it succeeds will depend less on its ambition than on where it looks.</p><p>At present, there is a real risk that the Digital Fairness Act will crystallise around a concept that has already reached the limits of its analytical usefulness: the notion of &#8220;dark patterns&#8221;. 
That term served an important purpose at a particular stage in the evolution of digital markets. It enabled regulators, courts, and scholars to describe why <a href="https://www.gov.uk/government/publications/online-choice-architecture-how-digital-design-can-harm-competition-and-consumers">specific interface designs</a> were not merely suboptimal or manipulative in a colloquial sense, but legally problematic. It helped bridge behavioural science and consumer law, allowing deception to be understood not only as false statements or misleading omissions, but as design practices that predictably steer users away from their own interests. In doing so, it allowed existing doctrines under the Unfair Commercial Practices Directive to be extended, rather than rewritten.</p><p>However, the very success of the concept now threatens to constrain regulatory imagination. &#8220;Dark patterns&#8221; implicitly <a href="https://www.oecd.org/en/publications/dark-commercial-patterns_44f5e846-en.html">locates unfairness at the level of the interface: at the button, the disclosure, the flow, the screen.</a> It frames <a href="https://www.europarl.europa.eu/RegData/etudes/ATAG/2025/767191/EPRS_ATA(2025)767191_EN.pdf">harm as occurring at identifiable moments of choice and suggests that it can be addressed by correcting discrete design elements</a>. That framing no longer reflects how influence is exercised in digital markets. The most consequential forms of manipulation today are not localised, episodic, or even necessarily visible. <a href="https://ejlt.org/index.php/ejlt/article/view/990">They are systemic, cumulative, and architectural.</a></p><p>Modern digital platforms rarely rely on a single misleading design choice to shape behaviour. Instead, they operate through integrated systems that combine data extraction, behavioural inference, ranking, personalisation, timing, and monetisation into coherent strategies of influence. 
These systems function continuously rather than transactionally, and they adapt dynamically rather than statically. They do not merely present options; they structure the conditions under which options are perceived, evaluated, and acted upon. The resulting harm is not easily traced to a single interaction, nor is it experienced as deception in the traditional sense. It emerges over time, through habituation, fatigue, dependency, and the gradual recalibration of preferences in environments optimised for extraction rather than autonomy.</p><p>This distinction matters because regulatory approaches that remain anchored to the interface layer inevitably confuse symptoms with causes. A cancellation flow is not complex because a designer misjudged usability. It is difficult because the system has been optimised to minimise churn. A recommendation feed is not compulsive because of its colour palette or animation. It is compulsive because it has been trained, through continuous experimentation, to maximise engagement across inferred psychological states. Regulating the interface without interrogating the optimisation logic that produces it risks formal compliance without substantive change.</p><p>The Commission&#8217;s own consultation exercise illustrates this tension. The Digital Fairness Fitness Check was notable for its methodological ambition. Consumers were not asked to reason in legal terms, but to describe how digital systems feel to interact with. The resulting responses were remarkably consistent across categories. What consumers articulated was not frustration with isolated tricks, but a sense of being subjected to environments that systematically undermine autonomy. Choice felt engineered rather than offered. Consent felt ritualistic rather than empowering. Personalisation felt exploitative rather than beneficial. Attention felt treated as a resource to be mined rather than respected. 
These are not descriptions of poor UX decisions; they are descriptions of power asymmetries embedded in system design.</p><p>Yet the translation of these experiential insights into regulatory framing has so far remained cautious. The consultation questions themselves overwhelmingly framed unfairness in interface-centric terms: misleading defaults, confirm-shaming, urgency cues, and friction-laden cancellation processes. Even where broader concerns were gestured towards, the implied remedies remained rooted in transparency, disclosure, and choice architecture. The underlying assumption appears to be that if users are given clearer information and cleaner choices, autonomy will be restored. That assumption is increasingly untenable.</p><blockquote><p><em>EU consumer protection law has long relied on an informed-choice model. Deception is prohibited because it interferes with the consumer&#8217;s ability to make a rational decision. Aggressive practices are prohibited because they impair freedom of choice through pressure or coercion. </em></p></blockquote><p>The corrective logic is informational and procedural: restore symmetry, remove friction, and the market will function fairly. That model strains under contemporary conditions for at least three reasons. First, many of the most influential digital practices do not operate by withholding or distorting information, but by structuring environments through ranking, defaults, and personalisation. Second, even where information is provided, it is often functionally unusable due to cognitive overload and decision fatigue, leading users to disengage rather than deliberate. 
Third, personalisation undermines the premise of a stable, generalisable consumer, rendering uniform assessments of fairness systematically incomplete.</p><p>These limitations are well recognised in<a href="https://www.edpb.europa.eu/our-work-tools/documents/public-consultations/2022/guidelines-32022-dark-patterns-social-media_en"> data protection law, particularly in debates surrounding consent under the GDPR</a>. What is striking is how little those insights have migrated into consumer protection discourse, despite the increasing convergence of data-driven inference and commercial influence. The result is a regulatory gap: practices that are deeply manipulative in effect, yet difficult to capture through doctrines designed for a different era.</p><p>This is why the Digital Fairness Act must move beyond dark patterns and confront deceptive design at the system-architecture level. Deceptive design, in this sense, does not depend on proving intent in a colloquial or moralised sense. It concerns the strategic organisation of systems in ways that predictably and systematically undermine user autonomy, exploit cognitive vulnerabilities, or entrench power asymmetries, even in the absence of explicit misrepresentation. It is deception produced by optimisation, not by statement.</p><p>Importantly, this is not a radical departure from existing legal principles. EU law has never required deception to take the form of a false assertion. The <a href="https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32005L0029">UCPD</a> already accommodates misleading omissions and aggressive practices. <a href="https://ec.europa.eu/commission/presscorner/detail/en/ip_22_7777">Competition law</a> addresses abuse by its effects rather than by form. 
<a href="https://www.edps.europa.eu/sites/default/files/publication/18-03-19_online_manipulation_en.pdf">Data protection law increasingly grapples with inference, profiling, and behavioural prediction as sources of harm independent of disclosure</a>. What is lacking is not doctrinal capacity, but a willingness to apply these principles to system-level design rather than interface artefacts.</p><p>If the Digital Fairness Act confines itself to codifying a catalogue of prohibited dark patterns, it may be enforceable and politically attractive, but it will be structurally backwards-looking. <strong>Screens can be audited; systems cannot be reduced so easily. Platforms will comply at the surface and compete below it, shifting influence more profoundly into ranking logic, timing strategies, cross-service integration, and monetisation architectures. </strong>The result will be a familiar pattern of formal compliance coupled with substantive evasion.</p><p>By contrast, a Digital Fairness Act that explicitly targets <em>deceptive system design</em> would force a different regulatory conversation. It would require authorities to assess how influence is produced over time, how incentives are aligned within platforms, and how cumulative effects on consumer autonomy should be evaluated. It would also encourage genuine coordination across consumer protection, competition, and data protection regimes, rather than treating fairness as a problem of UX hygiene.</p><p>The Digital Fairness Fitness Check implicitly recognised that the object of regulation has changed. Digital unfairness today is not primarily about misleading screens, but about how systems are designed to shape behaviour across contexts and over time. European consumers have already articulated this reality in their own words. The question now is whether the Digital Fairness Act will be willing to regulate where power actually resides, rather than where it is easiest to see. 
If it does not, it risks becoming a meticulous response to a problem digital markets have already moved beyond.</p><p>It is in this context that I recently wrote to Commissioner Michael McGrath to urge caution against allowing the Digital Fairness Act to crystallise around the language of dark patterns alone. The letter does not argue against regulating manipulative interfaces; it argues that doing so is no longer sufficient. If the Commission accepts, as the Fitness Check implicitly does, that systems rather than screens increasingly produce consumer harm in digital markets, then the regulatory response must follow the same logic. The choice facing the Digital Fairness Act is therefore not whether to act decisively, but whether it is willing to regulate where influence is actually engineered: in the integration of data, inference, ranking, timing, and monetisation into architectures of behavioural control. The letter is an invitation to treat digital fairness not as a problem of design hygiene, but as a question of structural power, and to ensure that the Act speaks to the realities of contemporary digital markets rather than to the residue of an earlier one. 
A copy of my letter can be downloaded here:</p><div class="file-embed-wrapper" data-component-name="FileToDOM"><div class="file-embed-container-reader"><div class="file-embed-container-top"><image class="file-embed-thumbnail-default" src="https://substackcdn.com/image/fetch/$s_!0Cy0!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack.com%2Fimg%2Fattachment_icon.svg"></image><div class="file-embed-details"><div class="file-embed-details-h1">The Digital Fairness Act And The Limits Of Studying Screens</div><div class="file-embed-details-h2">220KB &#8729; PDF file</div></div><a class="file-embed-button wide" href="https://digidata.substack.com/api/v1/file/2d8171b9-d201-4f2a-85d0-f033ceb3fac7.pdf"><span class="file-embed-button-text">Download</span></a></div><a class="file-embed-button narrow" href="https://digidata.substack.com/api/v1/file/2d8171b9-d201-4f2a-85d0-f033ceb3fac7.pdf"><span class="file-embed-button-text">Download</span></a></div></div><p></p><p></p><p></p>]]></content:encoded></item><item><title><![CDATA[The Necessary Retreat ]]></title><description><![CDATA[Why the Digital Omnibus Saves European Regulation from Itself]]></description><link>https://digidata.substack.com/p/the-necessary-retreat</link><guid isPermaLink="false">https://digidata.substack.com/p/the-necessary-retreat</guid><dc:creator><![CDATA[Dr Mark R Leiser]]></dc:creator><pubDate>Tue, 16 Dec 2025 16:45:31 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/0f351a25-71ef-4f37-9a74-ab8ef5b77da0_1024x1536.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p><em>This post continues a series examining the Digital Omnibus reforms through a systems-based lens, with a particular focus on the meaning and function of &#8220;personal data&#8221; in contemporary EU digital governance. 
In <a href="https://digidata.substack.com/p/rethinking-personal-data">Part I,</a> I traced the conceptual fault line running through EU data protection law: whether the category of personal data can still serve as a stable regulatory anchor in an environment increasingly shaped by inference, modelling, and system-level dynamics. <a href="https://digidata.substack.com/p/beyond-adtech-and-anonymisation">Part II</a> moved beyond AdTech and anonymisation debates to interrogate the deeper regulatory aim of data protection itself, arguing that much of the current dysfunction stems not from insufficient scope, but from the uncontrolled expansion of the trigger. <a href="https://digidata.substack.com/p/calibrating-scope-srb-the-digital">Part III</a> then addressed the governance trade-offs between data-anchored and practice-based regulation, showing why the failure of the pre-Omnibus regime lay not in anchoring as such, but in attaching the anchor to everything at once. This post is different. Rather than diagnosing the problem, it focuses on the corrective measures. It explains why the Omnibus&#8217;s SRB-aligned recalibration of personal data is not a retreat from protection but a necessary structural re-engineering of regulatory capacity, and why simplification is the necessary precondition for making Europe&#8217;s increasingly polycentric digital governance framework actually work in practice.</em></p><p>The emerging reaction to the European Commission&#8217;s Digital Omnibus Regulation<a href="#_ftn1">[1]</a> has followed a familiar pattern. 
Commentators rooted in the privacy establishment have described it as a deregulatory surge, a dilution of rights, a capitulation to the supposed technocratic ambitions of the Data Union Strategy.<a href="#_ftn2">[2]</a> Yet this reading collapses once one steps back from doctrinal reflex and views the system through the lens of regulatory design. A system is defined not only by the content of its rules but by the precision of its triggers. For years, the European digital-regulatory architecture has operated under conditions of conceptual inflation, with the definition of personal data<a href="#_ftn3">[3]</a> expanding to encompass virtually every digital artefact.<a href="#_ftn4">[4]</a> The result was regulatory bloating: a structure in which the GDPR attempted to govern the entire informational environment, leaving its overseers unable to distinguish genuine privacy threats from ambient technical noise. <em>The so-called</em> Law of Everything was not a sign of regulatory ambition. It was a symptom of systemic overload.</p><p>The Digital Omnibus must, therefore, be understood not as an erosion of rights but as a necessary corrective. By adopting a relative approach to personal data through the codification of the Single Resolution Board judgment<a href="#_ftn5">[5]</a>, the Commission has begun pruning <em>the semantic</em> overgrowth that had rendered the GDPR&#8217;s conceptual machinery increasingly unusable. This narrowing is the prerequisite for genuine enhancement. It creates space for the system to redirect attention to the <em>syntactic </em>threats that define the contemporary digital economy, including algorithmic bias, structural manipulation, and model-level systemic risks. These challenges are not governed by data classification but by the regulation of outcomes and practices. 
They are addressed only partially and indirectly by the GDPR, and are more coherently and directly governed through the intersection of the AI Act, the Digital Services Act, and the emerging regime of systemic-risk oversight that the GDPR was never designed to carry on its own.</p><h1><strong>A Systems Failure: The Paralysis of the Law of Everything</strong></h1><p>To understand why simplification is vital, one must accept the basic systems diagnosis. Leading scholars such as Purtova and Newell have long argued that the GDPR&#8217;s foundational target became too broad to function as a meaningful regulatory boundary.<a href="#_ftn6">[6]</a> When a dynamic IP address, a hashed identifier, or a weight in a neural network is treated with the same conceptual gravity as a genomic marker<a href="#_ftn7">[7]</a> or a psychotherapy record<a href="#_ftn8">[8]</a>, the law ceases to discriminate between vastly different forms of informational risk. In other words, the <em>signal</em> is lost in the <em>noise</em>.</p><p>The consequence for enforcement was predictable. Data Protection Authorities became consumed by disputes of minimal substantive importance, such as whether a particular cookie identifier contained personal data or whether a pseudonymisation technique met an impossible anonymisation threshold. Their mandate expanded, not because of legislative design, but because the category of personal data had swollen to the point of incoherence. With workloads dictated by definitional sprawl rather than actual harm, authorities were left with insufficient capacity to confront high-risk algorithmic practices, such as the discriminatory scoring systems used in financial access, opaque recommendation engines that shape democratic discourse, or automated workplace management systems that determine conditions of labour. This was not a failure of diligence. 
It was a failure of architecture.</p><h1><strong>The Semantic Trap and the Category Error of AI Governance</strong></h1><p>A core strand of Purtova and Newell&#8217;s critique is that the GDPR&#8217;s paralysis stems from its deep entanglement with semantic conceptions of data. On their account, the Regulation presumes that the harms it governs arise from the handling of information that carries human-interpretable meaning about an identifiable person. That assumption no longer maps cleanly onto the way contemporary digital systems operate. Many of the most consequential harms produced by modern AI systems arise from syntactic operations rather than semantic content: correlations, embeddings, clustering, and high-dimensional statistical inference that do not rely on meaning in any ordinary sense. When an AI system produces discriminatory creditworthiness scores because of skewed training distributions, the harm does not depend on whether the dataset contains names, identifiers, or even directly intelligible attributes. Likewise, when a platform&#8217;s ranking systems systematically demote the speech of minority groups, or when insurers deploy behavioural prediction models derived from mobility or transaction patterns, the operative mechanism is inferential structure rather than personal meaning.</p><p>Where I part company with the way this critique is often taken forward is in the proposed response. Purtova is right to insist that the GDPR does not, and cannot, &#8220;tackle harms&#8221; in the abstract. It was never designed to do so. But the conclusion to be drawn from that insight is not that the GDPR must be stretched further to accommodate syntactic and system-level harms. That move reproduces the problem under a different vocabulary. Attempting to govern discrimination, manipulation, or market power by insisting that these phenomena must first be reframed as personal data problems is precisely what turned the GDPR into a conceptual bottleneck. 
It diverts attention toward metaphysical debates about identifiability while leaving the underlying practices largely untouched.</p><p>There is, moreover, a well-established body of law that is structurally better equipped to address certain classes of these harms directly. Discrimination law, for example, is explicitly oriented toward outcomes, effects, and group-level disadvantage rather than toward the semantics of information processing. Treating these harms as privacy problems has not strengthened protection; it has weakened it by forcing regulators to use tools that were never designed for the task. The point of restoring conceptual discipline to the personal data category is therefore not to deny the reality of syntactic harms, but to stop pretending that privacy law is the proper or sufficient vehicle for governing them.</p><p>Furthermore, the fact that inferences can harm people does not mean that inferences must be included in the definition of personal data. Doing so collapses the distinction between semantic and syntactic operations and reproduces the very overextension that hollowed out the GDPR&#8217;s effectiveness. If every dataset capable of supporting a sensitive inference is treated as personal data, then the Regulation once again becomes a universal solvent, governing everything and therefore governing nothing well. More importantly, expanding the personal data category to capture inferential risk does not regulate inference. It regulates storage and access conditions while leaving the inferential machinery itself largely untouched.</p><p>This is precisely why the inference problem strengthens, rather than undermines, the case for restoring conceptual discipline. Inferences are practices. Models, optimisation functions, ranking systems, and feedback loops produce them. Their harms arise at the level of outcomes and effects, often at the group or population scale. 
They are therefore more coherently governed by regimes designed to interrogate the logic of decision-making, its discriminatory impact, manipulation, and systemic risk. Consumer protection law targets behavioural influence and deception. Competition law confronts data-driven market power. The AI Act directly regulates high-risk inferential systems, including their training, deployment, and impact. Treating inference as a reason to inflate the personal data category is not protective; it is evasive. It allows the system to argue endlessly about whether a dataset is personal while the inferential practices that actually shape people&#8217;s lives continue largely unexamined.</p><p>Attempting to regulate such harms through the conceptual machinery of personal data is therefore a category error. It forces regulators into abstract debates about whether a vector, a probability, or an embedding constitutes personal data, all while the actual societal harm occurs downstream in the model&#8217;s deployment. The Omnibus recognises this misalignment by narrowing the GDPR&#8217;s scope and implicitly acknowledging that AI harms require a governance architecture beyond privacy law. Once this conceptual separation is restored, regulatory attention can shift from a fixation on inputs to a focus on outcomes, from semantics to systems.</p><h1><strong>The Relative Standard as a Regulatory Valve for the AI Economy</strong></h1><p>The central innovation of the Digital Omnibus is the adoption of a relative and context-sensitive definition of personal data, reflecting the Court of Justice&#8217;s reasoning in the SRB judgment<a href="#_ftn9">[9]</a>. Under this standard, information is personal only if the actor in possession of it has the means <em>reasonably likely</em> to identify an individual. This creates a more modular data ecosystem. 
A hospital that retains re-identification capabilities must continue to treat its pseudonymised patient records as personal data, whereas a medical research team receiving the duplicate records under strict organisational and technical isolation need not bear the full weight of GDPR compliance. The relational nature of identifiability finally becomes visible in law.</p><p>This shift unlocks the latent promise of the Data Union Strategy. Data can now flow to where its societal value is highest, including research institutions, public bodies conducting social analytics, and AI developers working on models that address public-interest challenges. Crucially, the GDPR continues to govern the upstream processing where identifiability remains real, but it no longer obstructs downstream innovation in places where the identifiability risk is structurally neutralised. The gain is both conceptual and operational. Regulators recover the bandwidth needed to address systemic harms, while innovators avoid being trapped in administrative loops that absorb resources without advancing privacy protection.</p><h1><strong>Answering the Absolutists: Why Context Does Not Erase Rights</strong></h1><p>Critics, including Sophie Stalla-Bourdillon, warn that this relative standard generates what they describe as Schr&#246;dinger&#8217;s Data, information that is somehow both personal and non-personal depending on the observer.<a href="#_ftn10">[10]</a> Stalla-Bourdillon and other critics argue that this invites confidentiality washing, allowing actors to reclassify personal information through clever organisational structuring.</p><p>The deeper error in the absolutist critique is its failure to reckon with how regulation actually operates under conditions of scarcity. Data protection authorities are not abstract guardians of metaphysical risk; they are institutions with limited staff, limited budgets, and legally bounded mandates. 
Over the past decade, enforcement patterns across the Union have been dominated by high-volume, low-risk disputes over cookies, consent mechanics, and marginal identifiability questions, while structurally harmful practices such as behavioural targeting architectures, algorithmic ranking systems, and extractive data markets have largely escaped sustained intervention. Treating every downstream data flow as personal data does not close this gap; it widens it by locking regulators into endless threshold disputes while the underlying systems continue to operate. Nor does this approach meaningfully constrain AdTech. On the contrary, it benefits the most sophisticated actors, who can absorb compliance friction, litigate definitional ambiguity, and weaponise uncertainty against enforcement. A disciplined, contextual definition of personal data does not create a loophole for <em>surveillance capitalism</em>; it removes the camouflage. It allows regulators to stop arguing about whether data <em>might</em> be personal in theory and to start acting against practices that demonstrably produce harm, whether through the GDPR, where identifiability is real, or through competition, consumer, platform, and AI regulation, where it is not. Protection is not maximised by insisting that one statute do all the work. It is maximised when each instrument is allowed to operate at the point where it can bite hardest.</p><h1><strong>A context-sensitive standard does not withdraw protection; it restores its proportionality.</strong></h1><p>Where a downstream actor lacks both the legal authority and the technical means to re-identify individuals, the capacity to treat data as personal information in any meaningful sense does not exist. In those settings, regulatory responsibility does not vanish but is reallocated. 
