EU Council Rejects Changes to GDPR 'Personal Data' Definition in Leaked Digital Omnibus Draft

In a significant pivot for European digital policy, a leaked compromise text from the Council of the European Union suggests that member states are moving to block proposed changes to the definition of "personal data" under the General Data Protection Regulation (GDPR). The document, dated February 20, 2026, and circulated by the Cypriot presidency, indicates a firm preference for maintaining the status quo over the European Commission’s more expansive—and controversial—revisions.

The draft, which surfaced just ahead of high-level diplomatic meetings in Brussels, marks a critical juncture for the so-called "Digital Omnibus." This legislative package was intended to streamline the EU’s digital rulebook and adapt it for the era of advanced artificial intelligence and ubiquitous edge computing. However, the decision to strip out the revised definition of personal data suggests that member states are wary of reopening the "Pandora’s Box" of fundamental privacy definitions.

The Stability of the Status Quo

For nearly a decade, the definition of personal data has served as the bedrock of European privacy law. Under the current GDPR, personal data is defined as any information relating to an identified or identifiable natural person. The European Commission’s original proposal for the Digital Omnibus sought to refine this, potentially broadening the scope to include more nuanced categories of metadata and behavioral identifiers that are increasingly generated by AI systems.

The Council’s decision to eliminate these revisions reflects a "safety first" approach. By sticking to the existing text, member states avoid the massive legal uncertainty that a new definition would trigger. For businesses, a change in the definition would have meant re-evaluating every database, every consent form, and every data processing agreement currently in place. The Council appears to have prioritized regulatory stability over the Commission’s desire for technical precision.

Why the Definition Matters

To understand why this move is so significant, one can think of the definition of personal data as the "jurisdictional hook" of the GDPR. If a piece of information falls within that definition, the full weight of EU privacy law applies. If it falls outside, the data can be moved, sold, or analyzed with far fewer restrictions.

Critics of the proposed expansion argued that a broader definition would have inadvertently captured "anonymized" data that is currently used for medical research and infrastructure planning. On the other hand, privacy advocates worry that by keeping the old definition, the EU is failing to address the "re-identification" risks posed by modern machine learning, where seemingly anonymous data points can be stitched together to unmask an individual.

The Cypriot Presidency’s Balancing Act

Cyprus, currently holding the rotating presidency of the Council, has the unenviable task of finding a middle ground between twenty-seven member states with diverging digital priorities. The leaked compromise text suggests that the Cypriot team is focusing on "procedural harmony" rather than "definitional overhaul."

By removing the contentious personal data revisions, the presidency is likely trying to clear the path for the rest of the Digital Omnibus. This package includes vital updates on cross-border enforcement and cooperation between National Data Protection Authorities (DPAs). If the definition of personal data remained on the table, it could have stalled the entire legislative process for years.

Implications for the Tech Industry

For the tech sector, this leak is largely being viewed as a reprieve. The industry has long argued that the GDPR is already complex enough to navigate. A shifting definition of its most fundamental term would have created a "compliance moving target."

What Happens Next?

The draft was reportedly discussed by member state diplomats on February 27. If the Council maintains this position, the next stage will be the "trilogue" negotiations between the Council, the European Parliament, and the European Commission. The Parliament has historically been more protective of data subject rights and may fight to reintroduce some of the broader protections the Commission originally envisioned.

However, the Council’s unified front on this issue sends a strong signal: Europe’s national governments are not currently in the mood for a radical redesign of privacy fundamentals. They want the rules to work better, not necessarily to be wider.

Practical Takeaways for Organizations

While the definition of personal data may stay the same, the enforcement landscape is still shifting. Here is what organizations should focus on as the Digital Omnibus moves forward:

• Audit Your Data Mapping: Even if the definition doesn't change, the interpretation by courts (like the CJEU) continues to evolve. Ensure your data inventory is up to date.
• Focus on Procedural Compliance: The Digital Omnibus is likely to introduce stricter timelines for responding to DPA inquiries. Review your internal reporting workflows.
• Monitor the Trilogue: The final text isn't set in stone. Keep a close eye on the European Parliament’s response to this Council draft over the coming months.
• Invest in Anonymization: Regardless of the legal definition, the best way to reduce risk is to ensure that data is truly anonymized using state-of-the-art techniques that resist re-identification.

Sources

• European Council: Council of the European Union Overview
• Euractiv: Digital & Media Policy Reports
• Politico Europe: Tech and Data Protection Coverage
• European Commission: GDPR Procedural Rules and Digital Omnibus Documentation
• Official Journal of the European Union: GDPR Text and Definitions