- in United Kingdom
- within Finance and Banking and Intellectual Property topic(s)
Personal data regulation is a familiar constraint. Both EU and non-EU companies struggle to comply with the General Data Protection Regulation (GDPR), which applies whenever data can be linked to an identifiable individual. From internal governance procedures to privacy policies and data processing agreements, the path to compliance is cumbersome and complex, even when planned in advance.
One of the main techniques used to manage this risk is pseudonymization: replacing direct identifiers (such as names or identification numbers) with artificial codes or aliases, so that data remains usable for analysis, research, and innovation while access to individual identities is deliberately restricted and segregated.
Under the current version of GDPR, however, this distinction has limited legal effect. Pseudonymized data is still treated as personal data, on the basis that re-identification is theoretically possible. Independently of pseudonymization, protecting individuals' rights through personal data privacy requires regulatory cost and operational risk in ways that many organizations experience as misaligned with how data is actually used.
A proposed legislative reform suggests that this allocation of risk may soon be adjusted. As part of the European Commission's Digital Omnibus pack, pseudonymization is being repositioned from a security measure into a factor that may influence whether certain data processing activities fall within the scope of the GDPR at all.
A Regulatory Recalibration, Not a Deregulatory Break
The European Commission presents the Digital Omnibus pack as an effort to ensure that EU digital regulation remains compatible with innovation and economic growth, while preserving its core protective aims. The focus is not on deregulation, but on refinement: simplifying requirements where risk is limited, and clarifying the boundaries of existing regimes.
Within this context, the GDPR occupies a central position. Its risk-based logic has always depended on the link between data and identifiable individuals. Yet in practice, many data-driven activities rely on information that does not require — and often should not allow — identification. AI training, digital services, and HR third-party services are some examples of activities that traditionally rely on pseudonymized data and still must comply with all GDPR obligations.
The Digital Omnibus proposal acknowledges this structural tension.
Pseudonymization as a Boundary Between Data and Identity
Pseudonymization is a data processing technique that replaces direct identifiers (such as names or identification numbers) with artificial codes or aliases. The data remains usable for analysis, research, and innovation, while access to individual identities is deliberately restricted and segregated.
Although the Court of Justice of the European Union argues that pseudonymized data may fall outside the GDPR in certain cases, GDPR is still indifferent to such reality. Pseudonymized data is still treated as personal data, on the basis that re-identification is theoretically possible, regardless of who controls the means to do so. As a result, extensive obligations continue to apply: privacy by design and by default, data protection impact assessments, detailed records of processing activities, internal policies, and ongoing compliance documentation.
This way, it does not matter if your company has the key or the technical means to reidentify pseudonymized data for the purpose of GDPR. The current understanding sponsored by the European Data Protection Supervisor is that pseudonymized data is always personal data subject to the GDPR, regardless of the person accessing it.
The proposed reform changes that logic.
The Subjective Test: Who Can Re-Identify, in Practice?
Under the Digital Omnibus proposal, pseudonymized data would no longer qualify as personal data in the hands of a controller or recipient that lacks the reasonable means to re-identify the individuals concerned.
This introduces a subjective assessment of identifiability. Applicability of the GDPR would depend not on abstract possibilities, but on whether the specific organization processing the data can realistically reconnect it to individuals, using the means it has or can reasonably access. However, this assessment won't be entirely subjective: upon approval of the Digital Omnibus pack, the European Commission will list the means and criteria to determine whether data resulting from pseudonymization no longer constitutes personal data for certain entities.
The consequence is not the disappearance of data protection obligations, but their redistribution. For many digital service providers, this means that regulatory exposure may increasingly depend on how services are designed — including whether they ever receive data in a form that allows re-identification at all. Where identity is genuinely out of reach by design, the regulatory framework follows that design choice.
In this sense, pseudonymization is no longer merely a security measure. It becomes a governance decision about where — and with whom — the power to identify should reside.
What This Means — and What It Does Not
This proposed clarification represents a meaningful shift from the current framework and addresses uncertainties that have surfaced repeatedly since the GDPR's entry into force, including in cases such as Breyer and SRB v EDPS. It provides a clearer legal anchor for data uses that depend on information, but not on identity.
At the same time, it does not eliminate responsibility. Organizations that retain re-identification capabilities, whether for operational, legal, or strategic reasons, will continue to fall within the GDPR's scope. Group structures, data-sharing arrangements, and access controls will remain decisive.
Pseudonymization, in other words, is not a way around regulation. It is a way of allocating regulatory weight in line with actual data use.
Preparing for a Different Allocation of Risk
Whether this recalibration translates into tangible relief will depend not only on legislative outcomes, but on how organizations are structured in practice. Its potential impact sits upstream of compliance: in product and service design, in data acquisition models, in internal processing arrangements, and in the role played by intermediaries and data brokers.
For organizations whose value lies in analyzing data rather than identifying individuals, and for designers of systems, processes, and data flows, this shift may materially change how regulatory risk is distributed. In that sense, the Digital Omnibus pack is not about easing obligations in the abstract; it's about clarifying where strategic choices begin to matter. Strategic preparation starts now.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
[View Source]