Obligations attach through enforceable contractual constraints, organisational and governance controls, sector-specific access regimes under the Data Act, and model-level risk and impact obligations under the AI Act.<strong> This redistribution of regulatory attention reflects a mature understanding of risk, not a deregulatory impulse. </strong>It brings European law into closer alignment with pragmatic, operationalised standards found elsewhere, including the United States&#8217; HIPAA Expert Determination framework<a href="#_ftn11">[11]</a> and Quebec&#8217;s Law 25<a href="#_ftn12">[12]</a>, both of which reject hypothetical identifiability in favour of demonstrable exposure. Far from hollowing out rights, this approach ensures that intervention tracks where harm can actually occur, preserving legal force where it matters and avoiding the ritualised overextension of protection to contexts where it can no longer do meaningful work.</p><h1><strong>Enhanced Regulation: The Natural Consequence of Simplification</strong></h1><p>Once the definitional sprawl of what counts as personal data is brought back into a disciplined, contextually grounded form, the digital regulatory landscape begins to reorder itself in ways that had previously been structurally impossible. A simplified GDPR does not hollow out protection. Instead, it creates the conditions under which the broader constellation of digital regulation can finally operate as designed. Simplification is therefore not the end of regulatory ambition but its necessary precondition. By removing the conceptual clutter that forced the GDPR to masquerade as a universal governing statute, the Digital Omnibus creates space for a more mature, practice-focused model of oversight that is far better suited to the risk vectors of contemporary socio-technical systems. 
It is only once the GDPR ceases to function as the gravitational centre of the regulatory universe that other regimes can begin to exert their intended normative authority.</p><h1><strong>A Shift from Input-Based to Output-Based Regulation</strong></h1><p>The GDPR has always been structured around the governance of inputs. It concerns itself with the collection, organisation, and handling of information. For a long time, this approach made sense because data collection was a discrete act and informational harms were typically linked to clear violations of relational privacy norms. In a digital environment where sensing is ambient, and data is generated continuously as a by-product of participation in economic and social life, regulating inputs is no longer a stable proxy for safeguarding individuals. The Omnibus, therefore, marks the beginning of a structural transition toward output regulation, a form of regulatory logic that focuses on the consequences and externalities of digital systems rather than on policing every informational atom that flows through them.</p><p>This is precisely why the AI Act emerges as the natural inheritor of responsibilities that the GDPR can no longer meaningfully discharge. By clarifying that certain forms of AI training data fall outside the GDPR&#8217;s full scope, the Omnibus ensures that the GDPR continues to govern relational informational practices. In contrast, the AI Act governs systemic technological behaviours. A clear example is the automated creditworthiness assessment. Under the old approach, a regulator might scrutinise whether the training data was pseudonymised correctly. 
Under a simplified approach, the regulator shifts attention to the model itself, evaluating whether its outputs systematically discriminate against particular demographic groups, whether the proxy variables used in the model replicate structural inequities, and whether the training process embeds feedback loops that magnify existing societal distortions. The locus of protection shifts from metaphysical worries about data to real, measurable concerns about outcomes.</p><p>The strategic trade-off here is both principled and proportionate. The European Union relinquishes a fixation on input monitoring that constrained innovation without providing equivalent gains in protection. In return, it secures far more serious scrutiny of outputs such as discriminatory scoring, unsafe automated decision-making, manipulative design patterns, and the propagation of systemic risk. This shift reflects a governance environment that has finally recognised that protecting people often requires intervening at the level of systems, models, infrastructures, and social consequences rather than at the level of individual data points.</p><h1><strong>Addressing the Risks: A &#8220;Trust but Verify&#8221; Model of Governance</strong></h1><p>Simplification is not without risks, but those risks are manageable if the regulatory system is designed with procedural safeguards rather than conceptual absolutism. A systems-based architecture manages vulnerabilities through targeted oversight, well-defined institutional competency, and relational controls.</p><h1><strong>Contractual Cascades and Relational Accountability</strong></h1><p>The relative definition of personal data shifts the centre of gravity from the intrinsic nature of data to the relational structures that define who can do what with it. Accountability becomes less about hypothetical identifiability and more about verifiable constraints. 
The Data Act and the Data Governance Act formalise the infrastructure for trusted data spaces where access is tiered, contractual obligations are enforceable, and technical safeguards are embedded throughout the pipeline. A practical example is cross-border research collaborations in health genomics. Under the old GDPR framework, even highly pseudonymised genomic indicators were treated as personal data by all parties, creating significant friction. Under a relational model, upstream actors are accountable for ensuring that re-identification is impossible, while downstream researchers, who lack the means or legal authority to re-identify, operate under a different regulatory logic that better reflects their actual risk profile. The <em>motivated intruder</em> test (mentioned in my last post) does not disappear. It is repositioned. It becomes a diagnostic instrument rather than the foundational definitional rule. Regulators can still punish entities that fail to secure pseudonymised data or attempt to circumvent de-identification protocols, but they no longer treat all pseudonymised data as inherently dangerous.</p><h1><strong>Sectoral Precision and the Rebalancing of Regulatory Labour</strong></h1><p>Purtova&#8217;s call for sector-specific legislation is not a critique of simplification. It is its corroboration. (<em>I should probably add here, I&#8217;ve also said in every class I&#8217;ve ever taught on data protection over the past ten years that if I had my way, I would have had a narrow GDPR and sector-specific rules rather than the bloated behemoth that we have now</em>). A narrowed GDPR creates the institutional space for sectoral regimes to mature. Workplace surveillance can be governed through labour law grounded in power asymmetries and collective bargaining principles. Manipulative design can be governed through, amongst other things, consumer protection doctrines that address coercion and distortion of choice. 
The European Health Data Space<a href="#_ftn13">[13]</a> can confront the risks of biomedical inference that the GDPR was never built to address. Competition authorities can examine the accumulation of behavioural datasets through the lens of market power and exclusionary conduct rather than shoehorning these concerns into profiling provisions. <strong>The Omnibus is the mechanism that enables this redistribution of regulatory labour.</strong> It returns the GDPR to its constitutional domain and forces other legal orders to govern the harms that fall within their normative remit.</p><h1><strong>Conclusion: The Emergence of a Mature Regulatory Order</strong></h1><p>The Digital Omnibus marks a pivotal transition in European digital governance. For more than a decade, the GDPR has been asked to perform the functions of a privacy statute, a competition instrument, a consumer protection regime, a labour regulation framework, and a platform governance tool. No system could remain coherent under such pressures. Simplification is the necessary corrective. By adopting an SRB-aligned, contextual, relational definition of personal data, the Commission restores the internal logic of data protection and strengthens the broader regulatory ecosystem. The result is not a diminution of rights but a reinforcement of them through a governance architecture that is more modular, more risk-aware, and more institutionally aligned.</p><p><strong>This is not deregulation.</strong> It is the transition from a brittle, overextended system to one capable of addressing systemic harms with clarity and precision. It is how Europe avoids becoming a digital jurisdiction defined by conceptual sprawl and practical stagnation. And it is how the real work of digital governance can finally begin.</p><p><em>In the coming posts this week, I will take this argument further by examining how contextual identifiability does not merely coexist with strong data protection but actively enhances it. 
One strand will focus on Privacy Enhancing Technologies, showing how a disciplined definition of personal data creates incentives for genuine de-identification, architectural minimisation, and privacy-by-design practices that have been systematically undermined by absolutist scope. Another will return inside the GDPR itself, to show how provisions such as Article 25 and the Article 5 principles regain practical force once they are reconnected to real identifiability rather than hypothetical exposure. The broader claim running through the series remains the same: the future of European data protection does not lie in stretching the GDPR until it fractures, but in refining its scope so that it can operate with doctrinal integrity, enforcement credibility, and systemic coherence within a genuinely polycentric regulatory order.</em></p><div><hr></div><p><a href="#_ftnref1">[1]</a> Digital Omnibus Regulation Proposal at https://digital-strategy.ec.europa.eu/en/library/digital-omnibus-regulation-proposal</p><p><a href="#_ftnref2">[2]</a> https://digital-strategy.ec.europa.eu/en/policies/data-union</p><p><a href="#_ftnref3">[3]</a> Article 4 (1), GDPR.</p><p><a href="#_ftnref4">[4]</a> Breyer v Bundesrepublik Deutschland (C-582/14, 2016); Nowak v Data Protection Commissioner (C-434/16, 2017); Jehovan todistajat (C-25/17, 2018); Wirtschaftsakademie Schleswig-Holstein (C-210/16, 2018); Fashion ID (C-40/17, 2019)</p><p><a href="#_ftnref5">[5]</a> SRB v EDPS (C-413/23 P, 2024/2025)</p><p><a href="#_ftnref6">[6]</a> Nadezhda Purtova &amp; Bryce Newell (2024), <em>&#8220;Against Data Fixation: Why &#8216;Data&#8217; Fails as a Regulatory Target for Data Protection Law and What to Do About It,&#8221;</em> discussion draft (27 June 2024).</p><p><a href="#_ftnref7">[7]</a> Kuru, T. (2021). Genetic Data: The Achilles&#8217; Heel of the GDPR?. <em>Eur. Data Prot. L. 
Rev.</em>, <em>7</em>, 45.</p><p><a href="#_ftnref8">[8]</a> Tobias Mayer, Neha Warikoo, Oliver Grimm, Andreas Reif and Iryna Gurevych, &#8216;GDPR-Compliant Collection of Therapist&#8211;Patient Dialogues&#8217; (arXiv preprint, 22 November 2022) arXiv:2211.12360 <a href="https://arxiv.org/abs/2211.12360">https://arxiv.org/abs/2211.12360</a></p><p><a href="#_ftnref9">[9]</a> Paras 75-79, SRB v EDPS.</p><p><a href="#_ftnref10">[10]</a> Sophie Stalla-Bourdillon (2025), <em>&#8220;D&#233;j&#224; vu in data protection law: the risks of rewriting what counts as personal data,&#8221;</em> Privacy &amp; Data Protection 26(2), 9&#8211;13.</p><p><a href="#_ftnref11">[11]</a> US Department of Health and Human Services, <em>Guidance Regarding Methods for De-identification of Protected Health Information in Accordance with the HIPAA Privacy Rule</em> (HHS, 2012, updated) <a href="https://www.hhs.gov/hipaa/for-professionals/special-topics/de-identification/index.html">https://www.hhs.gov/hipaa/for-professionals/special-topics/de-identification/index.html</a></p><p><a href="#_ftnref12">[12]</a> Act to modernize legislative provisions as regards the protection of personal information, SQ 2021, c 25 (Quebec).</p><p><a href="#_ftnref13">[13]</a> https://health.ec.europa.eu/ehealth-digital-health-and-care/european-health-data-space-regulation-ehds_en</p>]]></content:encoded></item><item><title><![CDATA[Calibrating Scope: SRB, the Digital Omnibus, and the Engineering of GDPR’s Next Phase]]></title><description><![CDATA[From the &#8220;Law of Everything&#8221; to a Governable System of Rights and Risks]]></description><link>https://digidata.substack.com/p/calibrating-scope-srb-the-digital</link><guid isPermaLink="false">https://digidata.substack.com/p/calibrating-scope-srb-the-digital</guid><dc:creator><![CDATA[Dr Mark R Leiser]]></dc:creator><pubDate>Fri, 12 Dec 2025 11:09:02 GMT</pubDate><enclosure 
url="https://substackcdn.com/image/fetch/$s_!aQ0K!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F500a70c0-d32f-4df9-9f3d-6aa2f639a0d1_600x422.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p><em>The first three posts (<a href="https://digidata.substack.com/p/rethinking-personal-data">I</a>, <a href="https://digidata.substack.com/p/beyond-adtech-and-anonymisation">II</a>, and <a href="https://digidata.substack.com/p/simplification-and-governance-trade?r=4k65m8">III</a>) in this series mapped the conceptual terrain. Part I traced the clash between expansive and restrained notions of personal data, while Part II argued that a disciplined, SRB-aligned conception of identifiability is a precondition for making sense of AdTech and anonymisation. Part III examined how a refined, SRB-aligned definition of personal data repositions the GDPR within the broader digital governance ecosystem, and how that shift reframes the long-standing tension between data-anchored regulation and the emerging practice-based models that target harms irrespective of data type. Part IV shifts register. Rather than asking what personal data ought to mean in the abstract, it examines how the combination of the SRB judgment and the Digital Omnibus proposal re-engineers the GDPR as a regulatory system. 
The question is not only whether simplification is normatively attractive, but whether this particular configuration of case law and legislative reform can make the regime more tractable, more predictable, and more capable of sharing the regulatory load with other instruments in the EU&#8217;s digital law ecosystem.</em></p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!aQ0K!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F500a70c0-d32f-4df9-9f3d-6aa2f639a0d1_600x422.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!aQ0K!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F500a70c0-d32f-4df9-9f3d-6aa2f639a0d1_600x422.jpeg 424w, https://substackcdn.com/image/fetch/$s_!aQ0K!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F500a70c0-d32f-4df9-9f3d-6aa2f639a0d1_600x422.jpeg 848w, https://substackcdn.com/image/fetch/$s_!aQ0K!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F500a70c0-d32f-4df9-9f3d-6aa2f639a0d1_600x422.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!aQ0K!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F500a70c0-d32f-4df9-9f3d-6aa2f639a0d1_600x422.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!aQ0K!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F500a70c0-d32f-4df9-9f3d-6aa2f639a0d1_600x422.jpeg" width="600" height="422" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/500a70c0-d32f-4df9-9f3d-6aa2f639a0d1_600x422.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:422,&quot;width&quot;:600,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:12374,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/jpeg&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://digidata.substack.com/i/181413613?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F500a70c0-d32f-4df9-9f3d-6aa2f639a0d1_600x422.jpeg&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!aQ0K!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F500a70c0-d32f-4df9-9f3d-6aa2f639a0d1_600x422.jpeg 424w, https://substackcdn.com/image/fetch/$s_!aQ0K!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F500a70c0-d32f-4df9-9f3d-6aa2f639a0d1_600x422.jpeg 848w, https://substackcdn.com/image/fetch/$s_!aQ0K!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F500a70c0-d32f-4df9-9f3d-6aa2f639a0d1_600x422.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!aQ0K!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F500a70c0-d32f-4df9-9f3d-6aa2f639a0d1_600x422.jpeg 1456w" sizes="100vw" fetchpriority="high"></picture></div></a></figure></div><p><strong>SRB as Systems Engineering, Not Just Doctrinal Pivot</strong></p><p>The Court&#8217;s judgment in <em>EDPS v Single Resolution Board<strong><a href="#_ftn1">[1]</a></strong></em> has already been analysed for its implications for pseudonymised information. For present purposes, what matters is how SRB reconfigures the allocation of burdens under the GDPR among different actors in the same processing chain. SRB formalises a relational test. Information does not acquire &#8220;personal&#8221; status in the abstract; it becomes personal in the hands of a particular actor who has, in practice and in law, the means reasonably likely to identify the person. 
That might look like a narrow doctrinal point, but as a piece of systems engineering, it performs three critical moves.</p><p>First, it introduces a form of <strong>modularity</strong> into the regime. A dataset can be personal for the originating institution that holds the key and non-personal for a downstream recipient that does not. That modularity matters because it allows different layers of the system to carry different <em>compliance </em>obligations without pretending they are in the same <em>risk</em> position. It is the difference between treating everyone as a <em>potential</em> re-identifier and acknowledging that capability is <strong>unevenly distributed</strong>.</p><p>Second, SRB changes the informational assumptions built into enforcement. Before SRB, regulators and litigants often argued about what <em>hypothetical adversaries might do with data</em>. The Court instead focuses on what specific actors can realistically do, given their context, resources, and legal constraints. That shift from hypothetical to situated analysis is classic systems thinking; it ties the trigger for regulation to the actual causal structure of risk rather than to thought experiments.</p><p>Third, SRB implicitly invites a redesign of data governance inside organisations. Controllers that wish to take advantage of the relational conception of personal data must be able to demonstrate that their internal separation of roles, technical measures, and contractual arrangements genuinely prevent re-identification. <em>Contextual identifiability</em> is not a free pass. It is an engineering challenge: design your systems so that the boundary between <em>identifiable</em> and <em>non-identifiable</em> is real, enforceable, and auditable.</p><p>Taken together, these moves point away from the image of the GDPR as a monolithic wall and toward a layered system in which duties follow from an actor&#8217;s position in the architecture. 
That is the landscape into which the Digital Omnibus proposal now steps.</p><p><strong>The Digital Omnibus as Blueprint for Scoped Simplification</strong></p><p>Where SRB operates as judicial calibration, the Digital Omnibus functions as a legislative blueprint.<a href="#_ftn2">[2]</a> It writes <em>entity-specific</em> identifiability into Article 4(1) and extends the logic of <em>contextuality</em> into adjacent domains, notably AI training and low-risk processing. At a design level, two aspects of the proposal are particularly significant.</p><p>The <strong>first </strong>is the attempt to tie the definition of personal data to tools and capacities. Information is not personal for a given entity if that entity lacks means reasonably likely to be used to identify the person. The controversial move here is not the notion of relativity itself, which <em>SRB</em> already endorsed, but the decision to codify it in a general definition rather than leave it to case law. In governance terms, codification is a commitment device: it tells controllers, DPAs, and courts that contextuality is not a marginal doctrine but a <em>structural feature</em> of the regime.</p><p>The second is the way the Omnibus uses that refined trigger to redesign specific compliance burdens. The headline example is AI training. By clarifying that incidental special category data in large training sets need not trigger the full panoply of GDPR obligations when those data are not used to make decisions about individuals, the proposal seeks to disentangle syntactic, large-scale modelling from semantic, person-level decision-making. From a systems perspective, this is less about favouring innovation for its own sake than about placing the heavy artillery of data protection where it can actually bite.</p><p>These moves are not risk-free, and critics are right to be suspicious of legislative rhetoric about simplification. 
But it is essential to see that the Omnibus is not simply &#8220;shrinking&#8221; the GDPR. It is repointing its scope, using the SRB logic as a hinge. The open question is whether the surrounding architecture is strong enough to carry the functions that fall outside that scope.</p><p><strong>Calibration Across Regimes: What the Comparisons Really Tell Us</strong></p><p>Any discussion of definitional reform now triggers the comparative reflex: how does this look next to the UK GDPR&#8217;s &#8220;motivated intruder&#8221; test<a href="#_ftn3">[3]</a>, or HIPAA&#8217;s twin tracks of safe harbour and expert determination?<a href="#_ftn4">[4]</a> The risk is that comparative law becomes a beauty contest about who has the strictest anonymisation standard. A systems view asks a different question: how do these standards shape the <em>system&#8217;s behaviour</em> as a whole?</p><p>The UK&#8217;s motivated intruder test explicitly assumes an adversary with determination, resources, and a realistic chance of success. 
It is a vivid heuristic that has helped practitioners think more concretely about the risk of re-identification.<a href="#_ftn5">[5]</a> HIPAA, by contrast, wraps de-identification in either a checklist of removed identifiers or a requirement for expert statistical assessment.<a href="#_ftn6">[6]</a> Both regimes embed an expectation that someone will perform and document a structured analysis.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!LcfM!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F64e4ae46-65d7-4ca4-b44e-8033c70a6e03_1166x768.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!LcfM!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F64e4ae46-65d7-4ca4-b44e-8033c70a6e03_1166x768.jpeg 424w, https://substackcdn.com/image/fetch/$s_!LcfM!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F64e4ae46-65d7-4ca4-b44e-8033c70a6e03_1166x768.jpeg 848w, https://substackcdn.com/image/fetch/$s_!LcfM!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F64e4ae46-65d7-4ca4-b44e-8033c70a6e03_1166x768.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!LcfM!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F64e4ae46-65d7-4ca4-b44e-8033c70a6e03_1166x768.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!LcfM!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F64e4ae46-65d7-4ca4-b44e-8033c70a6e03_1166x768.jpeg" 
width="1166" height="768" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/64e4ae46-65d7-4ca4-b44e-8033c70a6e03_1166x768.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:768,&quot;width&quot;:1166,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;Motivated Intruder Tests - Good Research&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="Motivated Intruder Tests - Good Research" title="Motivated Intruder Tests - Good Research" srcset="https://substackcdn.com/image/fetch/$s_!LcfM!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F64e4ae46-65d7-4ca4-b44e-8033c70a6e03_1166x768.jpeg 424w, https://substackcdn.com/image/fetch/$s_!LcfM!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F64e4ae46-65d7-4ca4-b44e-8033c70a6e03_1166x768.jpeg 848w, https://substackcdn.com/image/fetch/$s_!LcfM!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F64e4ae46-65d7-4ca4-b44e-8033c70a6e03_1166x768.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!LcfM!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F64e4ae46-65d7-4ca4-b44e-8033c70a6e03_1166x768.jpeg 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><p>The emerging EU model will look different if the Omnibus passes in anything like its current form. Entity-specificity, contextual assessments, and implementing acts that can set sectoral or purpose-specific benchmarks together form a more distributed architecture. Instead of a single test applied everywhere, we get a configurable set of criteria that can be adjusted over time and across domains.</p><p>The trade-off is clear. The checklist and motivated intruder models offer legibility: everyone knows the game. The SRB&#8211;Omnibus model offers plasticity: the game can be altered as technology and practice evolve. Plasticity is powerful but dangerous. 
It requires institutions capable of setting, updating, and enforcing standards at a pace that does not lag too far behind the technologies they govern.</p><p>What matters, in other words, is not only the letter of the definition but the governance capacity that surrounds it. The EU&#8217;s advantage is its dense web of expert bodies, from the EDPB to sectoral regulators and standardisation organisations. Its challenge is coordination.</p><p><strong>Systems-Based Efficiency: Reallocating Scarce Attention</strong></p><p>If we take seriously the idea that regulation is a system, then the most precious resource in that system is not legal text but attention. DPAs have finite bandwidth. So do controllers&#8217; legal and engineering teams. The promise of <em>SRB</em> plus Omnibus is that, by tightening the trigger for when the GDPR applies, the system can reallocate attention away from low-risk, low-impact processing and toward the practices that actually matter.</p><p>The early evidence, although anecdotal, points in that direction. Public bodies report fewer full-scale DPIAs for routine pseudonymised consultations and surveys. Ethics committees in universities and research institutes have begun to distinguish sharply between projects in which identifiability is genuinely possible and those in which technical and organisational measures render it remote. Legal advice circulated in professional networks now treats relational identifiability as a serious consideration rather than as a speculative thought experiment.</p><p>This is not to romanticise practice. There will be controllers who use contextuality as camouflage, and regulators who are tempted to accept that camouflage at face value. But from a systems standpoint, the key question is whether the overall pattern of attention shifts. 
