“Personal Data”: More Than a Definition, a Quasi-Constitutional Stake in EU Law in the Era of the Digital Omnibus

The definition of “private information” seems, at first look, to be a technical provision: one amongst many definitional clauses. In EU regulation, nevertheless, it performs a much more consequential function. It determines the fabric attain of Article 8 of the Constitution of Elementary Rights (CFR) and Article 16 of the Treaty on the Functioning of the European Union (TFEU), structuring the operation of the Union’s digital rights framework. For that reason, any modification to the definition (even when offered as merely clarificatory or procedural) carries constitutional significance.

This submit argues that the notion of private information has acquired a quasi-constitutional standing throughout the EU authorized order. It isn’t only a regulatory time period in secondary laws, however the authorized gateway by which a elementary proper turns into operational. Modifying it’s subsequently not an atypical legislative refinement, however a constitutional intervention.

Current discussions about revising some components of the definition, together with throughout the Fee’s Digital Omnibus initiative, carry this concern into focus. But the constitutional query precedes any particular proposal. To understand what’s at stake, we should first perceive what the definition of private information has come to symbolize.

From Regulatory Idea to Constitutional Gateway

The best to information safety was not established primarily on the EU degree as a constitutional proper. Early nationwide information safety legal guidelines within the Seventies and the Council of Europe’s Conference 108 laid essential groundwork for the 1995 Information Safety Directive (DPD), which offered the primary complete EU framework and adopted a intentionally broad definition of private information in Article 2(a): “any info regarding an recognized or identifiable pure individual.”

Nonetheless, the turning level within the definition got here in 2000. Article 8 CFR recognised the fitting to the safety of private information as an autonomous elementary proper, distinct from Article 7’s proper to personal life. Although its wording is just not specific, Article 8 CFR’s normative foundation emerges from Courtroom of Justice of the European Union (CJEU) case regulation and subsequent laws, which present it protects particular person management over private information, making the idea of private information central to this elementary proper.

The best is additional formed by the intensive EU information safety acquis, which has rendered information safety one of the crucial regulated elementary rights within the EU, reaching a level of autonomous scope hardly ever matched by different rights. On this connection, it attracts its content material from secondary laws. The hyperlink between Article 8 and prior laws is especially evident in the way it frames ‘private information.’ Relatively than offering an unbiased definition, it presupposes the idea as developed in present laws. On this approach, the Constitution’s safety displays and reinforces ideas already articulated in secondary regulation. The notion of “private information” beneath Article 8 subsequently aligns broadly with the definition established by the DPD (in Article 2(a)) and worldwide devices.

The echoes from mutual affect between main and secondary regulation don’t cease there. The requirement outlined in Article 8(3) of the CFR relating to management by unbiased authorities was influenced by the Legislation Enforcement Directive, later included into the GDPR. The identical might be stated relating to the ideas of equity, lawfulness, and function limitation, in addition to the fitting to information entry and rectification.

Initially, the Constitution’s provisions served as interpretive steering. The Treaty of Lisbon, enacted in 2009, elevated them to main regulation, granting the CFR binding impact equal to that of the Treaties. Constitutionalising the basic proper to information safety by Article 8 CFR and Article 16 TFEU, which offered the authorized basis for the GDPR, enabling the Union to maneuver past the DPD’s minimum-harmonisation mannequin.

When the GDPR was enacted, it largely retained the DPD’s definition of private information. Article 4(1) GDPR preserves the core formulation (“any info regarding an recognized or identifiable pure individual”) whereas clarifying sure components in gentle of technological developments, together with on-line identifiers and site information, which had already been encompassed in apply and affirmed by the CJEU in circumstances similar to Google Spain (C‑131/12) and Breyer (C‑582/14). In doing so, the GDPR formalised and made specific what had beforehand been implicit within the DPD, consolidating a broad and adaptable definition able to addressing evolving technological contexts.

