Analysis
Europe changes the definition of personal data
“Part of the message that Europe is sending to the rest of the world is that it is open to pressure from tech companies and other nations. I would say that this undermines its credibility.”
“The most obvious change” made to European regulations on privacy, data processing and artificial intelligence by the so-called “Digital Omnibus” act presented on Wednesday by the European Commission concerns “changes to the definition of personal data,” says Lukasz Olejnik, an independent technology consultant and researcher at King's College London. The definition now takes into account the “entity” that can access the data and identify the “natural person” linked to it.
In short, personal data will lose the “absoluteness” enshrined in the GDPR (General Data Protection Regulation, one of the regulatory frameworks the omnibus aims to “simplify”) and will become relative to the organization accessing it, and to the latter’s ability to trace the identity of the natural person through it.
Olejnik calls the new bill a security measure introducing both machine-readable consent signals, a “legitimate interest route for AI, limited to only residual sensitive data,” and “a new possibility to treat certain pseudonymised datasets as non-personal for specific entities.”
This means, the researcher continues, “that GDPR obligations will ‘switch on’ or ‘switch off’” depending on the actor involved in the data collection and the dataset in question, “based on what that specific actor can do to identify the individuals” linked to the collected data. “The same dataset may be considered non-personal for a small company with limited means, but become personal for a larger entity with more powerful tools. At first, it will be chaos, with the possibility that some data breaches will occur.”
The “legitimate interest for AI training” provision is the point that many see as the capitulation of European institutions to the interests of Big Tech, so as not to cut Europe off from the “digital revolution” ushered in by artificial intelligence (as Executive Vice President Valdis Dombrovskis called it at Wednesday's presentation).
Pseudonymized datasets – i.e., personal data that cannot be directly traced back to a specific user, hitherto protected at the highest level under the umbrella of absolute privacy protection – will also now be open to this “legitimate interest.”
At the presentation of the omnibus act, words such as “simplification,” “high-quality data” and “clarification” sounded much like Trojan horses meant to undermine European regulations – which, despite all their flaws, are among the few laws in the world to contain the power of Big Tech over our lives. The rhetoric of simplification, Olejnik notes, “brings real improvements regarding the cookie consent nightmare” (for which the omnibus sets out clearer communication for the user). “However, changing the definition of personal data could lead to a transfer of power to large companies, unless the safeguards are treated seriously.”
Speaking to Politico – which had published a first draft of the new European digital framework – Natali Helberger, a professor of law and digital technology, said: “Part of the message that Europe is sending to the rest of the world is that it is open to pressure from tech companies and other nations. I would say that this undermines its credibility.”
The fact that Europe – threatened by tariffs and terrified of “falling behind” the U.S. and China – had changed its tone was already evident at the Paris summit on AI earlier this year, where the discussion was no longer about safeguards, but about how to jump aboard the moving AI train. “Officially, this follows the Draghi report and numerous similar reports over the last 20 years. The agenda now prioritizes ‘not missing the AI wave’. It is certain that geopolitics and industrial pressures have also played a significant role,” concludes Olejnik.
Originally published at https://ilmanifesto.it/cambia-la-definizione-di-dati-personali on 2025-11-20