If DPAs can spend less time on high-volume, low-stakes complaints and more time on systemic infringements, the regime becomes more than the sum of its parts.</p><p>A refined scope also has knock-on effects for other areas of law. When less is pulled into the gravitational field of personal data, competition authorities, consumer protection agencies, labour inspectorates, and sectoral regulators find more room to act without worrying that they are trespassing into GDPR territory. That is the deeper efficiency gain: not that any single case becomes easier, but that the architecture as a whole can specialise.</p><p><strong>Balancing Innovation and Rights Without Manichaean Narratives</strong></p><p>Discussions of simplification in EU data law tend to polarise into suspicious binaries: either one is &#8220;pro-innovation&#8221; and therefore cavalier about rights, or &#8220;pro-rights&#8221; and consequently hostile to any easing of burdens. A systems-of-regulation perspective undercuts that framing.</p><p>On the innovation side, the SRB&#8211;Omnibus package reduces friction for specific processing categories. The most obvious beneficiaries are AI developers and research institutions that can credibly demonstrate they operate with pseudonymised or otherwise non-identifiable data in environments where re-identification is neither technically feasible nor legally permitted. For those actors, the shift from an absolute to a contextual definition reduces the need for elaborate compliance choreography that was never well calibrated to their actual risk profile.</p><p>On the rights side, the same package can be read as redistributing protection rather than diluting it. The ability to treat some processing as outside the scope of GDPR has meaning only if other instruments are equipped to address the harms that fall through that gap. That is where the parallel evolution of the AI Act, the Digital Services Act, and sectoral frameworks matters. 
If these instruments are enforced with seriousness, the net effect can be greater protection for individuals and groups, even if fewer operations are formally classified as personal data processing.</p><p>The hard work, then, is not to declare oneself on one side or the other of an innovation-versus-rights divide, but to ensure that the overall regulatory system does not leave pockets of risk unaddressed. That is an institutional design problem, not a definitional one.</p><p><strong>Governance Trade-offs and the Question of Trust</strong></p><p>A relational definition of personal data necessarily imports relational forms of trust. If a dataset is only non-personal because a recipient is constrained from re-identifying, the system&#8217;s efficacy depends on those constraints being authentic and enforceable. That raises familiar concerns about contractual governance, technical compliance, and cross-border enforcement. From a systems angle, there are at least three trade-offs to acknowledge:</p><p>The first concerns <strong>verification</strong>. Regulators will need tools and authority to audit claims about identifiability. That may mean more frequent use of on-site inspections, technical testing, and independent certification schemes. It also suggests a larger role for ex post enforcement: punishing breaches of contextual constraints rather than relying solely on ex ante categorial rules.</p><p>The second concerns <strong>fragmentation</strong>. As contextuality hardens into practice, there is a risk that different sectors develop divergent standards for when information ceases to be personal. Health data spaces, financial services, mobility ecosystems, and platform environments may each craft their own understanding. Some diversity is healthy; it allows regulation to track sector-specific risk. Too much diversity, however, creates uncertainty and incentives for forum shopping. 
The Omnibus&#8217;s reliance on implementing acts and EDPB input is an attempt to keep that diversity within a coordinated framework, but the test will be institutional agility.</p><p>The third concerns <strong>legitimacy</strong>. A recalibrated GDPR will only command public trust if people can see that simplification is not a euphemism for abandoning protection. That is a narrative challenge as much as a legal one. Explaining why specific flows are treated as low risk and which other instruments guard against harm will become a central task for regulators and policymakers. Silence will be read as weakness.</p><p><strong>Toward Part IV: Simplification as Precondition for Enhanced Regulation</strong></p><p>This fourth instalment has treated <em>SRB</em> and the Digital Omnibus as components of a systems update. Together, they refine the scope of the GDPR, alter how identifiability is understood in practice, and redistribute regulatory attention across the broader digital law ecosystem. They do not resolve, once and for all, the tension between expansive and restrained visions of personal data that Part I mapped, nor do they settle the sector-specific controversies explored in Part II. What they do is create the preconditions for a different style of regulation, one that is less fixated on data as such and more comfortable with practice-based, output-oriented control. The following post in the series picks up that thread directly. Part IV, <em>&#8220;The Necessary Retreat: Why the Digital Omnibus Saves European Regulation from Itself&#8221;</em>, develops the argument that this scoped simplification is not merely tolerable but essential. 
It makes the case that only by stepping back from the law of everything can European data protection and digital regulation mature into a modular, resilient, and genuinely effective system.</p><div><hr></div><p><a href="#_ftnref1">[1]</a> Case C-413/23 P European Data Protection Supervisor v Single Resolution Board EU:C:2025:645 (Judgment of the Court (First Chamber), 4 September 2025).</p><p><a href="#_ftnref2">[2]</a> Digital Omnibus Regulation Proposal, https://digital-strategy.ec.europa.eu/en/library/digital-omnibus-regulation-proposal</p><p><a href="#_ftnref3">[3]</a> ICO, &#8220;How do we ensure anonymisation is effective?&#8221;, https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/data-sharing/anonymisation/how-do-we-ensure-anonymisation-is-effective/#motivatedintruder</p><p><a href="#_ftnref4">[4]</a> Modes of De-identification, https://pmc.ncbi.nlm.nih.gov/articles/PMC5977668/</p><p><a href="#_ftnref5">[5]</a> Office for National Statistics, https://www.ons.gov.uk/methodology/methodologytopicsandstatisticalconcepts/disclosurecontrol/guidanceonintrudertesting; see also the guidance: &#8220;the &#8216;motivated intruder&#8217; is reasonably competent, has access to resources such as the internet, libraries, and all public documents, and would employ investigative techniques such as making enquiries of people who may have additional knowledge of the identity of the data subject or advertising for anyone with information to come forward&#8221;.</p><p><a href="#_ftnref6">[6]</a> U.S. 
Department of Health &amp; Human Services, &#8216;Guidance Regarding Methods for De-identification of Protected Health Information in Accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule&#8217; (HHS, 3 Feb 2025) https://www.hhs.gov/hipaa/for-professionals/special-topics/de-identification/index.html  accessed 12 December 2025.</p>]]></content:encoded></item><item><title><![CDATA[Simplification and Governance Trade Offs in the Omnibus]]></title><description><![CDATA[Data as Anchor and Practice-Based Regulation]]></description><link>https://digidata.substack.com/p/simplification-and-governance-trade</link><guid isPermaLink="false">https://digidata.substack.com/p/simplification-and-governance-trade</guid><dc:creator><![CDATA[Dr Mark R Leiser]]></dc:creator><pubDate>Thu, 11 Dec 2025 08:39:29 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/f3f8ddf0-217c-42a2-92ae-56c022d38cfa_318x159.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p><em>This third instalment builds directly on the analytical foundations established in Parts I and II. Post I set out the clash between expansive and disciplined conceptions of personal data, while Post II examined how SRB-aligned simplification helps recover the true aim of data protection by preventing the GDPR from drifting into the &#8220;law of everything&#8221;. This post turns to the next layer of the argument: the governance consequences of that conceptual recalibration. Once the definition of personal data is narrowed to the domain in which it has legitimate regulatory traction, the entire architecture of EU digital regulation begins to look different. The key question becomes not merely what personal data is, but how the boundary around it redistributes regulatory functions across the wider system. 
That is the trade-off at the heart of this post: whether a refined data anchor stabilises governance, or whether a shift toward practice-based regulation is needed to absorb the digital harms that fall outside that anchor. <a href="https://digidata.substack.com/p/rethinking-personal-data?r=4k65m8">Part I of the series</a>&nbsp;can be found here.&nbsp;<a href="https://digidata.substack.com/p/beyond-adtech-and-anonymisation?r=4k65m8">Part II can be found here</a>.</em></p><div><hr></div><p><strong>Introduction</strong></p><p>A recalibrated conception of personal data does more than tidy up definitional ambiguity. It forces a reconsideration of the governance architecture in which the GDPR operates and, by extension, the role that data protection can realistically play in Europe&#8217;s broader digital regulatory constitution. For years, the GDPR has functioned not just as a privacy statute but as the gravitational centre of EU digital law. Competition authorities, consumer protection agencies, media regulators, labour inspectorates, and cybersecurity bodies have interpreted their mandates through, or against, the conceptual structure of the GDPR. This was never intentional. It was an emergent consequence of a legal system whose definitional trigger expanded to cover almost all modern data processing. 
As the GDPR expanded beyond its design, it warped the surrounding regulatory ecosystem, producing the phenomenon Purtova warned about: the &#8220;law of everything&#8221;.<a href="#_ftn1">[1]</a> The system began to treat personal data as the universal substrate of digital life and the GDPR as the universal solvent for digital harms.</p><p>This section examines the governance implications of stepping back from that universalism. The move from an absolute notion of personal data to a contextual, SRB-aligned<a href="#_ftn2">[2]</a> understanding is not simply a doctrinal refinement. It is a redistribution of regulatory authority. It determines which instruments govern which harms, how institutional competencies are allocated, and whether Europe ends up with a coherent, <em>polycentric digital regulatory<strong><a href="#_ftn3">[3]</a></strong></em> system or a fragmented patchwork in which multiple instruments compete for jurisdiction.</p><p><strong>Anchors and Alternatives: Two Models of Regulatory Intervention</strong></p><p>The central debate can be framed as a question of anchoring. Should regulatory intervention hinge on whether information qualifies as personal data? Or should the trigger be the nature of the practice and the harm it generates, regardless of the informational substrate involved? 
Purtova and Newell push hard for the latter, arguing that the data anchor inherently misaligns regulatory effort by tying intervention to a category that no longer predicts where digital harms arise.<a href="#_ftn4">[4]</a> In their view, the GDPR&#8217;s conceptual architecture cannot serve as the backbone of modern governance because harms now emerge from inference, modelling, and system-level dynamics, not from the handling of identifiable information as such.</p><p>What this argument underplays, however, is that the collapse they describe is not the inevitable consequence of anchoring but of <em>overextension</em>. It was the inflation of &#8220;personal data&#8221; into a universal solvent that destabilised the architecture: once everything became personal data, the GDPR was forced to operate simultaneously as a labour law, a consumer protection regime, an antitrust instrument, a platform governance statute, and a general-purpose algorithmic accountability framework. No legal system can carry that much conceptual freight without deforming under the strain. Yet, in this sense, collapse is not terminal. It is reversible precisely because it arises from a definitional distortion rather than a structural impossibility. By recalibrating the trigger, through SRB&#8217;s contextual identifiability<a href="#_ftn5">[5]</a> and the Omnibus&#8217;s clarification of entity-relativity<a href="#_ftn6">[6]</a>, the system can be restored to functional coherence. 
The GDPR can return to its constitutional domain while the surrounding regulatory ecosystem reclaims the terrain that should never have been ceded to data protection in the first place.</p><div class="captioned-image-container"><figure><a class="image-link image2" target="_blank" href="https://substackcdn.com/image/fetch/$s_!AMCK!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb53b4424-c934-4f81-90d6-d5adb299c1ef_318x159.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!AMCK!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb53b4424-c934-4f81-90d6-d5adb299c1ef_318x159.jpeg 424w, https://substackcdn.com/image/fetch/$s_!AMCK!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb53b4424-c934-4f81-90d6-d5adb299c1ef_318x159.jpeg 848w, https://substackcdn.com/image/fetch/$s_!AMCK!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb53b4424-c934-4f81-90d6-d5adb299c1ef_318x159.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!AMCK!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb53b4424-c934-4f81-90d6-d5adb299c1ef_318x159.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!AMCK!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb53b4424-c934-4f81-90d6-d5adb299c1ef_318x159.jpeg" width="548" height="274" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/b53b4424-c934-4f81-90d6-d5adb299c1ef_318x159.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:159,&quot;width&quot;:318,&quot;resizeWidth&quot;:548,&quot;bytes&quot;:19089,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/jpeg&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://digidata.substack.com/i/181313500?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb53b4424-c934-4f81-90d6-d5adb299c1ef_318x159.jpeg&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!AMCK!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb53b4424-c934-4f81-90d6-d5adb299c1ef_318x159.jpeg 424w, https://substackcdn.com/image/fetch/$s_!AMCK!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb53b4424-c934-4f81-90d6-d5adb299c1ef_318x159.jpeg 848w, https://substackcdn.com/image/fetch/$s_!AMCK!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb53b4424-c934-4f81-90d6-d5adb299c1ef_318x159.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!AMCK!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb53b4424-c934-4f81-90d6-d5adb299c1ef_318x159.jpeg 1456w" sizes="100vw" loading="lazy"></picture><div></div></div></a></figure></div><p>As I have argued in my previous posts, the dichotomy (data-anchored regulation versus practice-anchored regulation) collapses under closer scrutiny. 
Data protection is one instrument within a multi-instrument governance framework, and the real question is how this instrument interacts with the others. The failure of the pre-Omnibus system was not that the GDPR had a data anchor. It was that the anchor had been attached to a category so vast that it rendered itself meaningless. When personal data becomes synonymous with information, the GDPR becomes structurally misaligned. It must either attempt to regulate every digital harm or contort its doctrines to address harms that fall entirely outside its normative scope. Under such conditions, any anchor would fail, not because anchoring is wrong, but because it was tied to everything at once.</p><p><strong>SRB as the Reconstitution of a Viable Anchor</strong></p><p>Once the definitional perimeter becomes real rather than theoretical, the anchor stabilises. Personal data becomes a legally and conceptually intelligible category again. Within that sphere, the GDPR&#8217;s architecture operates with remarkable internal coherence. Purpose limitation, fairness, transparency, minimisation, rights, obligations, and accountability hang together precisely because they are designed for the relational management of person-linked information. Outside that sphere, the GDPR&#8217;s tools lose traction. They were never intended to regulate harms that do not turn on identifiability or personal information.</p><p>Consider the now-common situation in which a public authority transmits a fully pseudonymised dataset to an academic research team that lacks any technical or legal means to re-identify the subjects. Under the pre-SRB absolutist model, this transfer triggered full GDPR compliance, from data subject rights to DPIAs, despite the receiving actors having no capacity to link the data back to individuals. 
Regulators and institutions spent disproportionate time navigating theoretical privacy risks rather than evaluating the study&#8217;s substantive research ethics or societal impact. Post-SRB, that same flow can be treated as non-personal from the recipient&#8217;s perspective, allowing the GDPR to govern the authority&#8217;s upstream processing while freeing downstream actors from obligations that served no protective purpose. The result is not deregulation but doctrinal precision: the GDPR applies where its logic fits and recedes where its machinery is orthogonal to the activity&#8217;s actual risk profile.</p><p>(Thanks to Peter Craddock for this example) Consider a weekly grocery shop. A woman buys tampons and a pack of paracetamol. The shop&#8217;s till system inevitably produces an itemised receipt, and (if the store uses a loyalty card) logs that transaction in her profile. From a purely formalistic, pre-SRB lens, the mere fact that this <em>could</em> reveal something about her reproductive status drags the whole thing into Article 9 territory. The data controller must suddenly imagine itself handling quasi-clinical health data because someone, somewhere, could infer a biological fact from a menstrual-related purchase.</p><p>Carried to its logical extreme, the shop would need explicit consent to print a receipt, plus a DPIA for the loyalty programme, because the metadata might whisper something about ovulation cycles. This is where legal formalism turns into a parody of itself, treating ordinary retail logistics as a high-risk health dossier. Once you reintroduce SRB&#8217;s contextual actor-perspective, the fog clears. The supermarket processes a purchase to take payment, manage stock, and show the customer what she bought. None of these purposes creates a meaningful intrusion. Nothing is being inferred, profiled, or actioned. There is no downstream vulnerability exploitation. 
So even if a &#8220;health inference&#8221; is theoretically latent, the supermarket&#8217;s handling of the receipt data poses essentially no risk, and the GDPR&#8217;s special-category machine would add no real protection.</p><div class="captioned-image-container"><figure><a class="image-link image2" target="_blank" href="https://substackcdn.com/image/fetch/$s_!0drK!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F04838be8-3e6e-4783-a5d9-d206111602f1_275x183.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!0drK!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F04838be8-3e6e-4783-a5d9-d206111602f1_275x183.jpeg 424w, https://substackcdn.com/image/fetch/$s_!0drK!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F04838be8-3e6e-4783-a5d9-d206111602f1_275x183.jpeg 848w, https://substackcdn.com/image/fetch/$s_!0drK!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F04838be8-3e6e-4783-a5d9-d206111602f1_275x183.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!0drK!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F04838be8-3e6e-4783-a5d9-d206111602f1_275x183.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!0drK!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F04838be8-3e6e-4783-a5d9-d206111602f1_275x183.jpeg" width="545" height="362.6727272727273" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/04838be8-3e6e-4783-a5d9-d206111602f1_275x183.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:183,&quot;width&quot;:275,&quot;resizeWidth&quot;:545,&quot;bytes&quot;:8948,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/jpeg&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://digidata.substack.com/i/181313500?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F04838be8-3e6e-4783-a5d9-d206111602f1_275x183.jpeg&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!0drK!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F04838be8-3e6e-4783-a5d9-d206111602f1_275x183.jpeg 424w, https://substackcdn.com/image/fetch/$s_!0drK!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F04838be8-3e6e-4783-a5d9-d206111602f1_275x183.jpeg 848w, https://substackcdn.com/image/fetch/$s_!0drK!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F04838be8-3e6e-4783-a5d9-d206111602f1_275x183.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!0drK!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F04838be8-3e6e-4783-a5d9-d206111602f1_275x183.jpeg 1456w" sizes="100vw" loading="lazy"></picture><div></div></div></a></figure></div><p>Shift the context, though, and the legal picture changes. 
Imagine the same supermarket deciding to run an &#8220;early-fertility optimisation&#8221; micro-targeting programme: analysing menstrual-adjacent purchases as signals, and then pushing ads for fertility supplements, prenatal vitamins, or pregnancy-related services. This is no longer routine retail processing. This is a new purpose, an inferential leap, and a profiling use that exploits a sensitive dimension of her private life. The risk increases, autonomy is pressured, and the GDPR&#8217;s protective logic now fits the activity. The same underlying data becomes regulated because <em>what the actor is doing with it</em> crosses into a domain where harms become real rather than theoretical.</p><p>In other words, it is not the purchase of the tampon that matters; it is the <em>social choreography</em> around its use. Receipts are boring. Profiling vulnerabilities is not. The GDPR should conserve its energy for the latter. Introducing meaningful regulation of <em>risk</em>, rather than reflexive regulation of inputs, actually strengthens data subject rights across the entire ecosystem. When the law stops burning cycles on phantom hazards (routine receipts, inert pseudonymised datasets, clerical artefacts) it can concentrate supervisory and institutional capacity on the domains where asymmetric power, behavioural influence, and opaque inference genuinely threaten autonomy. This is not a dilution of protection but its redistribution toward the places where rights are most at stake. A system that distinguishes low-risk processing from high-risk manipulation equips regulators to intervene earlier, design obligations more intelligently, and preserve the GDPR&#8217;s legitimacy by aligning its machinery with lived reality. 
In that sense, SRB doesn&#8217;t shrink data protection; it clears space for it to do the job it was always meant to do.</p><p><strong>Polycentricity Enabled: The Governance Consequence of a Disciplined Boundary</strong></p><p>The systemic benefit of a disciplined boundary is that it reconfigures the governance landscape into a genuinely polycentric one. Instead of allowing the GDPR to function as an accidental regulatory monopoly, expanding by default into every gap left by definitional ambiguity, a clarified perimeter redistributes authority across the digital regulatory stack. The gravitational distortion caused by an unbounded personal data concept recedes, and with it the pathological tendency for every digital harm to be linguistically reframed as a privacy harm. In its place emerges a regulatory ecosystem in which the GDPR governs the domain it was designed for and adjacent regimes can exert their intended normative force without being pulled into orbit around data protection:</p><ul><li><p>Consumer protection law governs manipulation, dark patterns, and behavioural exploitation.</p></li><li><p>Competition law governs data-driven dominance, exclusionary conduct, and structural power.</p></li><li><p>Platform regulation (DSA) governs systemic risks in ranking, recommender systems, and intermediated speech.</p></li><li><p>Labour law governs algorithmic management, worker surveillance, and informational asymmetry.</p></li><li><p>Sectoral regimes (financial services, mobility, health, education) govern domain-specific risks.</p></li></ul><p>None of these domains requires the convenient fiction that digital harms must constantly be rerouted through the idiom of privacy. That fiction emerged only because &#8220;personal data&#8221; had swollen into a universal trigger, forcing heterogeneous problems into the narrow frame of data protection simply because no other regime could get normative traction against a concept so overextended. 
Restoring proportionality by shrinking the scope of the definition is therefore not a retreat from protection, but a rebalancing of the constitutional order of digital regulation. It reanimates the distributed governance architecture the EU has been deliberately constructing, from the DSA&#8217;s systemic-risk framework to the DMA&#8217;s competition remedies and the AI Act&#8217;s risk-tiered oversight, by ensuring that each instrument can operate on the terrain it was built to govern, rather than being suffocated by the conceptual spillover of an unlimited personal data category.</p><p><strong>Systems Efficiency and Institutional Competence</strong></p><p>From a systems perspective, SRB-aligned simplification is not a deregulatory gesture. It is a structural enhancement of regulatory capacity or an architectural correction that restores the division of labour across the digital governance ecosystem. Once the GDPR ceases to sprawl across every informational surface and no longer acts as the default venue for all digital harms, the system&#8217;s institutional roles sharpen. Each regulator can operate on the layer of the stack it is institutionally engineered to govern, rather than being forced to reinterpret privacy law to cover gaps it was never designed to fill:</p><ul><li><p>DPAs focus on genuine information rights and the risks of identifiability.</p></li><li><p>Market regulators focus on power asymmetries, data-driven advantage, and exclusionary practices.</p></li><li><p>Consumer authorities tackle deception, coercion, and behavioural exploitation.</p></li><li><p>Platform regulators address systemic risks, algorithmic curation, and societal scale effects.</p></li></ul><p>The governance system becomes more legible. The conceptual fog that once blurred the boundaries between regulatory domains begins to lift. Ambiguity contracts rather than metastasises. 