Though the GDPR is secondary laws beneath Article 288 TFEU, its shut connection to Article 8 CFR and Article 16 TFEU provides the definition of private information a constitutional function. It serves as each the cornerstone of the scope of the basic proper to information safety and as an interpretive reference for later laws, even when such acts are on the similar degree of secondary regulation. On this approach, the definition of private information holds a structurally distinctive place. It determines the scope of a constitutional proper. With out “private information,” Article 8 has no object. The definition is just not peripheral to the fitting. It’s constitutive of it.

The CJEU has bolstered this structural function. Over twenty years, the Courtroom has constantly interpreted “private information” broadly, emphasising the necessity to guarantee efficient and full safety of elementary rights. In circumstances similar to Breyer and Nowak (C-434/16), the Courtroom handled identifiability as a contextual however expansive notion, evaluating whether or not identification in all fairness doable in gentle of all means more likely to be employed, thereby eschewing inflexible formalism in favour of a purposeful strategy.

GDPR and the Mutual Reinforcement of Main and Secondary Legislation

 A defining characteristic of the GDPR is its deep alignment with EU main regulation, understood as a “normative circle”: a structural relationship the place main and secondary regulation mutually reinforce one another, slightly than following a easy top-down hierarchy.

Within the post-Lisbon authorized panorama, Article 8 CFR and Article 16 TFEU present a constitutional mandate for information safety. The GDPR interprets these summary rights into concrete regulatory provisions. The connection is thus mutually constitutive: main regulation informs the interpretation of the GDPR, whereas the GDPR, by its detailed provisions, provides concrete expression to Constitution rights.

This reciprocal relationship is exemplified by the idea of private information: anchored in Article 8(1) CFR, it’s operationalised in Article 4(1) GDPR, whose broad, inclusive definition provides texture and specificity to elementary rights. Conversely, Article 23 GDPR explicitly hyperlinks restrictions on information topics’ rights again to Article 52(1) CFR, constraining regulatory discretion.

On this state of affairs, the GDPR may very well be understood not as an atypical legislative act however as a “quasi-constitutional” instrument throughout the EU authorized order. Right here, “quasi-constitutional” doesn’t denote formal hierarchy however purposeful supremacy, reflecting the GDPR’s function as a rights-structuring instrument whose ideas affect adjoining laws. This strategy sees it as a definite normative class, based mostly on its deep reference to Article 8 CFR and its function in giving impact to Article 16 TFEU.

Article 16 TFEU broadly framed language displays its foundational perform of encompassing all human actions that contain some type of private information processing. Therefore, the GDPR is just not merely a legislative instrument to be weighed towards others of the identical rank utilizing conventional interpretative ideas. Relatively, the GDPR could also be conceived because the normative and purposeful articulation of Articles 8 CFR and 16 TFEU, working not merely as secondary laws however as a main mechanism by which constitutional ideas are given concrete impact. This confers upon it a privileged interpretive authority, notably with respect to its core definitional provisions, even whereas it stays formally labeled as a regulation.

From this angle, when the GDPR overlaps with different legislative acts, these tensions are resolved not merely by conventional interpretative ideas reasoning. As an alternative, the GDPR is handled as quasi-constitutional standing, alongside the Treaties and the CFR, guiding the interpretation of subsequent laws to protect the normative core of the basic proper to information safety.

Why Redefinition Is Not Impartial. The Digital Omnibus as a Constitutional Take a look at Case

Legislative amendments to definitional clauses are sometimes offered as mere clarifications, aimed toward crystallising the pure evolution of an idea by jurisprudence and administrative apply. Nonetheless, when a definition shapes the scope of a constitutional proper, such “clarifications” are hardly ever impartial.

Redefining “private information” alters who falls throughout the safety of Article 8 CFR. A narrower idea may exclude sure processing actions from constitutional scrutiny altogether. It doesn’t merely alter compliance burdens. It reshapes the structure of rights.

Furthermore, codifying context-sensitive judicial reasoning into inflexible statutory language can create the phantasm of precision whereas sacrificing flexibility. Constitutional adjudication relies on open-textured ideas that permit adaptation to technological change. Freezing a specific judicial formulation into legislative textual content dangers reworking a dynamic interpretive normal right into a static rule. In constitutional programs, scope is substance. The boundary of a proper typically determines its sensible drive. The definition of private information is exactly such a contour.

