The battle for data is officially underway. In their first compromise on the GDPR part of the digital simplification package (see EUROPE 13785/2), the EU27 have quite simply deleted the revised definition of personal data, as amended by the European Commission in its proposal. They are also repealing the new Article 41(a) on the use of pseudonymisation of data.
By deleting the two main amendments proposed by the European Commission, the Member States are effectively burying the institution’s desire for simplification and the reopening, albeit in a targeted manner, of GDPR.
In the few additions made to the text, the EU27 have reinstated more stringent safeguards for the protection of fundamental rights and privacy, as well as strengthening specific tasks of the European Data Protection Board (EDPB).
With regard to the pseudonymisation of data, the compromise text instructs the committee “to issue guidelines, recommendations and best practices (...) on pseudonymisation, clarifying circumstances whether a natural person is identifiable and means reasonably likely to be used to identify a natural person, and specifying the means and criteria to determine whether data resulting from pseudonymisation may no longer constitute personal data for certain entities”.
This is a way of bypassing the European Commission’s legal justifications on the issue (see EUROPE 13702/24), which do not seem to have convinced the Member States.
This U-turn comes as no great surprise. Several delegations had expressed significant doubts about amending this part of the legislation, believing that such a revision would constitute a “substantial change” to GDPR (see EUROPE 13756/20).
The Cyprus Presidency of the Council of the EU were aware of the stumbling blocks that the negotiations would encounter, and therefore issued a working paper in advance in an attempt to clarify the expectations of the most reticent Member States and reassure those who were worried about a broad reopening of the regulation. It has to be said that the EU27 are remaining reluctant about this.
The current compromise removes all substance from the European Commission’s proposal and clearly renders null and void its desire to revise GDPR. What is at stake with regard to the regulation – which is seen by many as the cornerstone of the EU’s data protection framework – appears to be too high: Europe’s digital simplification project could reach its limit here.
See the compromise: https://aeur.eu/f/kur (Original version in French by Isalia Stieffatre)