Compliance becomes more predictable because the trigger for legal intervention is no longer a matter of metaphysics but an assessment grounded in actual identifiability, meaningful risk regulation, and institutional competence. Regulators are no longer pulled into endless, low-risk, high-volume disputes that generate administrative noise without corresponding protective value. Instead, regulatory attention reaggregates around the loci where harms are structurally anchored (market power, manipulation, algorithmic opacity, workplace asymmetries, systemic risk), allowing each regime to deploy its tools with precision rather than improvisation.</p><p><strong>Re-Regulation, Not Deregulation</strong></p><p>What emerges from this recalibration is not a thinner regulatory state but a smarter one. A system in which the GDPR is no longer treated as the law of everything becomes a system better equipped to enforce only what genuinely requires intervention. This is not deregulation. It is re-regulation: redistributing burdens so that each legal instrument governs what it is structurally, normatively, and institutionally equipped to govern. A well-defined personal data category is not the enemy of data protection. It is the precondition for its survival as a meaningful and enforceable field of law.</p><p><strong>The implications of this realignment point directly toward the next step in the series. Part IV will shift from conceptual and governance analysis to system-engineering analysis, examining how SRB and the Digital Omnibus interact not simply as doctrinal adjustments but as mechanisms that reconfigure the GDPR&#8217;s operational logic. 
If Part III explains </strong><em><strong>why</strong></em><strong> a disciplined anchor is necessary for a polycentric system, Part IV will explain </strong><em><strong>how</strong></em><strong> the combination of judicial reasoning and legislative reform rewires the machinery of the GDPR itself, changing the allocation of burdens, the distribution of risk, and the practical incentives that shape behaviour across the data economy.</strong></p><div><hr></div><p><a href="#_ftnref1">[1]</a> Purtova, N. (2018). The law of everything. Broad concept of personal data and future of EU data protection law. <em>Law, Innovation and Technology</em>, <em>10</em>(1), 40-81.</p><p><a href="#_ftnref2">[2]</a> Case C-413/23 P <em>European Data Protection Supervisor v Single Resolution Board</em> EU:C:2025:645 (Judgment of the Court (First Chamber), 4 September 2025).</p><p><a href="#_ftnref3">[3]</a> Black, J. (2008). Constructing and contesting legitimacy and accountability in polycentric regulatory regimes. Regulation &amp; governance, 2(2), 137-164.</p><p><a href="#_ftnref4">[4]</a> Purtova, N., &amp; Newell, B. C. (2025). 
Against data fixation: Why &#8216;data&#8217; fails as a regulatory target for data protection law and what to do about it. <em>Oxford Journal of Legal Studies</em>, gqaf038.</p><p><a href="#_ftnref5">[5]</a> Paras 75-79, SRB v EDPS.</p><p>[6] Article 3: Amendments to Regulation (EU) 2016/679 (GDPR): Article 4 is amended as follows: (a) in point 1, the following sentences are added: &#8216;Information relating to a natural person is not necessarily personal data for every other person or entity, merely because another entity can identify that natural person. Information shall not be personal for a given entity where that entity cannot identify the natural person to whom the information relates, taking into account the means reasonably likely to be used by that entity. Such information does not become personal for that entity merely because a potential subsequent recipient has means reasonably likely to be used to identify the natural person to whom the information relates.&#8217;</p>]]></content:encoded></item><item><title><![CDATA[Beyond AdTech and Anonymisation]]></title><description><![CDATA[What is the Real Aim of Data Protection?]]></description><link>https://digidata.substack.com/p/beyond-adtech-and-anonymisation</link><guid isPermaLink="false">https://digidata.substack.com/p/beyond-adtech-and-anonymisation</guid><dc:creator><![CDATA[Dr Mark R Leiser]]></dc:creator><pubDate>Wed, 10 Dec 2025 08:07:47 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/66ffb935-b5f3-42f9-8551-42c3fbde2aa1_1799x1691.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p><em>This post continues the ongoing series that examines the conceptual and structural tensions 
exposed by the Digital Omnibus proposals and by the arguments advanced by Stalla-Bourdillon and Purtova/Newell. The previous instalment set out the need for a deeper interrogation of the assumptions that have shaped the modern understanding of personal data. This second entry turns explicitly to a systems-based perspective and argues that the controversies surrounding identifiability, anonymisation, and the proper scope of the GDPR cannot be resolved at the level of doctrine alone. They must be understood through the broader regulatory ecosystem in which data protection operates and through how seemingly technical definitions recalibrate the distribution of responsibilities across that ecosystem. A systems-centred approach is therefore essential for evaluating the trajectory of reform and for determining what a sustainable, coherent model of EU data governance should look like.</em></p><p><strong>Theoretical Foundations: Systems of Regulation and Data Fixation</strong></p><p>Any meaningful assessment of the Digital Omnibus proposals and their interaction with the SRB judgment<a href="#_edn1">[i]</a> must begin with the theoretical foundations of regulatory design. A systems perspective refuses to treat legal definitions in isolation. It examines how rules interact with technological architectures, market incentives, and organisational behaviour to determine whether regulatory aims can be achieved efficiently and coherently. This broader frame is familiar to scholars of digital regulation. 
Lawrence Lessig&#8217;s modal analysis of law, norms, architecture, and markets illustrates that regulation succeeds only when the chosen lever aligns with the causal mechanisms of behaviour.<a href="#_edn2">[ii]</a> Christopher Hood&#8217;s NATO model of nodality, authority, treasure, and organisation similarly highlights that states regulate through multiple instruments whose effectiveness depends on the appropriateness of the target at which they are aimed.<a href="#_edn3">[iii]</a> When these frameworks are brought into conversation with contemporary data protection debates, it becomes clear that definitional choices about <em>personal data</em> shape the entire regulatory ecosystem. They determine not only what the law governs but also which institutional actors gain or lose responsibility.</p><p>It is in this context that Purtova and Newell&#8217;s critique of <em>data fixation</em> resonates.<a href="#_edn4">[iv]</a> As discussed in my <a href="https://substack.com/inbox/post/181089046?utm_source=share&amp;utm_medium=android&amp;r=4k65m8&amp;triedRedirect=true">previous post</a>, their paper argues that anchoring regulatory intervention to the concept of personal data introduces imprecision by conflating two analytically distinct problems. <em>Semantic </em>problems arise where meaning is constructed around identifiable persons and therefore connect naturally to the GDPR&#8217;s core normative concerns. <em>Syntactic</em> problems arise where harm emerges from structural features of information processing, such as inference, aggregation, or modelling, irrespective of whether the underlying data can be linked back to identifiable individuals. Their central claim is that the GDPR attempts to govern both domains simultaneously through a single definitional trigger and therefore ends up mismatched to the causal pathways that produce many digital harms. 
They propose shifting regulatory attention away from data categories and toward the practices and effects of processing.</p><p>This critique is compelling, but a systems analysis reveals that the SRB judgment<a href="#_edn5">[v]</a> and elements of the Omnibus reform already represent an incremental move in precisely that direction. SRB introduces contextuality into the identifiability analysis by clarifying that pseudonymised data is not personal for entities that lack the means to re-identify, either because re-identification is prohibited by law or because it is impossible in practice.<a href="#_edn6">[vi]</a> This relational model directly counters the over-inclusiveness that Purtova warned against, where the definitional expansion of personal data created what she described as a law of everything.<a href="#_edn7">[vii]</a> Under SRB, identifiability turns on actual organisational position, access, and capacity, rather than speculative possibilities external to the actor. This reduces the strain on regulators, aligns the legal test with real-world incentives, and prevents the system from becoming unmanageably broad.</p><p>Stalla-Bourdillon cautions that codifying <em>SRB</em> within the Omnibus risks creating a d&#233;j&#224; vu effect by weakening thresholds and neglecting state-of-the-art controls, such as motivated intruder testing.<a href="#_edn8">[viii]</a> Yet this critique overstates the rigidity of the legislative architecture. The Omnibus introduces new mechanisms for adaptability, including implementing acts under Article 41a, which allow the Commission to integrate evolving methodologies and empirical evidence into technical standards. From a systems perspective, this dynamic capacity is essential. 
It enables the regime to absorb innovations in anonymisation, threat modelling, and statistical disclosure control without becoming ossified or doctrinally brittle.</p><p>Empirical evidence emerging in the post-SRB landscape already shows that contextual identifiability reduces unnecessary compliance burdens for low-risk processing, such as public consultations and non-sensitive administrative exchanges, while preserving transparency and accountability where they are needed.<a href="#_edn9">[ix]</a> The Omnibus extends this rationalisation by excluding incidental special category data encountered in AI training when that data is not being used to make decisions about individuals. This addresses under-inclusiveness in syntactic scenarios like synthetic data production or bulk ingestion, where subjects are not meaningfully implicated, yet compliance obligations remain disproportionately heavy. The result aligns with Purtova and Newell&#8217;s semantic and syntactic divide. It shifts regulatory attention away from blanket assumptions about data types and toward the practices that actually generate risk, thereby improving the coherence and precision of data governance.</p><p>A more precise and more disciplined trigger for when the GDPR applies reshapes the system in ways that extend far beyond definitional housekeeping. By grounding identifiability in the real capacities and constraints of specific actors rather than in abstract hypotheticals, the law aligns its scope with the causal structures that actually produce risk. This stabilises expectations for controllers and regulators alike, reduces noise in enforcement priorities, and prevents the GDPR from being stretched across domains it was never designed to govern. At the same time, embedding adaptive mechanisms into the definitional architecture ensures that the system can evolve with emerging technologies and threat models without losing internal coherence. 
What emerges is a regime that can focus its normative force where personal implications truly arise, while allowing other parts of the regulatory ecosystem to govern the broader range of digital practices that do not hinge on identifiability.</p><p>Therefore, the reforms do not abandon the data anchor. They refine it. They operationalise contextuality. They incorporate systems adaptability into definitional architecture. In practical terms, this means the GDPR&#8217;s trigger becomes more tightly coupled to the real-world conditions under which identifiability emerges, rather than to hypothetical or universalised assumptions about what data might mean in abstract. A contextual and adaptive anchor enables the law to distinguish between processing that implicates people and processing that merely passes through information structures without personal consequence. It also ensures that the GDPR can absorb future technical developments through mechanisms that update interpretive standards without reopening the statute each time. In this configuration, the <em>data anchor</em> becomes not a rigid boundary but a calibrated regulatory hinge that opens or closes depending on the risks presented in a given setting. This is what allows the regime to move toward a more functional, practice-oriented model while preserving the conceptual core that makes data protection coherent: the commitment to regulate meaningfully personal information wherever it genuinely connects to the individual.</p><p>The systems analysis outlined above reframes the role of personal data within a broader regulatory ecosystem and reveals how SRB-aligned contextuality stabilises the definitional trigger on which the GDPR depends. Yet nowhere are the stakes of this recalibration more visible than in the AdTech ecosystem, which has long functioned as the gravitational centre of debates about identifiability, pseudonymisation, and the limits of anonymisation. 
AdTech is frequently treated as the acid test for any proposed reform, and it is often invoked as the reason the definition of personal data must remain as expansive as possible. The following section turns directly to this terrain, examining whether AdTech truly requires an unbounded personal data concept or whether a systems-grounded SRB approach can provide stronger, more targeted protection without perpetuating the dysfunctions of the law of everything.</p><p><strong>Beyond AdTech and Anonymisation: What is the Real Aim of Data Protection</strong></p><p>A systems-centred reading of EU data protection reveals something that tends to disappear in doctrinal debates about identifiability and anonymisation. The GDPR was never designed to be a general law of digital <em>conduct</em>. It was intended as a structural safeguard for a specific category of activity, namely the <em>processing of information that relates to an identified or an identifiable natural person.<a href="#_edn10">[x]</a></em> That is the terrain in which its principles, its rights, and its institutional machinery make sense. What has happened in the intervening years is that interpretive expansion, driven by a combination of CJEU jurisprudence<a href="#_edn11">[xi]</a> and academic insistence that anything that is conceivably linked to a person is personal data<a href="#_edn12">[xii]</a>, has pushed the GDPR far beyond the functional perimeter for which it was designed.</p><p>Stalla-Bourdillon, Purtova, and Newell all recognise that the landscape is dysfunctional, but they narrate the symptoms rather than the underlying systemic failure. Stalla-Bourdillon worries that a narrow definition will limit the law&#8217;s reach in contexts such as AdTech, where identification is technically obscured, but profiling harm is real. Purtova and Newell diagnose a different pathology, namely that the GDPR has swollen into a regime so conceptually inflated that it cannot meaningfully target digital harms. 
Both perspectives assume that the broadness of the personal data definition is a virtue. Both assume that the Commission&#8217;s simplification risks undoing the GDPR&#8217;s protective fabric. Yet both positions falter when examined through a systems lens.</p><p>The central problem is not that the definition of personal data has become capacious. It is that the definition became conceptually unbounded. Recital 26&#8217;s open-textured reference to &#8220;all means reasonably likely to be used&#8221; evolved into an interpretive invitation to imagine increasingly remote identification scenarios. The outcome was a drift toward a quasi-metaphysical conception of personal data, in which the analytical question became not &#8220;is this data meaningfully about a person in this context&#8221; but &#8220;could someone somewhere with unknown auxiliary information and unspecified motivation treat this as linkable to a person&#8221;. That approach may satisfy academic exercises in hypotheticals, but it does not produce a stable or workable regulatory system. It produces precisely what Purtova calls the &#8220;law of everything&#8221;.<a href="#_edn13">[xiii]</a> It produces a regime that, in theory, must regulate every byte of information that traverses a modern computing environment. No legal system can survive that burden without collapsing into incoherence or shallow proceduralism.</p><p>This is where the <em>SRB</em> judgment becomes transformative.<a href="#_edn14">[xiv]</a> The Court did not dismantle the GDPR&#8217;s protective architecture. It reanchored it. <em>SRB</em> clarifies that identifiability must be understood in relation to the specific actor and in light of the means that are reasonably likely to be used by that actor in the concrete circumstances of processing.<a href="#_edn15">[xv]</a> This is not a deregulatory gesture. It is a return to functionalism. It restores the relational character of personal data. 
It ensures that the concept tracks actual capacity, intention, and context, rather than theoretical possibility.</p><p>Appropriately understood, an <em>SRB</em>-aligned definition does not weaken protection in AdTech or similar environments. That is because some of the relevant actors in those ecosystems, the ones who are capable of targeting individuals and who are capable of causing harm to individuals, do in fact possess the means, incentives, and business models that render reidentification both technically feasible and commercially routine. The <em>SRB</em> framework requires that identifiability be assessed honestly rather than abstractly. It prevents actors from disclaiming identifiability where their organisational structure, data assets, or technical tools plainly contradict such claims. Far from opening loopholes, <em>SRB</em> closes the gap between legal doctrine and empirical reality.</p><p>Where <em>SRB</em> makes a decisive systemic contribution is in removing the conceptual fog that previously forced the GDPR to behave as a universal regulatory solvent. Once personal data is tied to actual identifiability in context, the GDPR returns to its proper constitutional domain. It ceases to absorb every conceivable informational activity. It ceases to stand in as the <em>de facto</em> law governing algorithmic accountability<a href="#_edn16">[xvi]</a>, competition harms<a href="#_edn17">[xvii]</a>, consumer deception<a href="#_edn18">[xviii]</a>, platform power<a href="#_edn19">[xix]</a>, workplace surveillance<a href="#_edn20">[xx]</a>, and every other digitally mediated phenomenon that scholars previously attempted to squeeze through the frame of &#8220;personal data&#8221;.</p><p>What this reveals, once you step back from doctrinal skirmishes, is that the real cost of the old, inflated definition was not merely analytical confusion but a kind of regulatory imperialism. 
By treating almost every digitally mediated harm as a problem of personal data, the system quietly recoded structural questions about algorithmic accountability into GDPR disputes about lawful bases and DPIAs; it translated competition harms into arguments about data portability and consent; it reframed consumer deception as transparency and information duties; it squeezed platform power into discussions of profiling and automated decision making; it tried to domesticate workplace surveillance through notice and proportionality tests designed for quite different settings. In each case, the underlying harm migrated into the privacy vocabulary, which is elegant but poorly matched to issues such as market structure, design manipulation, systemic risk, or labour exploitation. The result was not more protection but thinner, more distorted protection, because the wrong normative toolkit was being applied to the wrong layer of the stack. <em>SRB</em>&#8217;s contextual turn breaks that spell: by insisting that the GDPR only bites where identifiability is real, it forces other regimes to step up on their own terms instead of hiding behind the language of data protection.</p><p>A simplified and disciplined definition, therefore, strengthens the system. It does not shrink the protective perimeter. It sharpens it. It frees the GDPR to perform its function with greater intensity and with greater conceptual integrity. It shifts the regulatory burden for non-identification-based harms away from a single overextended statute and toward the broader digital governance ecosystem where those harms properly belong. AdTech remains regulated where it should be regulated. But the GDPR is no longer forced to act as an all-purpose remedy simply because the concept of personal data was allowed to float without an anchor.</p><p><strong>The fundamental aim of data protection, when viewed through a systems lens, has never been to police every act of information processing. 
Its purpose is far more precise. It is to intervene only where data meaningfully attaches to an identifiable person and where the handling of that data creates risks that warrant legal constraint. Everything beyond that perimeter falls under other regulatory logics and institutional competencies. The SRB-aligned conception of identifiability clarifies this boundary. It rescues the GDPR from the gravitational pull of the law of everything and repositions it as a targeted, high-intensity regime for genuinely personal processing. In doing so, it recovers the coherence, proportionality, and normative force that the GDPR was intended to possess, and which it can only exercise once its scope is disciplined rather than universalised.</strong></p><div><hr></div><p><a href="#_ednref1">[i]</a> Case C-413/23 P <em>European Data Protection Supervisor v Single Resolution Board</em> EU:C:2025:645 (Judgment of the Court (First Chamber), 4 September 2025).</p><p><a href="#_ednref2">[ii]</a> Lessig, Lawrence. <em>Code and Other Laws of Cyberspace</em>. New York: Basic Books, 1999.</p><p><a href="#_ednref3">[iii]</a> Hood, Christopher. <em>The Tools of Government</em>. 
London: Macmillan, 1983.</p><p><a href="#_ednref4">[iv]</a> Nadezhda Purtova &amp; Bryce Newell (2024), <em>&#8220;Against Data Fixation: Why &#8216;Data&#8217; Fails as a Regulatory Target for Data Protection Law and What to Do About It,&#8221;</em> discussion draft (27 June 2024).</p><p><a href="#_ednref5">[v]</a> <a href="https://curia.europa.eu/juris/documents.jsf?num=C-413/23%20P">https://curia.europa.eu/juris/documents.jsf?num=C-413/23%20P</a></p><p><a href="#_ednref7">[vii]</a> Purtova, The Law of Everything (2018): https://www.tandfonline.com/doi/full/10.1080/17579961.2018.1452176</p><p><a href="#_ednref8">[viii]</a> Sophie Stalla-Bourdillon (2025), <em>&#8220;D&#233;j&#224; vu in data protection law: the risks of rewriting what counts as personal data,&#8221;</em> Privacy &amp; Data Protection 26(2), 9&#8211;13.</p><p><a href="#_ednref9">[ix]</a> European Law Institute, <em>Towards a Targeted Revision of EU Data Protection Law &#8211; ELI Response to the European Commission&#8217;s Call for Evidence &#8220;Simpler, fairer and more effective &#8211; strengthening the foundations of the digital transition&#8221;</em> (14 October 2025); Unabh&#228;ngiges Landeszentrum f&#252;r Datenschutz Schleswig-Holstein, <em>42. 
