If the Digital Omnibus is to reduce unnecessary friction and support the effective functioning of the digital economy, it must address the areas where the GDPR’s application no longer reflects technological and economic realities, beginning with these two: the scope of personal data, and how to approach special category data. Both are threshold questions, and read too broadly, neither delivers stronger protection. They direct finite compliance resources away from the risks that actually matter to individuals.
This report presents three recommendations:
- Codify a relative, context-dependent approach to identifiability in Article 4(1), consistent with the Court’s reasoning in EDPS v SRB. The same data can be personal for one actor and not for another.
- Anchor that threshold in law, complemented by practical guidance. Case law alone will not stabilise it.
- Align the trigger for special-category data with actual use, intent, and risk of harm, rather than the mere presence of sensitive attributes. This matters for bias mitigation, healthcare, safety, and AI.
Effective protection of individuals and responsible innovation are not competing objectives. The task is to design a framework, anchored in law and informed by supervisory guidance, that delivers both.
Download the Discussion Draft
Download NowMore like this
Key Takeaways from the CIPL Roundtable on Simplifying Europe’s Digital Framework
Find out more