T&#228;tigkeitsbericht 2024</em> (23 April 2024) 48&#8211;49 (anticipating revised anonymisation guidance and referencing <em>EDPS v SRB</em> as a key case for practice) at <a href="https://www.datenschutzzentrum.de/uploads/tb/uld-42-taetigkeitsbericht-2024.pdf">https://www.datenschutzzentrum.de/uploads/tb/uld-42-taetigkeitsbericht-2024.pdf</a></p><p><a href="#_ednref10">[x]</a> Article 4(1), GDPR.</p><p><a href="#_ednref11">[xi]</a> CJEU Case C-582/14 (<em>Breyer</em>) (criteria for identifiability); Nowak v Data Protection Commissioner (C-434/16);</p><p><a href="#_ednref12">[xii]</a> Purtova &amp; Leenes (2023), <em>&#8220;Code as personal data: Implications for data protection law and regulation of algorithms,&#8221;</em> Int&#8217;l Data Privacy Law 13(4): 245&#8211;261</p><p><a href="#_ednref13">[xiii]</a> Purtova, The Law of Everything (2018): https://www.tandfonline.com/doi/full/10.1080/17579961.2018.1452176</p><p><a href="#_ednref14">[xiv]</a> CURIA, EDPS v SRB Press Release (September 2025): https://curia.europa.eu/jcms/upload/docs/application/pdf/2025-09/cp250107en.pdf</p><p><a href="#_ednref15">[xv]</a> Paras 75-79, SRB v EDPS.</p><p><a href="#_ednref16">[xvi]</a> Busuioc M et al, &#8216;Accountable Artificial Intelligence: Holding Algorithms to Public Account&#8217; (2020) <em>Public Administration Review</em> 81(3) 601&#8211;615.</p><p><a href="#_ednref17">[xvii]</a> Interactions between EU Competition Law and Data Protection in Digital Markets: Striving for Coherence Klaudia Majcher (2024, Research Handbook on Competition and Technology)</p><p><a href="#_ednref18">[xviii]</a> Calo R, &#8216;Digital Market Manipulation&#8217; (2014) 82 <em>George Washington Law Review</em> 995; Yeung K, &#8216;Hypernudge: Big Data as Behavioural Control&#8217; (2017) 20 <em>Information, Communication &amp; Society</em> 118.</p><p><a href="#_ednref19">[xix]</a> Petit N, Big Tech and the Digital Economy: The Moligopoly Scenario (OUP 2020); Geradin D, &#8216;Platforms and 
the Abuse of Data Dominance&#8217; (2021) Journal of Competition Law &amp; Practice.</p><p><a href="#_ednref20">[xx]</a> De Stefano V, &#8216;Negotiating the Algorithm: Automation, Artificial Intelligence and Labour Protection&#8217; (2019) 40 <em>Comparative Labor Law &amp; Policy Journal</em> 471.</p>]]></content:encoded></item><item><title><![CDATA[Rethinking ‘Personal Data’ ]]></title><description><![CDATA[A Tale of Two Visions in EU Data Protection Law]]></description><link>https://digidata.substack.com/p/rethinking-personal-data</link><guid isPermaLink="false">https://digidata.substack.com/p/rethinking-personal-data</guid><dc:creator><![CDATA[Dr Mark R Leiser]]></dc:creator><pubDate>Mon, 08 Dec 2025 22:15:19 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/52198075-7a28-4112-b744-f226d6e26665_300x168.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p><em>This post is the first in a series that develops a countervailing claim: that, from a systems-of-regulation perspective, simplification may actually strengthen the data protection framework rather than erode it. If the excesses of the &#8220;law of everything&#8221; are pared back by a more disciplined, SRB-aligned conception of personal data, the GDPR could emerge not weakened but more coherent, more manageable, and ultimately more enforceable. The posts to come will build on this foundation, exploring how targeted recalibration can enhance the system&#8217;s overall integrity.</em></p><h1><strong>Introduction</strong></h1><p>Europe&#8217;s data protection regime stands at a crossroads. 
On 19 November 2025, the European Commission unveiled a sweeping &#8220;Digital Omnibus&#8221; package comprising two proposals: one to amend cornerstone data protection laws (including the GDPR, the ePrivacy Directive, and others), and another to revise the EU&#8217;s nascent AI Act.<a href="#_edn1">[i]</a> Marketed as a simplification drive to cut red tape<a href="#_edn2">[ii]</a> and to address Draghi&#8217;s recommendation that the EU boost innovation<a href="#_edn3">[iii]</a>, these proposals have instead ignited intense concern among privacy advocates and civil society groups. Critics warn that the changes would flout EU case law and effectively <em>gut the GDPR&#8217;s core protections.</em> The Austrian privacy NGO <em>noyb</em> magically produced a 71-page analysis comparing the Commission&#8217;s draft with existing law, flagging numerous departures from the GDPR&#8217;s logic and from CJEU jurisprudence.<a href="#_edn4">[iv]</a> Alongside Schrems&#8217; rather provocative post suggesting that if you disagree with him, you must have gone to a rubbish law school, <em>noyb</em>&#8217;s report claims that the amendments could undermine fundamental principles, thereby weakening individuals&#8217; rights and straining enforcement systems. Schrems even blasted the Omnibus as &#8220;the biggest attack on Europeans&#8217; digital rights in years&#8221;, likening the myriad tweaks to a &#8220;<em>death by a thousand cuts</em>&#8221; to privacy<a href="#_edn6">[vi]</a>.<a href="#_edn7">[vii]</a> To gauge professional sentiment, <em>noyb</em> also launched a survey to collect early feedback from data protection officers, privacy lawyers, and other experts on the implications of these reforms.<a href="#_edn8">[viii]</a></p><p>In this moment of regulatory upheaval, engaging with scholarly critiques becomes especially urgent. 
Sophie Stalla-Bourdillon&#8217;s recent article, tellingly titled <em>&#8220;D&#233;j&#224; vu in data protection law&#8221;</em><a href="#_edn9">[ix]</a>, directly addresses the Omnibus proposals and cautions that the amendments risk reviving old pitfalls. By <em>ignoring the state of the art in anonymisation and statistical disclosure control,</em> she warns, the reform could invite dangerously permissive interpretations of what counts as &#8220;personal data,&#8221; thereby eroding hard-won safeguards. Indeed, one of the Commission&#8217;s most striking moves is to narrow the very definition of personal data. According to Stalla-Bourdillon, under the proposal, whether data are &#8220;personal&#8221; would depend on what a specific entity <em>claims</em> it can reasonably do with the information.<a href="#_edn10">[x]</a> In her view, this marks a sharp departure from the current standard (which looks to whether <em>anyone</em> could identify a person) and cherry-picks a recent court ruling while ignoring many others.<a href="#_edn11">[xi]</a> Such an <em>entity-specific test</em> opens a backdoor for companies to deem data &#8220;non-personal&#8221; by technicality; a shift that, as Stalla-Bourdillon suggests, feels like d&#233;j&#224; vu to privacy experts and could significantly weaken protection in practice. Meanwhile, Nadezhda Purtova and Bryce Newell&#8217;s <em>&#8220;Against Data Fixation&#8221;<a href="#_edn12">[xii]</a></em> challenges an even deeper assumption: they argue that an obsession with &#8220;data&#8221; as the object of regulation leads to imprecision and ineffectiveness in data protection law.<a href="#_edn13">[xiii]</a> The concept of personal data drives the GDPR&#8217;s entire framework, and Purtova &amp; Newell contend that this focus stands in the way of addressing digital harms through other legal avenues. 
Their critique urges regulators to rethink the very target of regulation; a provocative stance at a time when the EU is attempting to tweak definitions and exemptions in the hope of easing compliance and fostering AI innovation.</p><p><strong>Why critical engagement now?</strong></p><p>The significance of this regulatory moment cannot be overstated. Stalla-Bourdillon&#8217;s and Purtova/Newell&#8217;s contributions offer vital lenses for scrutinising these developments. Stalla-Bourdillon&#8217;s argument underscores the danger of weakening conceptual and technical rigour in the law, reminding us that <em>how</em> we define personal data and anonymity is pivotal to preserving privacy. Purtova and Newell invite us to ask whether the Commission&#8217;s fixes are addressing the right problem at all, or simply rearranging deck chairs on a proverbial ship.</p><p>In short, a critical engagement with both positions is necessary <em>right now</em> to frame the debate: Will the Omnibus reforms fortify data protection principles in line with technological realities, or do they signal a step back, i.e., a retreat from the very principles that made the GDPR a global benchmark? My analysis of Stalla-Bourdillon&#8217;s and Purtova/Newell&#8217;s arguments aims to answer that question in light of the current regulatory crossroads. This piece marks the beginning of a broader series unpacking the deeper conceptual, legal, and regulatory tensions at stake in these reforms. Each post will tackle a different facet of the arguments raised by Stalla-Bourdillon, Purtova, and Newell, tracing their implications for the future architecture of EU data governance. 
However long the series ultimately becomes, this first instalment sets the foundation for a sustained, critical engagement with the shifting terrain of data protection law.</p><h1><strong>Competing Approaches to Defining &#8216;Personal Data&#8217;</strong></h1><p><em>What is personal data, and who decides?</em> At the heart of both articles lies this question, but Stalla-Bourdillon and Purtova/Newell approach it from opposite directions. Stalla-Bourdillon&#8217;s piece is prompted by a very concrete development that reorganises the GDPR under the banner of &#8220;simplification and competitiveness&#8221;.<a href="#_edn14">[xiv]</a> Among the changes, the Commission seeks to <strong>redefine the GDPR&#8217;s material scope</strong> by clarifying when information is (or is not) &#8220;personal data&#8221; for a given entity. In essence, the proposal would codify a <strong>relative</strong> concept of personal data:</p><blockquote><p><em>&#8220;Information ... is not personal for a given entity where that entity cannot identify the natural person to whom the information relates, taking into account the means reasonably likely to be used by that entity. Such information does not become personal for that entity merely because a potential subsequent recipient has means reasonably likely to identify the person&#8221;</em>.</p></blockquote><p>This is presented as aligned with the Court of Justice&#8217;s case law (notably the <em>EDPS v SRB</em> decision from 2023<a href="#_edn15">[xv]</a>) and aimed at reassuring data controllers that if <strong>they</strong> cannot identify individuals in a dataset, they need not treat it as personal data, even if someone else (now or later) could identify those individuals.</p><p>Stalla-Bourdillon views this development with deep scepticism. 
In her view, the Commission, driven by a <em>&#8220;pro-innovation&#8221;</em> agenda, is effectively trying to rewrite the GDPR&#8217;s most fundamental concept in a way that <em>&#8220;strikes at the very heart of data protection law&#8221;</em>. She notes a sense of <strong>d&#233;j&#224; vu</strong>: the UK&#8217;s post-Brexit attempts to trim the GDPR&#8217;s definitions (initially floated in the UK Data Protection and Digital Information Bill) foreshadowed this move. Those UK plans were ultimately dropped from the final Data Protection Act 2025, but now the EU Commission appears to be treading a similar path. By seeking to impose its own interpretation of what counts as personal data (under the guise of codifying CJEU rulings), the Commission risks undermining the coherence of the entire framework, according to Stalla-Bourdillon.</p><p>Crucially, she argues the new definition could be read in <em>&#8220;several ways, some considerably more radical than others&#8221;</em>. The most concerning interpretation would <strong>significantly narrow the GDPR&#8217;s scope</strong>, making it easier for companies to claim data is &#8220;anonymous&#8221; or &#8220;non-personal&#8221; in their hands and thus escape GDPR obligations. For example, an online advertising vendor might argue that because it only has pseudonymous user IDs and no direct names or emails, it &#8220;cannot identify&#8221; the individuals; therefore, the behavioural data it holds is not personal data at all, even though another entity (say, an ad exchange or identity broker) could re-identify those individuals by linking identifiers. Stalla-Bourdillon warns that such an approach, if endorsed, would create <strong>dangerous inconsistencies</strong>: <em>&#8220;the legal test would then fall below the threshold established by some other privacy laws&#8221;</em>, and it <em>&#8220;would become highly artificial to justify any form of restriction on international data transfers&#8221;</em>. 
In other words, if Europe lowers its bar for what counts as personal data, it not only undercuts its own high standards but may unravel mechanisms (like cross-border data transfer rules) predicated on <em>robust</em> data protection.</p><p>By contrast, Purtova and Newell come from a more theoretical angle, questioning whether using <em>&#8220;data&#8221;</em> (and specifically the personal/non-personal data dichotomy) as the trigger for regulation is wise at all. They observe that over the past decade, Europe has seen an <em>&#8220;avalanche of new &#8216;data law&#8217;&#8221;</em> &#8211; the GDPR, the Data Governance Act, the Data Act, the AI Act, the Digital Services Act, etc. These are all premised on controlling data in various ways. The GDPR, in particular, is a <em>&#8220;broad range&#8221;</em> omnibus regime that attempts to tackle myriad digital issues (from privacy to security to fairness) through rules <em>&#8220;triggered by the concept of personal data&#8221;.</em> This approach, they argue, has led to <strong>regulatory imprecision and ineffectiveness</strong>. In their words, <em>&#8220;framing digital problems as data problems&#8221;</em> is a category error: it diverts attention from the actual causes of harm and <em>&#8220;stands in the way of modernising other legal domains, such as consumer, administrative, or labour law&#8221;</em> for the digital age. By forcing all sorts of issues into the personal data mould, we risk both over-regulating trivial or non-risky activities and <strong>under-regulating</strong> serious harms that happen to fall outside the personal data net. (<em>As a point of note &#8211; this author has long argued that the GDPR should have had a structure akin to the UCPD with a banned practices list akin to Annex I of that law, so I&#8217;m kind of happy to see Purtova et al. come around to my thinking &#128521;</em>)<br><br>But again, I digress. 
</p><p>Purtova&#8217;s name is already well-known for articulating the &#8220;<strong>law of everything</strong>&#8221; critique of personal data. Back in 2018, she warned that the concept of personal data had become so broad that <em>&#8220;everything will be or will contain personal data&#8221;,</em> turning the GDPR into an almost universal regulation of the digital world. The CJEU&#8217;s expansive interpretations (i.e., treating even dynamic IP addresses, cookie strings, or license plate numbers as personal data), coupled with Recital 26&#8217;s mandate to consider <em>&#8220;all means reasonably likely&#8221;</em> to identify, mean that <em>&#8220;there is no information that by definition cannot be or become &#8216;personal data&#8217;&#8221;</em> under EU law. Indeed, Purtova&#8217;s scholarship has demonstrated how even weather measurements<a href="#_edn16">[xvi]</a> or computer code might meet the definition in context. For example, sensor data on local temperature could be personal data in a smart city if it is linked to identifiable household energy usage, and software code can be personal data if it &#8220;relates to&#8221; individuals (e.g. code that encapsulates someone&#8217;s behaviour or is used to make decisions about a person). Her 2023 work (with Ronald Leenes) argued that <em>&#8220;all software is information and so, in principle, all software may become personal data&#8221;</em> if it can be linked to an individual by content, purpose or effect.<a href="#_edn17">[xvii]</a></p><p>The <strong>overinclusive</strong> reach of &#8220;personal data&#8221; troubles Purtova and Newell not merely as a theoretical purity issue, but because it dilutes the effectiveness of data protection law. 
If literally <em>everything</em> is personal data, the GDPR&#8217;s requirements must either be applied to <strong>every digital operation</strong> (which is infeasible and would make data protection an &#8220;uneconomic exercise&#8221;), or organisations will start treating the rules as pesky formalities to be bypassed. In practice, as they note, many controllers already take a narrow, often incorrect, view of what personal data encompasses, either out of ignorance or as a strategy. They highlight phenomena like <em>&#8220;transient data processing,&#8221;</em> <em>&#8220;synthetic data,&#8221;</em> and <em>&#8220;confidentiality computing&#8221;</em> as techniques used to <strong>evade GDPR coverage</strong>. For instance, companies might claim that if they only process data in encrypted form or only for a split second without storing it, it&#8217;s not &#8220;personal data&#8221; subject to GDPR, a grey area some exploit. Similarly, labelling datasets as &#8220;anonymous&#8221; because direct identifiers are removed (while leaving unique profiles intact) is a common tactic to skirt the scope of the law. Purtova and Newell point out that the concept of personal data itself is riddled with <em>&#8220;uncertainties&#8221;</em> (terms such as &#8220;information,&#8221; &#8220;relating to,&#8221; and &#8220;identification&#8221; still lack definitive definitions from courts), which further <strong>undermines enforcement</strong>. If it&#8217;s unclear at the margins what data is in or out of scope, controllers can rationalise non-compliance, and regulators struggle to draw bright lines.</p><p>In sum, <strong>Stalla-Bourdillon</strong> champions the classic broad scope of personal data as essential to the GDPR&#8217;s protective mission, cautioning against a regulatory rollback that could create gaps. 
<strong>Purtova &amp; Newell</strong>, on the other hand, critique that very breadth as a sign of misaligned regulatory design, arguing that GDPR&#8217;s identity as a catch-all data law is both overinclusive and underinclusive &#8211; too broad in theory, yet too easily dodged or not covering collective and non-identifiable harms in practice. Next, we delve deeper into each perspective: the risks of <strong>narrowing</strong> &#8220;personal data&#8221; too far versus the dangers of <strong>expanding</strong> it to cover nearly everything.</p><h1><strong>The Risks of Narrowing vs Expanding the Notion of Personal Data</strong></h1><p>Striking the right balance in defining personal data is a classic Goldilocks problem. Define &#8220;personal data&#8221; too <strong>narrowly</strong>, and harmful data practices may fall outside the law&#8217;s scope entirely. Define it too <strong>broadly</strong>, and the law either overburdens benign data uses or becomes so stretched that it loses focus. Both articles grapple with these trade-offs, albeit from different ends.</p><p><strong>Normative and Practical Risks of Narrowing (Too Much Exclusion): </strong>Stalla-Bourdillon&#8217;s critique of the Commission&#8217;s Omnibus proposal highlights the dangers of tilting the balance toward excessive exclusion. If organisations can easily deem data <em>&#8220;not personal to us&#8221;</em> because they lack direct identifiers or claim limited means, they can escape GDPR obligations by design. This raises several concerns:</p><p><strong>Loopholes for Pseudonymisation:</strong> The GDPR currently treats pseudonymised data as still within scope (albeit subject to somewhat relaxed provisions) because pseudonyms can often be re-linked to identities. 
The Commission&#8217;s approach, however, suggests pseudonymised data might <em>&#8220;no longer be considered personal data for certain entities&#8221;</em> under certain circumstances.<a href="#_edn18">[xviii]</a> Without very stringent conditions, this could become a massive loophole. Stalla-Bourdillon notes the proposal&#8217;s <strong>silence on safeguards</strong>: it <em>&#8220;makes no explicit reference to purpose&#8221;</em> or obligations on third-party recipients. In contrast, other regimes impose strict criteria for treating data as deidentified; for example, California&#8217;s CPRA defines <em>&#8220;deidentified&#8221;</em> information as that which <em>cannot reasonably</em> be linked to a consumer <strong>and</strong> requires the business to <strong>publicly commit</strong> not to reidentify it and to bind any recipients to the same contractually.<a href="#_edn19">[xix]</a> The EU proposal, as described, would allow an entity to declare data non-personal <em>merely by looking at its own perspective</em>, regardless of what others could do. Stalla-Bourdillon argues this is <em>&#8220;hard to reconcile with a threat modelling approach&#8221;</em> that considers motivated adversaries and modern re-identification techniques. In effect, it could <strong>reward willful blindness</strong>: companies might avoid learning of any methods or auxiliary data that could identify individuals, so they can claim ignorance and treat data as exempt.</p><p><strong>Undermining Technical Standards:</strong> By de-emphasising &#8220;state-of-the-art statistical disclosure control&#8221; (the technical and organisational measures to truly anonymise data), a narrow approach might disincentivise robust anonymisation efforts. Stalla-Bourdillon contrasts the Commission&#8217;s low-bar approach with the <strong>higher standards elsewhere</strong>. 
She points to the UK Information Commissioner&#8217;s Office guidance and US privacy laws as having stronger tests for when data is deemed anonymous. For instance, under HIPAA (U.S. health privacy law), health data is only considered de-identified if either an expert applies <strong>rigorous statistical methods</strong> to certify minimal re-identification risk, or if a long list of direct identifiers is removed <em>and</em> the entity has no actual knowledge of residual identification risk. These standards acknowledge that anonymisation is <strong>hard and contextual</strong>. The Digital Omnibus draft, as summarised by Stalla-Bourdillon, seems to assume anonymisation is a simple binary state and that identity risk can be localised to each holder alone. The <em>&#8220;dangerous oversimplification&#8221;</em> she warns of is that regulators will accept superficial anonymisation claims without requiring the <em>&#8220;rigour and transparency&#8221;</em> needed to substantiate them. Indeed, she stresses that anonymisation is always a <strong>trade-off</strong>. It can protect privacy but at the cost of data utility, and its robustness should be proportionate to the sensitivity of the data and the purposes of processing. Declaring data &#8220;not personal&#8221; too readily could short-circuit this careful balancing.</p><p><strong>Enforcement and Coherence Risks:</strong> Narrowing the scope of personal data could hamper enforcement in areas such as online tracking and AdTech. These domains are where companies often argue that they do not <em>really</em> know the identities of users they track. Stalla-Bourdillon is clearly concerned that the <strong>AdTech ecosystem</strong> will seize on a relaxed definition to claim that their massive profiling databases are outside the scope of GDPR. 
Notably, she cites the recent CJEU ruling in <em>IAB Europe</em> (regarding the online advertising Transparency &amp; Consent Framework), which held that a user&#8217;s consent preference string, stored in a cookie,<em><strong> is</strong></em> personal data because it can be tied to a user via a unique identifier and used to build a profile. In other words, even opaque identifiers can become personal data when used for <em>&#8220;evaluating or predicting&#8221;</em> individuals.<a href="#_edn20">[xx]</a> If the law were narrowed, there is a risk that such data might be incorrectly deemed non-personal, allowing invasive profiling to continue unchecked under the GDPR. This bleeds into broader systemic concerns: data protection law, as it stands, provides <em>baseline rules</em> (transparency, legal basis, purpose limitation, etc.) whenever personal data is processed. Suppose large swathes of data (e.g. pseudonymised clickstream data, aggregated location trails, etc.) are declared out of scope. In that case, we might see a regulatory <strong>race to the bottom</strong>, with companies shifting practices just enough to avoid being classified as personal data and thus avoid oversight. Stalla-Bourdillon explicitly notes that endorsing the Commission&#8217;s formulation would put EU law<em> below </em>other frameworks and call into question restrictions on data exports. Her conclusion: the attempt to codify case law in this manner <em>&#8220;appears rushed&#8221;</em> and risks incoherence in pursuit of a pro-innovation agenda. In short, <em>be careful what you cut out</em> &#8211; narrowing definitions could invite exactly the kinds of problems the GDPR was meant to forestall.</p><p><strong>Normative and Practical Risks of Expanding (Overinclusive)</strong></p><p>On the flip side, Purtova and Newell illuminate the perils of an ever-expanding concept of personal data. 
An overbroad scope can be just as problematic, in their analysis, because it blurs the regulatory mission and imposes costs or complications without commensurate benefit. Some key risks of expansion include:</p><p><strong>&#8220;Law of Everything&#8221; &#8211; Loss of Focus:</strong> If virtually all information is or can be linked to a person, and thus becomes subject to the GDPR, the law risks becoming a victim of its own ambition. Purtova earlier coined the phrase &#8220;the law of everything&#8221; to describe this scenario. The danger is that when a law is seen as applying to <em>every interaction</em> or <em>every piece of data</em>, it may end up effectively <em>regulating nothing well.</em> Resources (both for regulators and for organisations) are finite. An overinclusive scope means that trivial or low-risk processing (e.g., innocuous data about weather patterns or machine performance that only tangentially relates to individuals) formally requires the same compliance steps as high-risk processing of sensitive personal data. This can breed cynicism and <strong>compliance fatigue</strong>. Organisations may go through the motions of GDPR paperwork for harmless data, while hazardous processing doesn&#8217;t get the careful, case-by-case scrutiny it warrants. Purtova and Newell note that many commentators feel the concept of personal data has grown <em>&#8220;too broad at the expense of the effectiveness and identity of data protection law.&#8221;</em> If GDPR tries to be everything, it might end up being <em>&#8220;ineffective&#8221;</em>. In other words, a jack of all trades, master of none.</p><p><strong>Opportunity Costs &#8211; Neglecting Other Legal Tools:</strong> A subtler, but important, point in <em>Against Data Fixation</em> is that the primacy of personal data in EU law may have stunted the development of other regulatory approaches. 
The authors argue that treating all &#8220;digital problems&#8221; as &#8220;data problems&#8221; has <em>&#8220;stood in the way of modernising other legal domains&#8221;</em>. For example, issues of online manipulation or discrimination could be addressed through consumer protection or anti-discrimination law; workplace surveillance matters might be better discussed in labour law; competition law might tackle abuses of data dominance. If policymakers rely on GDPR to solve everything, those domains do not get updated for the digital age. An overexpansive personal data regime can thus act as a form of regulatory overreach that paradoxically leaves gaps, because the GDPR, even if broad, is not a panacea for problems like algorithmic bias or manipulation that only partly involve personal data. The authors specifically mention that GDPR&#8217;s focus on data may not map well to <em>&#8220;modern data analytics and profiling [that] happen at the population level&#8221;,</em> where harm can occur even without identifying specific individuals; for instance, where an AI system infers traits or makes decisions affecting groups or anonymous profiles, the GDPR might not clearly apply if no individual is singled out. Yet, the impact on people can be tangible (think of credit scoring models or targeted ads that discriminate without using names). Over-reliance on personal data as the hook means these <em>&#8220;group privacy&#8221;</em> or collective harms remain underregulated &#8211; a point some scholars have raised as a weakness of the individual-centric GDPR.</p><p><strong>Practical Under-Enforcement:</strong> Purtova and Newell also observe that in practice, controllers often <em>do not</em> follow the expansive letter of the law, sometimes out of confusion, sometimes intentionally. 
If the law says everything is personal data, but a company decides, for example, that IP addresses or device identifiers are not really personal data &#8220;in context,&#8221; they might simply not apply GDPR to those. Unless regulators catch and correct that (which is difficult at scale), the overinclusive definition may exist <em>&#8220;on the books&#8221;</em> but not on the ground, leading to patchy enforcement. The authors cite reports that many organisations lack guidance on when AI-related data is personal or not, leading to inconsistent application. Furthermore, the temptation to label data as &#8220;anonymous&#8221; increases when the definition is comprehensive &#8211; giving rise to what they call <em>&#8220;undertheorized uses of information concepts in law&#8221;</em>. Purtova has characterised some debates as a <em>&#8220;false debate&#8221;</em> between anonymous vs personal data, because almost any dataset can potentially be traced back to people.<a href="#_edn21">[xxi]</a> Nonetheless, clinging to the idea that some data is <em>&#8220;not personal data, therefore no harm&#8221;</em> can be perilous; it may cause missed protections when they&#8217;re needed (the under-inclusiveness problem). In short, an overinclusive stance can prompt either <strong>overreaction</strong> (treating mundane data use as high risk) or <strong>evasion</strong> (ignoring the law due to its perceived overbreadth). Neither outcome is desirable.</p><p>In evaluating these two extremes, it&#8217;s clear there is a <strong>tension</strong>: Stalla-Bourdillon fears the erosion of data protection via narrowing, whereas Purtova/Newell fear the dilution or misapplication of data protection via overexpansion. Both perspectives agree on one thing: the way <em>&#8220;personal data&#8221;</em> is delineated is <strong>crucial</strong> to the efficacy of the regulatory system. 
The sweet spot must protect individuals&#8217; rights without either leaving loopholes or drowning everything in red tape. How to find that balance is where their prescriptions differ markedly, as you will see in my next Substack post, in their examination of the underlying assumptions each makes about data protection&#8217;s role, especially regarding AdTech and anonymisation in one case, and the very structure of regulation in the other.</p><p>The next instalment in this series, titled &#8220;<em>Beyond Adtech and Anonymisation: What&#8217;s the Real Aim of Data Protection?</em>&#8221;, will begin to outline the systems-based critique in earnest. That post will explore how a more disciplined and SRB-aligned conception of personal data can counterbalance the excesses of the so-called law of everything and ultimately produce a GDPR that is more coherent, more enforceable, and better able to fulfil its intended role. By repositioning data protection within a broader regulatory ecosystem rather than treating it as a universal solution, the series will begin to explain why simplification, properly understood, may be precisely what the system requires.</p><p></p><p><a href="#_ednref1">[i]</a> <a href="https://www.reuters.com/sustainability/boards-policy-regulation/critics-call-proposed-changes-landmark-eu-privacy-law-death-by-thousand-cuts-2025-11-10/#:~:text=EU%20antitrust%20chief%20Henna%20Virkkunen,Data%20Act%2C%20on%20November%2019">https://www.reuters.com/sustainability/boards-policy-regulation/critics-call-proposed-changes-landmark-eu-privacy-law-death-by-thousand-cuts-2025-11-10/#:~:text=EU%20antitrust%20chief%20Henna%20Virkkunen,Data%20Act%2C%20on%20November%2019</a></p><p><a href="#_ednref2">[ii]</a> <a 
href="https://commission.europa.eu/document/download/8556fc33-48a3-4a96-94e8-8ecacef1ea18_en?filename=250201_Simplification_Communication_en.pdf">https://commission.europa.eu/document/download/8556fc33-48a3-4a96-94e8-8ecacef1ea18_en?filename=250201_Simplification_Communication_en.pdf</a></p><p><a href="#_ednref3">[iii]</a> https://commission.europa.eu/topics/competitiveness/draghi-report_en </p><p><a href="#_ednref4">[iv]</a> <a href="https://noyb.eu/en/digital-omnibus-first-analysis-select-gdpr-and-eprivacy-proposals-commission">https://noyb.eu/en/digital-omnibus-first-analysis-select-gdpr-and-eprivacy-proposals-commission</a></p><p><a href="#_ednref5">[v]</a> https://www.linkedin.com/feed/update/urn:li:activity:7401709269638709248/?originTrackingId=n76LegQAh2rGT60Bh5DbDw%3D%3D </p><p><a href="#_ednref6">[vi]</a> <a href="https://iapp.org/news/a/european-commission-proposes-significant-reforms-to-gdpr-ai-act">https://iapp.org/news/a/european-commission-proposes-significant-reforms-to-gdpr-ai-act</a></p><p><a href="#_ednref7">[vii]</a> <a href="https://www.reuters.com/sustainability/boards-policy-regulation/critics-call-proposed-changes-landmark-eu-privacy-law-death-by-thousand-cuts-2025-11-10/#:~:text=,noyb%20said%20in%20a%20statement">https://www.reuters.com/sustainability/boards-policy-regulation/critics-call-proposed-changes-landmark-eu-privacy-law-death-by-thousand-cuts-2025-11-10/#:~:text=,noyb%20said%20in%20a%20statement</a></p><p><a href="#_ednref8">[viii]</a> https://survey.noyb.eu/index.php?r=survey/index&amp;sid=973679&amp;lang=en</p><p><a href="#_ednref9">[ix]</a> <a 
href="https://researchportal.vub.be/files/142369597/Deja_vu_in_data_protection_the_risks_of_rewriting_what_counts_as_personal_data_by_Sophie_Stalla-Bourdillon_Privacy_Data_Protection_Volume_26_Issue_2.pdf">https://researchportal.vub.be/files/142369597/Deja_vu_in_data_protection_the_risks_of_rewriting_what_counts_as_personal_data_by_Sophie_Stalla-Bourdillon_Privacy_Data_Protection_Volume_26_Issue_2.pdf</a></p><p><a href="#_ednref10">[x]</a> <a href="https://www.eff.org/deeplinks/2025/12/eus-new-digital-package-proposal-promises-red-tape-cuts-guts-gdpr-privacy-rights#:~:text=whether%20data%20is%20%E2%80%9Cpersonal%E2%80%9D%20depends,that%20have%20considered%20the%20issue">https://www.eff.org/deeplinks/2025/12/eus-new-digital-package-proposal-promises-red-tape-cuts-guts-gdpr-privacy-rights#:~:text=whether%20data%20is%20%E2%80%9Cpersonal%E2%80%9D%20depends,that%20have%20considered%20the%20issue</a></p><p><a href="#_ednref11">[xi]</a> <a href="https://www.eff.org/deeplinks/2025/12/eus-new-digital-package-proposal-promises-red-tape-cuts-guts-gdpr-privacy-rights#:~:text=whether%20data%20is%20%E2%80%9Cpersonal%E2%80%9D%20depends,that%20have%20considered%20the%20issue">https://www.eff.org/deeplinks/2025/12/eus-new-digital-package-proposal-promises-red-tape-cuts-guts-gdpr-privacy-rights#:~:text=whether%20data%20is%20%E2%80%9Cpersonal%E2%80%9D%20depends,that%20have%20considered%20the%20issue</a></p><p><a href="#_ednref12">[xii]</a> Purtova, N., &amp; Newell, B. (2024). Against Data Fixation: Why &#8216;Data&#8217; Fails as a Regulatory Target for Data Protection Law and What to Do About It. SSRN: ssrn.com/abstract=4878564. 
</p><p><a href="#_ednref13">[xiii]</a> <a href="https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4878564#:~:text=This%20paper%20critiques%20the%20fixation,from%20theories%20of%20regulation%20and">https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4878564#:~:text=This%20paper%20critiques%20the%20fixation,from%20theories%20of%20regulation%20and</a></p><p><a href="#_ednref14">[xiv]</a> <a href="https://www.whitecase.com/insight-alert/gdpr-under-revision-key-takeaways-from-digital-omnibus-regulation-proposal#:~:text=On%2019%20November%202025%2C%20the,1">https://www.whitecase.com/insight-alert/gdpr-under-revision-key-takeaways-from-digital-omnibus-regulation-proposal#:~:text=On%2019%20November%202025%2C%20the,1</a></p><p><a href="#_ednref15">[xv]</a> <a href="https://curia.europa.eu/juris/liste.jsf?language=en&amp;td=ALL&amp;num=T-557/20">https://curia.europa.eu/juris/liste.jsf?language=en&amp;td=ALL&amp;num=T-557/20</a></p><p><a href="#_ednref16">[xvi]</a> Purtova, The Law of Everything (2018): https://www.tandfonline.com/doi/full/10.1080/17579961.2018.1452176</p><p><a href="#_ednref17">[xvii]</a> <a href="https://academic.oup.com/idpl/article/13/4/245/7308779?login=false">https://academic.oup.com/idpl/article/13/4/245/7308779?login=false</a></p><p><a href="#_ednref18">[xviii]</a> <a href="https://www.whitecase.com/insight-alert/gdpr-under-revision-key-takeaways-from-digital-omnibus-regulation-proposal#:~:text=On%2019%20November%202025%2C%20the,1">https://www.whitecase.com/insight-alert/gdpr-under-revision-key-takeaways-from-digital-omnibus-regulation-proposal#:~:text=On%2019%20November%202025%2C%20the,1</a></p><p><a href="#_ednref19">[xix]</a> <a 
href="https://www.consumerprivacyact.com/section-1798-140-definitions/#:~:text=%E2%80%9CDeidentified%E2%80%9D%20means%20information%20that%20cannot,with%2C%20or%20be%20linked%2C">https://www.consumerprivacyact.com/section-1798-140-definitions/#:~:text=%E2%80%9CDeidentified%E2%80%9D%20means%20information%20that%20cannot,with%2C%20or%20be%20linked%2C</a></p><p><a href="#_ednref20">[xx]</a> GDPR, Recital 30</p><p><a href="#_ednref21">[xxi]</a> <a href="https://academic.oup.com/idpl/article/13/4/245/7308779">https://academic.oup.com/idpl/article/13/4/245/7308779</a></p>]]></content:encoded></item><item><title><![CDATA[Simplification ≠ Deregulation]]></title><description><![CDATA[A Leak, a Letter, and a Little Data Protection Showmanship]]></description><link>https://digidata.substack.com/p/simplification-deregulation</link><guid isPermaLink="false">https://digidata.substack.com/p/simplification-deregulation</guid><dc:creator><![CDATA[Dr Mark R Leiser]]></dc:creator><pubDate>Thu, 13 Nov 2025 11:39:10 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/b1e9193f-ad48-465a-b434-8bf0665dc345_602x220.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p><em>Max Schrems certainly knows how to stage a privacy drama. He&#8217;s done it again with the recent &#8220;leak&#8221; of the European Commission&#8217;s GDPR simplification proposals. In a now-familiar performance, Schrems denounced what he framed as a covert attempt to gut the GDPR, <a href="https://www.reddit.com/r/europrivacy/comments/1ot2jis/overview_of_leaked_internal_drafts_of_amendments/#:~:text=Max%20Schrems%20,it%27s%20pretty%20easy%20to%20find">conveniently after having the draft in his possession well before most of us</a>.</em></p><p>It is hard not to admire the performative privacy: the leak was presented as a shocking revelation, even though Schrems had already read the script. 
Yet, behind the selective framing and inevitable social media outrage lies a fundamental legal debate about scope, proportionality, and enforceability within European data protection law. The question is whether simplifying the GDPR&#8217;s definitions and structures would weaken rights or, conversely, make those rights more intelligible and enforceable in practice. <a href="https://media.licdn.com/dms/document/media/v2/D4D1FAQF_GAgi87WnYw/feedshare-document-pdf-analyzed/B4DZpy7CW4KIAc-/0/1762864672276?e=1763596800&amp;v=beta&amp;t=_zZMKBhh3jHLpVT9qkJtTT8MZwxDZklCtPyEwW9D5T8">The open letter from EDRi, ICCL, and noyb</a> (co-signed by Schrems) views any attempt to simplify the GDPR as equivalent to deregulation and a reduction of rights. I am no shill for big tech, but I do believe EDRi and its partners have misjudged this moment. As much as it pains me to criticise an organisation for which I have deep respect, their analysis misses the point. Simplification is not a synonym for surrender. It can, and should, be a tool for strengthening protection where it actually matters.</p><p><strong>Setting the Record Straight</strong></p><p>The Courts have warned about the over-expansive nature of the GDPR. Advocates General have cautioned about the absurdities it is starting to cause. <em>And let me check my notes</em> &#8211; <a href="https://ppc.land/germany-pushes-for-sweeping-data-protection-simplification-beyond-eu-proposal/">the GERMANs want simplification</a>?!? Surely something is needed. We get a bold response from the EC, and what seems like every NGO working in digital rights is screaming about deregulation.</p><p><strong>[Side note: There is a deeper problem here that extends beyond this particular proposal. The data protection field has developed a chronic imprecision about language itself. 
We have spent years explaining that </strong><em><strong>adequacy</strong></em><strong> is not the same as </strong><em><strong>equivalence</strong></em><strong>, and now we find ourselves repeating another linguistic correction: </strong><em><strong>simplification</strong></em><strong> is not the same as </strong><em><strong>deregulation</strong></em><strong>.]</strong></p><p>The European Commission&#8217;s leaked proposals are indeed bold. They suggest refining core definitions and easing certain obligations. But <strong>simplification is not the same as capitulation</strong>. Streamlining complex rules can <strong>strengthen enforcement</strong> by sharpening focus, not weakening it. The Commission&#8217;s stated aim is to <em><a href="https://www.article19.org/resources/eu-reopening-gdpr-is-a-threat-to-rights/#:~:text=Proposals%20to%20amend%20certain%20provisions,on%20staff%20headcount%20or%20turnover">&#8220;increase legal certainty and strengthen enforcement&#8221;</a></em> while helping smaller businesses with compliance. In other words, this is a tune-up of the GDPR&#8217;s engine after seven years on the road, not a strip-down of its safety features. Even the European Data Protection Supervisor (EDPS) acknowledges that reducing administrative burden is a valid goal <em><a href="https://www.edpb.europa.eu/news/news/2025/targeted-modifications-gdpr-edpb-edps-welcome-simplification-record-keeping_en#:~:text=,%E2%80%9D">&#8220;as long as this does not lower the protection of individuals&#8217; fundamental rights&#8221;</a></em>. The <em>targeted</em> nature of the changes &#8211; if done right &#8211; means <strong>core principles remain intact</strong>, contrary to the open letter&#8217;s alarmist tone.</p><p>Yet the letter assumes any change is a slippery slope to deregulation. 
It warns that once the GDPR is reopened, a flood of erosions will follow, calling simplification efforts <em><a href="https://www.article19.org/resources/eu-reopening-gdpr-is-a-threat-to-rights/#:~:text=In%20our%20experience%2C%20deregulatory%20efforts,personal%20data%20for%20AI%20training">&#8220;deregulatory efforts&#8221;</a></em> in disguise. This cynical view ignores the possibility that <strong>clarity can enhance protection</strong>. Overly expansive and fuzzy definitions have, in practice, led to confusion and uneven enforcement. Smart adjustments, far from trading away rights, could make those rights more actionable. Remember, a law that tries to cast too wide a net can end up <strong>catching very little</strong> &#8211; or entangling the wrong fish. Legal certainty matters: when everyone knows exactly what constitutes personal data or sensitive data, regulators can enforce compliance more decisively, and companies have fewer excuses to circumvent the system.</p><p>The open letter posits that <em>any</em> simplification will &#8220;lower standards&#8221; and undermine trust. But trust in the GDPR comes from both its strength <strong>and its practicality</strong>. A rulebook perceived as needlessly convoluted or misaligned with real-world technology can erode trust just as fast as a weak one. Indeed, <strong>sustainable competitiveness depends on trust and fairness &#8211; but also on laws that make sense</strong>. Europe doesn&#8217;t preserve its &#8220;digital dignity&#8221; by freezing the GDPR in amber; it does so by keeping the law effective in practice. 
Simplification, done carefully, is about <strong>making the GDPR work better</strong>, not abandoning its core values.</p><p>Before diving into specifics, let&#8217;s outline the key claims from the EDRi/ICCL/noyb letter that deserve scrutiny:</p><ul><li><p><strong>Claim 1: &#8220;Entity-relative&#8221; personal data = legalised tracking.</strong> The letter argues that changing the definition of &#8220;personal data&#8221; to be relative to each controller&#8217;s ability to identify an individual will create a loophole that allows pervasive tracking outside the GDPR&#8217;s reach.</p></li><li><p><strong>Claim 2: Clarifying &#8220;directly reveals&#8221; guts sensitive data protection.</strong> It&#8217;s alleged that restricting special category data to what is <em>directly</em> revealing of traits (like health, religion, sexuality) will erase protections for sensitive inferences about people.</p></li><li><p><strong>Claim 3: AI training exception = carte blanche exploitation.</strong> The draft&#8217;s new allowances for using personal data (even sensitive data) in AI model training are portrayed as a blank check for Big Tech to &#8220;suck up&#8221; data with impunity.</p></li><li><p><strong>Claim 4: GDPR tweaks will undermine EU competitiveness and public trust.</strong> By &#8220;lowering standards,&#8221; the letter suggests, the EU would damage its digital credibility and lose the confidence that underpins its tech sector.</p></li></ul><p>Let&#8217;s examine each in turn, and see whether these arguments hold up &#8211; or whether simplification might, in fact, coexist with strong data protection.</p><p><strong>Will an &#8220;Entity-Relative&#8221; Definition of Personal Data Legalise Tracking?</strong></p><p>This has been one of the most charged claims emerging from the simplification debate. 
The proposal would clarify that information qualifies as personal data only where the controller has means reasonably likely to identify the individual. Schrems and his colleagues describe this as a loophole that allows controllers to escape the GDPR simply by replacing names with identifiers. They warn that entire sectors will declare themselves outside scope on the basis that they cannot personally identify the individual behind a cookie or an advertising identifier. The rhetoric is dramatic, but the underlying legal picture is far more nuanced.</p><p>First, the proposal is not an untested novelty. The CJEU has already moved toward a more context-specific and controller-specific interpretation of identifiability. In <em><a href="https://curia.europa.eu/jcms/upload/docs/application/pdf/2025-09/cp250107en.pdf">EDPS v Single Resolution Board</a></em>, the Court confirmed that data are personal only where the controller has real means available to identify a person. This stands in contrast to the earlier <em><a href="https://curia.europa.eu/juris/liste.jsf?num=C-582/14">Breyer</a> </em>ruling, in which the Court held that a dynamic IP address was considered personal data to a website operator because an entirely different actor could assist in identification through legal channels. <em>Breyer </em>reflected a pre-GDPR directive era in which the scope of personal data was interpreted expansively. The SRB ruling refines this by emphasising the practical means available to the controller itself.</p><p>The recent <em><a href="https://curia.europa.eu/juris/document/document.jsf?text=&amp;docid=279492&amp;pageIndex=0&amp;doclang=DE&amp;mode=req&amp;dir=&amp;occ=first&amp;part=1&amp;cid=312775">Scania</a></em> decision reinforces this context-specific reading. The Court held that a vehicle identification number may or may not be personal data depending on whether the entity in possession of it can realistically identify the driver or owner. 
If the controller cannot connect the number to a natural person without disproportionate effort or without access to additional databases that it does not control, the number is not considered personal data in its possession. <em>Scania</em> therefore confirms that identifiability is not an abstract or universal quality. It is relational. It depends on whether the specific controller can turn the information into a reference to an identifiable person. This is precisely the logic that the Commission&#8217;s draft seeks to codify.</p><p>The <a href="https://curia.europa.eu/juris/document/document.jsf?docid=247105&amp;doclang=EN">Advocate General&#8217;s Opinion</a> (Case C&#8209;245/20) illustrates why this evolution is necessary. In paragraphs 55 to 62, he describes the increasingly absurd consequences of interpreting personal data and processing so broadly that virtually every human interaction becomes subject to the GDPR. He notes that gossiping about a neighbour in a public pub could constitute unlawful processing because it involves disclosure outside the household exemption and without a lawful basis. He warns that, under the current reading, neither the nature of the operation, nor the amount of data, nor the method of disclosure matters. Almost any activity becomes processing. The result, he argues, is a regulatory framework so broad that ordinary people unknowingly violate it, which undermines the law&#8217;s legitimacy. His assessment is clear: if the Court maintains the current conceptual overstretch, the GDPR risks becoming one of the most <em><strong>widely disregarded</strong></em> instruments in the European legal order.</p><p>Against this backdrop, the Commission&#8217;s entity-relative approach appears less like deregulation and more like a correction to doctrinal imbalance. It narrows the inquiry to whether the controller, or persons acting under its authority, genuinely possesses identification means. 
If the controller is capable of re-linking data, then the information remains personal, regardless of the label it uses. If the controller cannot identify individuals from the dataset, and no one acting on its behalf has the means to do so, the data may fall outside the scope for that controller alone. Regulators will assess these claims rigorously. A controller that can, in practice, combine data to identify a person will not escape the GDPR by asserting that it does not intend to do so.</p><p>Integrating the Advocate General&#8217;s concerns shows why this recalibration is needed. Under the current jurisprudence, even everyday data points can be transformed into sensitive information by inference. Consider the supermarket example. A supermarket that retains a receipt showing a customer bought tampons could theoretically be accused of processing health data, as one could infer that the customer is not pregnant. If taken literally, supermarkets would require explicit consent before issuing receipts. This <em>reductio ad absurdum</em> is not hypothetical. It is the inevitable endpoint of an approach that treats any possible inference as processing of special category data.</p><p>The same pattern exists in the digital environment. Facebook or Google would need to treat every like, query, and connection as special category data because their algorithms can infer protected characteristics. This would mean that the everyday use of these services requires explicit consent that has never been obtained. A law that renders most online platforms permanently unlawful in theory does not enhance protection. It creates systemic instability and regulatory paralysis.</p><p>In this context, the entity-relative proposal does not legalise tracking. It restores a clear perimeter that makes the GDPR enforceable. Controllers who can identify individuals will still be within scope. Controllers who genuinely cannot, will not. This is consistent with <em>EDPS v SRB</em>. 
It is consistent with <em>Scania</em>. It resolves the overreach identified by the Advocate General. It creates incentives for genuine pseudonymisation by giving controllers a reason to design systems that prevent identification in the first place.</p><p>Nor does this &#8220;exempt entire sectors&#8221;. Even where a controller cannot identify data subjects, the ePrivacy regime continues to apply to any access to information on a device. Consent remains required for most tracking. The Commission&#8217;s proposal to merge ePrivacy into the GDPR will retain these substantive protections while streamlining their enforcement. In addition, profiling that produces legal or similarly significant effects remains restricted under Article 22. Manipulative or discriminatory targeting remains regulated by consumer law, competition law, equality law, and the AI Act, which is now in force and whose obligations will progressively apply over the next two years.</p><p>In summary, the entity-relative definition does not weaken rights. It strengthens them by ensuring that the GDPR applies where it should apply and does not overreach where it cannot be meaningfully enforced. It preserves the legitimacy of the framework, responds to the doctrinal concerns raised by the Advocate General, aligns with recent CJEU jurisprudence, including Scania, and focuses regulatory attention on genuinely harmful processing rather than theoretical identifiability. 
Far from legalising tracking, it renders the law more coherent, more focused, and more enforceable.</p><p><strong>But first, I digress:</strong> Schrems has now doubled down with another <a href="https://www.linkedin.com/posts/max-schrems_draft-gdpr-reform-analysis-version-2-activity-7393549212103127040-iy0t?utm_source=share&amp;utm_medium=member_desktop&amp;rcm=ACoAADtDe7YBRcquj6f1pQ4sjAIaTHRS59HeJbg">LinkedIn Post</a> triumphantly claiming to have produced a legal analysis that is &#8220;ninety per cent accurate.&#8221;</p><div class="captioned-image-container"><figure><a class="image-link image2" target="_blank" href="https://substackcdn.com/image/fetch/$s_!Z8bj!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F36048cd4-f773-43f5-8f47-6cdb6eb741bb_602x220.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!Z8bj!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F36048cd4-f773-43f5-8f47-6cdb6eb741bb_602x220.png 424w, https://substackcdn.com/image/fetch/$s_!Z8bj!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F36048cd4-f773-43f5-8f47-6cdb6eb741bb_602x220.png 848w, https://substackcdn.com/image/fetch/$s_!Z8bj!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F36048cd4-f773-43f5-8f47-6cdb6eb741bb_602x220.png 1272w, https://substackcdn.com/image/fetch/$s_!Z8bj!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F36048cd4-f773-43f5-8f47-6cdb6eb741bb_602x220.png 1456w" sizes="100vw"><img 
src="https://substackcdn.com/image/fetch/$s_!Z8bj!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F36048cd4-f773-43f5-8f47-6cdb6eb741bb_602x220.png" width="602" height="220" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/36048cd4-f773-43f5-8f47-6cdb6eb741bb_602x220.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:220,&quot;width&quot;:602,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:59960,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://digidata.substack.com/i/178782490?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F36048cd4-f773-43f5-8f47-6cdb6eb741bb_602x220.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!Z8bj!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F36048cd4-f773-43f5-8f47-6cdb6eb741bb_602x220.png 424w, https://substackcdn.com/image/fetch/$s_!Z8bj!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F36048cd4-f773-43f5-8f47-6cdb6eb741bb_602x220.png 848w, https://substackcdn.com/image/fetch/$s_!Z8bj!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F36048cd4-f773-43f5-8f47-6cdb6eb741bb_602x220.png 1272w, https://substackcdn.com/image/fetch/$s_!Z8bj!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F36048cd4-f773-43f5-8f47-6cdb6eb741bb_602x220.png 1456w" sizes="100vw" 
loading="lazy"></picture><div></div></div></a></figure></div><p>[<strong>Personal note:</strong> <em>It is challenging to know which is more revealing: the statistical confidence or the underlying assumption that accuracy is self-declared. Here is hoping my own legal precision proves at least as dependable.</em>]</p><p>The suggestion that the transposition of Article 5(3) of the ePrivacy Directive into the GDPR would undermine the confidentiality of communications is not borne out by the legislative text or by the interpretative logic of Union law. The draft proposal does not repeal or dilute the existing substantive guarantees. Instead, it consolidates overlapping and partially redundant provisions into a single, internally coherent regulatory framework. The conditions governing the storage of, or access to, information on terminal equipment, including cookies, software development kits, and telemetry identifiers, would continue to be subject to the well-established principles of proportionality and necessity. These obligations would be administered within the same procedural architecture that already governs the processing of personal data under the GDPR. The scope of protection would therefore remain substantively identical, while the administrative complexity that currently hinders enforcement would be reduced.</p><p>This consolidation also ensures greater vertical coherence between the GDPR and the Digital Markets Act. The latter already provides legally precise definitions of web browsers, operating systems, and media services, concepts that the 2002 ePrivacy Directive could not have meaningfully anticipated. In this context, the proposal represents a form of legislative harmonisation that aligns data protection, market regulation, and platform accountability within a common interpretative framework. To portray this as deregulation is to mistake codification for repeal. 
The persistent weakness of the ePrivacy regime has never been its normative content, which is strong, but rather its fragmented national transposition and the resulting procedural uncertainty over the respective competences of telecommunications regulators and data protection authorities, as well as the fragmented approach to situations that do not require consent. Integrating its operative principles into the GDPR would therefore reinforce legal certainty, unify oversight, and provide a more straightforward procedural route for enforcement actions. In substantive terms, this would elevate the protection of user confidentiality by subjecting it to the GDPR&#8217;s established system of rights, duties, and remedies, including the consistency mechanism and the corrective powers of supervisory authorities. What noyb presents as erosion is, in truth, a rational and legally sound modernisation consistent with the principles of proportionality, effectiveness, and coherence that underpin the Union legal order.</p><p><strong>Inferences vs. Direct Data: Does &#8220;Directly Revealed&#8221; Mean Lost Protection?</strong></p><p>Another significant criticism in the letter is that the Commission wants to limit the definition of <strong>special category (sensitive) data</strong> to what is <em>&#8220;directly revealed&#8221;</em> by the data, thereby overturning CJEU case law that includes inferences. Special categories of data (Article 9 GDPR) include information such as racial or ethnic origin, health status, political opinions, religious beliefs, and sexual orientation. The current GDPR text states that &#8220;personal data <em>revealing</em>&#8221; those traits is sensitive. The CJEU has indeed read this broadly. 
In <em><a href="https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:62020CJ0184">OT v Vyriausioji</a></em>, the Court explicitly held that even data which <strong>only allows sensitive information to be inferred</strong> falls under the protections of Article 9. For example, publishing the name of a public official&#8217;s same-sex partner could <em>reveal</em> sexual orientation, even though that fact was an inference from the relationship. Likewise, analysis of someone&#8217;s shopping habits might reveal health issues or religious beliefs. The Court reasoned that, given the GDPR&#8217;s aim of high protection, <em>&#8220;sensitive data is not only data immediately and directly disclosing [the sensitive trait]&#8221;</em>. This broad interpretation means <strong>a massive amount of data could be considered sensitive</strong>, especially in the age of Big Data and AI. As one commentator noted, for tech giants with sophisticated analytics, <a href="https://ttlfnews.wordpress.com/2022/10/13/inferred-sensitive-data-in-the-ecj-ot-v-vyriausiojl-is-everything-sensitive-data/#:~:text=Although%20the%20case%20is%20not,information%20is%20not%20disclosed%20immediately">&#8220;most of the data processed&#8230; may [now] be sensitive&#8221;</a> because they can infer so much. If virtually any data can potentially tell something about your health, sex life, or beliefs, then under a strict reading, vast swathes of modern data processing require the higher level of protection (usually explicit consent, or very narrow exceptions).</p><p>Privacy advocates welcomed the Court&#8217;s broad interpretation as a means to close loopholes, but it also created significant uncertainty and, at times, led to conceptual overreach. 
If taken literally, a company such as Facebook or Google would have to classify much of its routine data (likes, search queries, social connections, or photographs) as sensitive information, because its algorithms could infer traits such as religion, political views, or health status. The same logic would extend far beyond the tech sector. Consider this more mundane example: a supermarket that keeps purchase receipts showing that a customer bought tampons could, in theory, be deemed to process health data, since that record allows one to infer that the individual is not pregnant. Does that mean supermarkets are engaging in prohibited processing in the absence of explicit consent? Of course not, yet that is where an unbounded definition leads. The point is not to go easy on Big Tech, but to recognise that a legal framework that turns every inference into sensitive data risks collapsing under its own breadth, making enforcement inconsistent and trivialising the very category it seeks to protect.</p><p>Enter the Commission&#8217;s proposal: <strong>clarify that only data which </strong><em><strong>directly</strong></em><strong> reveals a sensitive trait counts as a special category.</strong> For example, a medical diagnosis or lab result (which directly indicates health status) is considered sensitive; a tweet saying &#8220;I have cancer&#8221; also directly reveals health, but data from which an illness could be inferred (like frequent purchase of pain medication) would <strong>not automatically</strong> be treated as Article 9 sensitive data. The open letter criticises this approach as weakening vital protections. It gives the example that <em>&#8220;people who directly reveal they are pregnant&#8230; need this protection less than people about whom such sensitive information can only be deduced&#8221;</em>. 
In other words, those who keep their health or orientation private are more at risk (e.g., from profiling or covert discrimination) than those who openly disclose it &#8211; so the law should protect the former, not just the latter. It&#8217;s a compelling point on the surface. However, it assumes that categorising inferred data as &#8220;special category&#8221; is the only or best way to shield people from harmful profiling. There may be <strong>alternative methods to address those harms without extending Article 9 indefinitely</strong>.</p><p><strong>Firstly, the GDPR was initially drafted with a more specific understanding of sensitive data.</strong> Recital 51 of the GDPR even warns that not everything that hints at sensitive information should automatically be classified as such. It provides an example that <em>&#8220;the processing of photographs should not systematically be considered to be processing of special categories of personal data&#8221;</em>, even though a photo can reveal race or health (for instance, a wheelchair in the photo could imply a disability). Only if a photo is used as biometric data (specific technical processing) does it become sensitive. This indicates that the law&#8217;s intention was <em>nuanced</em>: context and purpose are essential. The recent CJEU stance essentially stated <em>that any</em> data can be sensitive if the tools exist to extract sensitive insights. The Commission is pushing back to establish a more precise boundary &#8211; not to suggest that inferred sensitive information should be ignored, but to treat it differently.</p><p><strong>Does &#8220;directly reveals&#8221; remove all protection from inferences?</strong> Not quite. Even if Article 9&#8217;s heightened safeguards (such as requiring explicit consent) don&#8217;t apply to inferred data, <strong>the GDPR still shields individuals from misuse of any personal data, inferred or not</strong>. 
Inferred data remains personal data, subject to fairness, transparency, purpose limitation, and security principles under Articles 5 and 6. For example, if a company profiles you as pregnant in order to decide to dismiss you, it might breach GDPR&#8217;s ban on processing that causes unfair or discriminatory outcomes, or infringe labour and equality laws. Profiling that has legal or similarly significant effects on you activates your rights under GDPR Article 22 &#8211; meaning you can challenge an automated decision based on inferred traits. Additionally, sector-specific laws (such as employment or credit law) may directly prohibit specific uses of inferred data &#8212; for instance, firing someone for pregnancy is outright illegal discrimination. <strong>In brief, the concern about covertly inferring sensitive traits to exploit individuals should be addressed directly, rather than categorising every data point as &#8220;sensitive&#8221;</strong>.</p><p>The scenario described in the letter, where an employer uses big data to infer that a woman is pregnant and then dismisses her, is clearly unlawful on multiple grounds, regardless of GDPR&#8217;s special categories. Narrowing Article 9&#8217;s scope does not suddenly make such exploitation legal. It simply means that enforcement would rely on other provisions, possibly a combination of the GDPR&#8217;s general principles and other laws, rather than the straightforward <strong>&#8220;sensitive data&#8221; rule</strong>, which was a blunt instrument.</p><p>From an enforcement perspective, treating <em>everything</em> as sensitive data could actually weaken protection. If a regulator must handle a grocery shopping record (which could imply diet and possibly health conditions) with the same strictness as a medical record, they will be spread too thin. 
By <strong>prioritising specific protection for data that is clearly sensitive by its nature</strong>, the law can ensure it gets the strict handling it deserves (e.g., requiring explicit consent, higher security, etc.). Conversely, other data that may indirectly reveal sensitive information is managed through a risk-based approach. The Commission&#8217;s proposal clarifies the definition of &#8220;data concerning health&#8221; to explicitly mean information that <em>directly</em> discloses someone&#8217;s health status, thereby avoiding overly broad interpretations seen in case law. This doesn&#8217;t mean companies can freely infer your health and do whatever they want with that knowledge. It means they might not need your <em>explicit consent</em> just because an algorithm has guessed something about you. They still owe you fair, lawful, and transparent processing under the GDPR in general.</p><p><strong>AI Training: A Blank Check for Exploitation, or a Needed Clarification?</strong></p><p>The open letter and its amplifiers (<a href="https://www.reuters.com/sustainability/boards-policy-regulation/critics-call-proposed-changes-landmark-eu-privacy-law-death-by-thousand-cuts-2025-11-10/#:~:text=,noyb%27s%20Max%20Schrems%20said">including Reuters coverage quoting Schrems</a>) have fixated on the idea that the proposals give AI companies a <em>&#8220;blank cheque to suck up Europeans&#8217; personal data&#8221;</em> for training artificial intelligence models. This imagery of <em>carte blanche</em> exploitation evokes fears of Big Tech indiscriminately scraping our data without oversight. 
Let&#8217;s analyse what the Commission draft actually suggests for <strong>AI training</strong> and whether it genuinely is an unchecked free-for-all.</p><p>According to reports on the leaked draft, the Commission would <strong>amend GDPR Article 6(1)</strong> (lawful bases) and <strong>Article 9(2)</strong> (sensitive data exceptions) to explicitly allow processing of personal data for the <em>development and operation of AI systems</em>. In practice, this means companies like Google, Meta, and OpenAI may be able to rely on <strong>legitimate interests</strong> as a legal basis for using personal data (including publicly available data) to train their models. Furthermore, the strict ban on processing sensitive data would have an exception &#8220;in order not to disproportionately hinder the development and operation of AI&#8221;, <em>taking into account the controller&#8217;s capacity to identify and remove special categories of data</em>. In plain terms: if an AI training dataset might contain some sensitive info, and it&#8217;s not feasible for the developer to perfectly filter it out, the law would not flat-out prohibit the processing &#8211; provided the developer <strong>makes efforts to minimise such data and implements safeguards</strong>.</p><p>This is a nuanced carve-out, not a blanket permission. The draft highlights principles of <strong>data minimisation and the need for safeguards</strong> when using data for AI. The text is indeed a bit vague on what safeguards (no detailed technical standards are set in the draft). However, the GDPR often relies on principles-based regulation, leaving specifics to guidelines or industry practices. Crucially, any use of legitimate interest as a basis comes with the built-in requirement of striking a <strong>balance</strong> between the controller&#8217;s interest and the individual&#8217;s rights, as well as respect for proportionality. 
Legitimate interest is <em>never</em> a &#8220;blank check&#8221; &#8211; it can be challenged by regulators and in court. The company must demonstrate that its data use is necessary and not overly intrusive. If an AI company decided to harvest, say, all European social media posts, including private ones, for training, it would struggle to argue that it does not seriously impact privacy or that users would not expect it. The <strong>letter of the law may provide a legal basis, but the spirit and oversight mechanisms of the GDPR remain in place</strong>.</p><p>The noyb analysis cynically asserts that the only protection offered is a theoretical &#8220;right to object&#8221; that won&#8217;t work in practice. Exercising the right to object to AI training uses could indeed be challenging. The average person may not be aware that their data is being used for training, let alone know how to contact OpenAI&#8217;s GDPR team. But that&#8217;s an argument for <em>better transparency and mechanisms</em> (perhaps a centralised opt-out registry or improvements via the AI Act&#8217;s provisions on data governance), rather than an argument never to allow AI training on personal data. As it stands, many AI developers have operated in a grey area, scraping publicly available data without a legal basis under GDPR. The Commission&#8217;s proposal could be seen as an attempt to bring <strong>clarity</strong>: to say, <em>okay, you can do this based on legitimate interest, but you must minimise data, avoid sensitive information if possible, inform people, and give them a way to object.</em> Those conditions matter. They turn a wild-west scenario into a regulated activity &#8211; one that can be supervised and, if abused, sanctioned.</p><p>Is this favouring AI developers over other data users? Schrems claims it &#8220;privileges one risky technology&#8221; (AI) over traditional databases. 
It could also be viewed as recognising that AI development is socially and economically significant, and that a balanced approach is necessary to enable it within the rule of law. Europe is simultaneously implementing the AI Act, which will specify requirements for high-risk AI systems (transparency, risk assessment, possible restrictions on specific data uses such as biometrics, etc.). The GDPR change does not stand alone; it complements a broader policy that governs AI with particular rules. In that context, allowing GDPR&#8217;s general regime to cover AI training under a lawful basis makes sense. You don&#8217;t want a <em>de facto</em> ban on using any personal data in AI, as that would halt much beneficial innovation (and frankly, most AI needs some personal data to operate, even if indirectly).</p><p>Importantly, <strong>&#8220;legitimate interest&#8221; is not a free pass</strong>. Data protection authorities can and will step in if companies misuse it. The Commission&#8217;s draft doesn&#8217;t eliminate the need for necessity, proportionality, or fairness. And for sensitive data: the new exception doesn&#8217;t mean &#8220;go ahead and exploit people&#8217;s health or religion for AI.&#8221; It indicates that if, for example, you&#8217;re training a language model on internet text, you&#8217;re not automatically breaking the law if some sensitive personal data is included in the training data, <strong>even if</strong> you didn&#8217;t intend it and perhaps can&#8217;t easily remove it. The draft even hints at the controller&#8217;s &#8220;capabilities&#8230; to identify and remove&#8221; sensitive data &#8211; suggesting that if you <em>can</em> detect and eliminate sensitive information, you should, and only if you cannot, is there an allowance to proceed cautiously. 
This is a far cry from &#8220;anything goes.&#8221; It aims to be <strong>practical</strong>: completely preventing sensitive data from being included in large data training sets is nearly impossible, but we can require proper diligence and safeguards rather than simply banning the activity.</p><p>Let&#8217;s also recall that GDPR already had some flexibility for research. Article 89 and its provisions for scientific/historical research allowed for certain relaxations (though AI training by private companies doesn&#8217;t neatly fit the &#8220;research&#8221; exemptions). The new rules for AI training can be seen as an evolution of that idea: enabling socially beneficial data processing under guardrails. Calling it a &#8220;blank check&#8221; is more rhetoric than reality.</p><p>So no, the proposals do not hand AI companies unchecked power. <strong>They must still comply with the core GDPR principles and any specific conditions outlined in the new provisions.</strong> Moreover, these changes will be debated by the European Parliament and Council &#8211; they&#8217;re not final by any means. We can expect added safeguards or clarifications to be inserted by lawmakers precisely to ensure this is not misused. The open letter&#8217;s scorched-earth opposition (&#8220;<a href="https://edri.org/wp-content/uploads/2025/05/Final-EDRI-letter-against-GDPR-simplification.pdf">reject any reopening of GDPR, no matter how limited&#8221;</a>) misses an opportunity to engage constructively on <em>how</em> to allow AI innovation to be done responsibly. Instead of &#8220;don&#8217;t change a comma of GDPR,&#8221; a more productive stance would be &#8220;here&#8217;s how to allow data use for AI with strong accountability.&#8221;</p><p>In summary, allowing the use of personal data for AI under legitimate interests with conditions is <strong>not</strong> an abdication of data protection; it&#8217;s an adaptation to reality. 
Europe can either clarify the rules and enforce them, or watch AI development shift to jurisdictions with looser privacy regimes. If anything, <em>not</em> addressing this issue would undermine GDPR in the long run, as companies either ignore the law (assuming it&#8217;s unworkable) or Europe falls behind in AI advancements that could be achieved in a privacy-respecting way. With clear rules, <strong>we can have both innovation and privacy</strong> &#8211; AI trained on data under careful constraints, and red lines against truly harmful uses.</p><p><strong>Competitiveness and Trust: Are GDPR Adjustments an Own Goal for Europe?</strong></p><p>The open letter issues a severe warning: that softening GDPR protections will &#8220;send a worrying message&#8221; that rights are dispensable for profit, damaging citizen trust and thus harming Europe&#8217;s competitiveness in the digital sphere. It&#8217;s a persuasive story &#8211; Europe as the moral actor risking its high ground &#8211; but it presents a false choice. It assumes that keeping GDPR exactly as it is equals high trust, and any change equals betrayal. The reality is more complicated.</p><p>First, let&#8217;s acknowledge a truth: <strong>Europe&#8217;s global reputation in digital policy is built on rights-based regulation</strong>. GDPR is often cited as a <a href="https://edri.org/wp-content/uploads/2025/05/Final-EDRI-letter-against-GDPR-simplification.pdf">gold standard around the world</a>. Undoubtedly, if the European Union were to dismantle privacy rights, it would cause serious harm to its reputation and to public confidence. Yet the proposals currently under discussion do not dismantle rights; they refine and clarify them. None of the core principles of data protection, including lawfulness, purpose limitation, data minimisation, security, and accountability, is being repealed or weakened. 
Individuals will continue to enjoy the full range of substantive rights, including the rights of access, erasure, and objection. The only modifications under consideration concern procedural matters related to how and when certain rights may be exercised, which is a separate and more technical discussion. Even the letter&#8217;s authors acknowledge that many of the current difficulties stem from inconsistent implementation and could be resolved through more effective enforcement supported by greater clarity. That term, clarity, is the operative word. Providing it is precisely what the proposed reforms seek to achieve.</p><p><strong>Clarity in law fosters </strong><em><strong>trust</strong></em><strong>.</strong> When citizens and businesses understand the rules, and those rules target meaningful risks, compliance improves, and enforcement becomes easier. Conversely, if people perceive that the law is too complex or imposes unnecessary hurdles (such as the fatigue caused by pop-up consent forms),&nbsp;<em>this</em>&nbsp;can erode trust in the regulatory system. Some might argue that GDPR&#8217;s social licence is strained by excessive bureaucracy in certain areas. For instance, requiring every small website to display an exhaustive privacy notice that few read does not necessarily enhance user trust. The proposals reportedly simplify some requirements when &#8220;the context is obvious&#8221;. Is this a reduction in protection or a sensible adjustment that actually makes &#8220;privacy info more digestible&#8221;? I believe it&#8217;s the latter. A user is more likely to trust a system that offers clear, concise privacy information when needed, rather than being overwhelmed with paperwork at every turn.</p><p><strong>On competitiveness: </strong>The letter frames it as <em>&#8220;trust, accountability</em>,<em> and fairness drive innovation, not lower standards&#8221;</em>. Absolutely, a race to the bottom is not the way for Europe to compete. 
But there&#8217;s a difference between lowering standards and <strong>refining standards</strong>. Keeping GDPR effective in the age of AI, big data, and global data flows <strong>is pro-competitive, as it ensures the law doesn&#8217;t become an unrealistic drag or a litigation minefield</strong>. European businesses, especially startups and SMEs, have voiced legitimate concerns about GDPR&#8217;s complexity and cost. The Commission&#8217;s own evaluation reports have noted areas where additional legal certainty or flexibility could be beneficial. By responding to these without scrapping the fundamentals, the EU actually <strong>strengthens the credibility of its regulatory model</strong>. It shows that rights-based regulation can adapt and doesn&#8217;t inherently stifle innovation.</p><p>The open letter asserts that <em>&#8220;deregulatory pressures&#8221;</em> often start small and then expand. That is a fair caution. But there&#8217;s also a counter-risk: if regulators never adjust and modernise rules, public support for those rules can wane, or worse, future policymakers might swoop in with a sledgehammer instead of a scalpel. Engaging in a calibrated reform now could <strong>prevent more extreme measures later</strong>. It&#8217;s about balance. Europe can maintain high standards while removing demonstrably low-value or outdated requirements. Not every change is a slippery slope; some are stepping stones to a more resilient framework.</p><p>Notably, even within Europe&#8217;s privacy community, there isn&#8217;t unanimous opposition to all tweaks. 
The EDPB, which represents all national DPAs, <strong>welcomed certain simplifications</strong> like raising the threshold for record-keeping obligations for small entities, noting that this <em><a href="https://www.edpb.europa.eu/news/news/2025/targeted-modifications-gdpr-edpb-edps-welcome-simplification-record-keeping_en#:~:text=,%E2%80%9D">&#8220;does not affect core principles and other obligations under the GDPR&#8221;</a></em>. In other words, <strong>you can ease administrative burdens without sacrificing fundamental rights</strong>. The sky doesn&#8217;t fall; instead, compliance can become more focused. That focus, in turn, builds trust: citizens see that enforcement energy is spent on the things that matter (such as going after major breaches, unfair profiling, and security lapses) rather than on paperwork formalities.</p><p>Now it is worth turning to the EU&#8217;s credibility on the global stage. The letter warns that any refinement of the GDPR will signal that the EU is &#8220;abandoning its standards under pressure&#8221;, offering encouragement to governments or corporations abroad who would prefer weaker rules. Yet the more compelling narrative is the opposite. What if a willingness to adjust the GDPR in light of evidence shows not fragility, but regulatory maturity? After more than five years of operation, it is entirely reasonable to examine what functions well and what creates friction.</p><p>[<strong>Side note:</strong> Much of this has been explored in my own co-edited volume, &#8220;Critical Reflections on the EU&#8217;s Data Protection Regime&#8221;, which documented precisely these structural tensions].</p><p>A further inconvenient truth sits beneath the surface. Many of the leaked changes do not originate from some Brussels attempt to appease industry. They <a href="https://ppc.land/germany-pushes-for-sweeping-data-protection-simplification-beyond-eu-proposal/">mirror positions that Germany has been advocating for years</a>. 
That alone complicates the simple story presented by the letter writers, who frame every modification as a capitulation. If a founding member state with one of the world&#8217;s toughest data protection cultures is pushing for targeted adjustments, the picture is clearly more nuanced.</p><p>Surgical revisions can, in fact, enhance confidence in the European model. They demonstrate that the EU is pragmatic rather than doctrinaire and committed to ensuring that rights protection is effective in practice rather than merely on paper. The global influence of the GDPR is already evident. California, Brazil, India, and others have drawn heavily from it. If the EU adapts its framework to address new risks, such as AI, while reducing unnecessary burdens, that evolution may also become a template.</p><p>The greater risk lies in the opposite instinct. If the EU refuses to revisit a 2016 text despite significant technological shifts, it may inadvertently encourage other jurisdictions to treat the GDPR as a relic. A framework that cannot evolve eventually becomes one that others choose not to emulate.</p><p><strong>Trust is not a fixed commodity</strong> secured only by constant laws. Instead, trust stems from people believing that the law will defend them when it matters. This requires the law to be adaptable and free from loopholes or contradictions. For example, a clear definition of personal data can strengthen trust <em>if</em> it results in more consistent enforcement. People will see the effects (such as real penalties for genuine privacy breaches) rather than just theoretical debates. Similarly, citizens concerned about AI and big technology want to see these firms regulated in meaningful ways, not merely barred from specific actions on paper while continuing to do them abroad. 
The proposed AI-related rules aim to regulate effectively (by including activities under the GDPR&#8217;s oversight via legitimate interest), rather than pretending we can halt AI data use through mere edicts. With proper communication, this strategy can <strong>sustain public trust</strong>: it reassures them that &#8220;we&#8217;re not giving in to Big Tech; we&#8217;re holding Big Tech&#8217;s practices accountable by imposing stricter legal obligations and oversight, rather than leaving them in legal limbo.&#8221;</p><p><strong>Conclusion: A Rebuttal to the Alarmism &#8211; and a Call for Rational Debate</strong></p><p>Max Schrems and his co-signatories have done significant work in the past, championing individuals&#8217; privacy against the enormous powers of corporate and governmental entities. But in this instance, their <em>sky-is-falling</em> narrative around the GDPR proposals is misplaced. Yes, vigilance is needed to ensure <strong>simplification doesn&#8217;t turn into genuine dilution</strong> of rights. Some aspects of the draft (like limiting data subject rights usage in specific contexts, or overly broad device access exceptions) do warrant careful discussion. But the notion that <em>any</em> change equals <em>&#8220;deregulation, not simplification&#8221;</em> is a disservice to the nuance required in policymaking.</p><p>Simplification can <em>support</em> regulation: more precise definitions, proportionate obligations, and modernised rules can make the GDPR <strong>more effective for everyone</strong> &#8211; data subjects, regulators, and yes, even businesses trying to comply. Enforcement is more credible when the rules are not seen as arbitrary or excessively onerous in low-risk scenarios. By rebutting the letter&#8217;s key claims, we&#8217;ve seen that:</p><ul><li><p>An entity-relative personal data definition focuses on accountability, rather than letting trackers run wild. 
It aligns with emerging CJEU logic and can incentivise privacy-enhancing techniques, such as pseudonymisation, without compromising oversight.</p></li><li><p>Restricting &#8220;sensitive data&#8221; to what is directly revealed corrects an overbreadth that could make <em>everyday data</em> suddenly &#8220;sensitive&#8221;. It doesn&#8217;t leave people helpless; it channels protections through other means and keeps special protections for truly sensitive info strong.</p></li><li><p>The AI training provisions are not a giveaway to Big Tech, but rather an acknowledgement that GDPR must explicitly govern AI uses. Legitimate interest is a regulated path, not a free pass. With safeguards, this can bring more transparency and control to AI development than the status quo, where much happens in legal grey areas.</p></li><li><p>Rather than undermining EU competitiveness and trust, thoughtful tweaks to the GDPR can <strong>enhance them</strong> by making the law more workable and future-proof. Europe isn&#8217;t abandoning its values; it&#8217;s refining how to uphold them in practice. Trust in regulation comes from seeing it deliver fundamental protections in the real world &#8211; something that clarity and enforceability will improve.</p></li></ul><p>The open letter frets that reopening GDPR would <em>&#8220;turn back the clock on hard-won rights&#8221;</em>. But rights aren&#8217;t being removed or downgraded here. No one is saying you lose the right to access your data, or that consent is no longer needed for tracking, or that data breaches can go unreported. The core <strong>safeguards of the GDPR remain firmly in place</strong>. What&#8217;s being revisited are the edges &#8211; definitions, scope details, procedural streamlining, and alignment with new laws like the Digital Services Act, Data Act, and AI Act. 
If Europe can&#8217;t even discuss these without being accused of betrayal, we risk fetishising the text of a law over its purpose.</p><p>Rather than scaremongering over &#8220;deregulation,&#8221; privacy advocates should engage constructively: by all means, critique the draft, suggest improvements (e.g., ensure &#8220;legitimate interests&#8221; for AI come with strict transparency requirements; ensure pseudonymous data isn&#8217;t misused to skirt consent for tracking by strengthening ePrivacy provisions in tandem). That would do more to actually protect people than insisting that nothing in GDPR can ever be updated.</p><p>In the end, the <strong>GDPR simplification proposals are not about making GDPR &#8220;smaller&#8221; or weaker &#8211; they&#8217;re about making it smarter</strong>. Strong data protection and clear, innovation-friendly rules are not mutually exclusive. Europe can protect fundamental rights <strong>and</strong> enable responsible digital innovation by calibrating its regulatory tools to current realities. Don&#8217;t let the loudest voices frame this as a zero-sum game. Simplification, done right, <strong>upholds regulation</strong> &#8211; it doesn&#8217;t dismantle it.</p><p>It&#8217;s time to move past the dramatic leaks and incendiary open letters. Let&#8217;s have a sober, informed debate on how to evolve the GDPR for the better. In that debate, fear-mongering should give way to facts and solutions. Privacy law isn&#8217;t served by zealotry; it&#8217;s served by <strong>practical, enforceable rules that keep pace with technology while upholding their principles</strong>. The Commission&#8217;s proposals deserve fair consideration under that light. 
Europe&#8217;s commitment to privacy is unwavering &#8211; and precisely because of that, it must be willing to fine-tune the engine, not just polish the hood ornament.</p>]]></content:encoded></item><item><title><![CDATA[Simplifying Data Protection to Save It ]]></title><description><![CDATA[Why the GDPR (and its Proponents) Needs to Grow Up]]></description><link>https://digidata.substack.com/p/simplifying-data-protection-to-save</link><guid isPermaLink="false">https://digidata.substack.com/p/simplifying-data-protection-to-save</guid><dc:creator><![CDATA[Dr Mark R Leiser]]></dc:creator><pubDate>Mon, 10 Nov 2025 14:41:06 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!OKoG!,w_256,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F921709a1-dc8a-4415-a572-3707019725c9_1080x1350.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>European data protection has reached a strange moment. The GDPR remains one of the most influential regulatory instruments in the world; yet, its daily application often feels strained. Citizens click through endless cookie banners. Regulators try to enforce rules against complex data ecosystems using concepts drafted before those ecosystems existed. Universities teach students that &#8220;personal data&#8221; encompasses a wide range of information, including smartphone telemetry, high-dimensional embeddings, and <strong>*checks notes*</strong> weather and <a href="https://academic.oup.com/idpl/article/13/4/245/7308779">code</a>. No one benefits from this confusion. It wastes time, energy, and political capital. 
It also risks undermining public trust in the very right the GDPR seeks to protect.</p><p>This is the context in which the European Commission&#8217;s leaked proposals to reform the GDPR land. The reactions split into two predictable camps. 
Some critics view this as a capitulation to corporate interests, a &#8220;watering down&#8221; of data protection that facilitates the advancement of AI and platform capitalism. Others react with a reflexive defence of the status quo: any change appears as a threat to fundamental rights. Both positions flatten a complex problem. Both risk speaking past the core issue: <em>clarity enables protection</em>. Vagueness does not.</p><p>The GDPR is not a sacred text. It is the law. Laws require interpretation, operationalisation, and, crucially, application. If a legal definition becomes so broad that it captures almost everything, the definition stops doing work. When we treat all data as personal data, we dilute the meaning of personal data. When regulators and courts must treat training embeddings, synthetically generated representations, hashed identifiers, or intermediate model weights as &#8220;personal data&#8221; simply because some hypothetical actor could, in theory, re-identify them, we lose the ability to focus on the harms that actually matter: surveillance, manipulation, discriminatory inference, exclusion, profiling, and coercive design.</p><p>The proposal to make the definition of &#8220;personal data&#8221; entity-relative (identifiability requires assessment from the perspective of the specific controller and the means reasonably available to that controller) seeks to restore a sense of proportion. This is not a reduction of protection. It is a restoration of intelligibility. Current CJEU jurisprudence requires an assessment of identifiability using means likely to be used by controllers <em>or other persons</em>, which has resulted in some overreach. If any imaginable actor anywhere in the ecosystem can re-identify data, then everything becomes personal data. The proposed wording clarifies that responsibility follows capability. 
A controller can only be responsible for identification acts within their reach.</p><p>Critics argue that this invites opportunistic blindness. A controller might &#8220;pretend&#8221; that they lack means that they in fact possess via partners or subsidiaries. This risk deserves scrutiny. Yet the solution is not to maintain an unworkably expansive definition. The solution is to embed duties of <em>reasonable inquiry, capability assessment, and accountability for wilful ignorance.</em> Simplification need not mean naivety. It can mean sharper enforcement tools targeted at controllers who strategically fragment their processing capabilities to avoid legal obligations.</p><p>The same logic applies to special category data. The leaked text proposes that protected categories be limited to data that directly reveals the protected trait. Organisations processing proxy indicators (such as purchase patterns, location histories, and social graph data) may argue that indirect inference no longer counts. Critics warn that this would collapse protection for inference-based discrimination. The principle behind the concern is legitimate. The inference layer drives some of the most harmful uses of data today. Yet, the proposed change, if read carefully, does not necessitate deregulation. It demands that the law distinguish between <em>data that inherently describe a protected trait</em> and <em>analyses or profiling that infer such traits from unrelated signals.</em></p><p>Those are distinct phenomena requiring distinct regulatory responses. The first is about information as such. The second is about <em>what organisations do</em> with the information. The second falls squarely under purpose limitation, fairness obligations, and the anti-manipulation principles that follow from Article 8 of the Charter. Regulation of inference does not require treating every underlying data point as a &#8220;special category&#8221;. It requires regulating the act of inference itself. 
Simplification enables that distinction. We stop fighting the data and start regulating the logic.</p><p>The leaked proposals on AI training show a similar structural move. They introduce tolerances for residual special category data in training corpora under strict conditions of avoidance, removal where feasible, and robust containment where removal requires disproportionate effort. This acknowledges that large-scale model training does not always allow perfect ex ante filtering of data. The proposal does not sanction free-for-all ingestion of sensitive data. It requires organisational and technical safeguards that prevent models from producing outputs that expose, reconstruct, or weaponise those attributes. It shifts the focus to outcome-level harm: what does the system reveal, infer, extract, or act upon?</p><p>This is where the argument often becomes emotional. Some react as if any tolerance for residual special category data represents a betrayal of the GDPR&#8217;s values. Yet law cannot operate on magical thinking. The alternative to proportionate tolerance is either </p><ol><li><p>Total bans that collapse innovation in Europe, or </p></li><li><p>Regulatory fictions in which everyone knows the rules cannot be followed, so enforcement becomes arbitrary. </p></li></ol><p>Neither outcome protects rights. A world in which <em>only U.S. or Chinese firms</em> can train models at scale is a world in which European citizens lose both the benefits of innovation and regulatory leverage.</p><p>Simplification also plays a role in resolving the &#8220;cookie banner hell&#8221; that every European user encounters on a daily basis. The leaked proposal to unify cookie/ePrivacy consent into browser-level machine-readable preference signals offers a clean regulatory logic. If a user sets a global preference (i.e., not being tracked for advertising across services), that preference should follow them. A banner becomes unnecessary. 
Consent becomes meaningful because it is&nbsp;<em>expressed once</em>&nbsp;and respected everywhere. Enforcement becomes automatic because refusal becomes a protocol-level action.</p><p>For the privacy community, this is the moment to recall why the GDPR exists. It exists to secure the conditions under which people can exercise their autonomy, dignity, and democratic agency within digital environments. It does not exist to punish businesses. It does not exist to impose ritualised compliance. It does not exist to generate paperwork. The Charter recognises the fundamental right to conduct a business. Regulation must enable a functioning market for privacy-preserving design, not smother it.</p><p>Clarity empowers regulators. If the scope of personal data becomes proportionate and intelligible, enforcement can focus on practices that <em>actually harm people</em>. Dark patterns that coerce consent. Manipulative recommendation architectures. Profiling schemes that assign risk or worth based on opaque behavioural scoring. AI systems that infer vulnerabilities to exploit them. These are not hypothetical harms. These are live issues in advertising, gaming, political micro-targeting, recruitment, insurance, and platform governance. Narrowing definitions helps target them. It does not weaken the framework. It strengthens it.</p><p>The same applies to business. Compliance becomes clearer. Organisations can structure their data governance with confidence. Innovation ecosystems thrive when rules are predictable and consistent. If European firms must litigate basic definitional questions every time they attempt to build, deploy, or audit a model, they will build elsewhere. If the GDPR evolves to match contemporary architectures and workflows, innovation can occur within European jurisdiction, under European oversight, and subject to European accountability norms.</p><p>We often forget that complexity itself can function as a deregulatory force. 
When a rule becomes so complex that no ordinary actor can follow it, enforcement becomes discretionary. Power accrues to the sophisticated, the well-resourced, and the well-advised. Small organisations drown. Public institutions fall behind. Citizens give up on the idea that law can protect them. Simplification is not surrender. Simplification is a redistribution of power, away from those who navigate complexity best, and towards those who need explicit guarantees.</p><p>The GDPR succeeded globally because it articulated a principled vision of data governance anchored in autonomy, fairness, and accountability. For that vision to endure, the framework must adapt to the realities of the systems now shaping lived experience. Models do not &#8220;process personal data&#8221; in the same sense that a CRM system does. The architecture of inference has changed. The logic of digital surveillance has shifted from data collection to behavioural prediction. If the law attempts to cling to outdated conceptual categories, it will fail to regulate the things that truly matter.</p><p>This is not a call for deregulation. It is a call for maturity. European data protection needs to improve at distinguishing between&nbsp;<em>data</em>,&nbsp;<em>use</em>, and&nbsp;<em>impact</em>. We must regulate harms, not metaphors. We must preserve rights, not rituals. We must ensure that the law remains legible, enforceable, and aligned with democratic values in a technological landscape characterised by machine learning inference, platform ecosystems, and ambient computation.</p><p>Simplification is not the enemy of data protection. It may be the only way to save it.</p>]]></content:encoded></item></channel></rss>