 These structural concerns place latest reform initiatives in a distinct perspective. Inside the Fee’s Digital Omnibus initiative, amendments to the GDPR have been contemplated in response to perceived enforcement and interpretation challenges. The Fee Workers Working Doc accompanying the Digital Omnibus Regulation Proposal identifies persistent difficulties in guaranteeing constant utility of the GDPR throughout the Union. It emphasises “the necessity for a extra harmonised and constant interpretation” of the Regulation, with the intention of lowering fragmentation and selling uniform enforcement. Among the many areas recognized as requiring clarification is the definition of “private information,” a very disputed side of the proposal.

On this context, explicit consideration has been given to latest case regulation of the Courtroom of Justice of the European Union, notably the judgment in SRB case (C-413/23 P, 4 September 2025). The Workers Working Doc notes that stakeholders have referred to as for larger authorized certainty relating to the scope of private information in gentle of this ruling, which thought of whether or not pseudonymised information stay private when transferred to a recipient with out re-identification means. The Courtroom utilized a relative strategy, assessing identifiability based mostly on the means moderately obtainable to the recipient and the encompassing authorized and factual circumstances.

Transposing such reasoning instantly into Article 4(1) GDPR might seem, like prior to now, to reinforce readability. Nonetheless, even the place a reform doesn’t purport to redefine the core components of the notion (e.g., “info”, “regarding”, “recognized or identifiable pure individual”) the act of clarifying how these components function might subtly remodel their substance. Adjusting the interpretative parameters of the criterion of identifiability (as an example, by foregrounding the angle of a selected recipient or by narrowing the evaluation of accessible means, introducing a extra subjective strategy) might shift the sensible boundary between private and non-personal information. In doing so, it impacts not merely the applying of the definition, however its efficient nature and attain.

This turns into notably seen in relation to pseudonymised information. The Digital Omnibus discussions reportedly ponder clarifying that information which have been pseudonymised, and for which the recipient doesn’t possess moderately obtainable technique of re-identification, might fall outdoors the notion of private information in that recipient’s arms. Whereas pseudonymisation beneath Article 4(5) GDPR has historically been understood as a safety measure that reduces danger with out altering the info’s authorized qualification, the proposed clarification appears to assist a low-threshold strategy to anonymisation.

Such a transfer should be learn towards Recital 26 GDPR, which embeds a dynamic, risk-sensitive and relational evaluation throughout the idea of private information, with out fragmenting its scope in accordance with the subjective place of every recipient. If the Omnibus reform had been to crystallise a recipient-relative strategy within the operative definition itself, it dangers isolating the evaluation to the speedy holder of the info, thereby narrowing the fabric scope of safety even the place identifiability persists at systemic degree.

Furthermore, the proposed Digital Omnibus don’t seem to contemplate everything of the Courtroom’s reasoning in SRB. The proposal appears to extract and generalise solely sure components of that reasoning (notably the recipient-oriented perspective) with out totally incorporating the Courtroom’s broader safeguards and contextual limitations. Following the Courtroom’s reasoning, identifiability requires an goal, context-sensitive evaluation, slightly than one restricted to the subjective perspective of a specific actor.

Clarification or Recalibration?

 If the proposed modification narrows the circumstances beneath which information qualify as private, its implications lengthen far past technical regulation. Such a change wouldn’t merely codify case regulation; it will recalibrate the fabric scope of Article 8 CFR by secondary laws, elevating profound constitutional questions.

The problem is whether or not the EU legislature might alter the constitutional perimeter of the fitting by modifying the idea that defines its attain, notably by procedural autos designed for simplification slightly than rights-sensitive reform. Recognising the quasi-constitutional standing of this definition doesn’t render it immutable, but it surely does demand heightened scrutiny.

What seems as a technical clarification might actually redraw the scope of Article 8. Contextual and relational assessments, together with the therapy of pseudonymised information, can shift EU information safety from a common framework with differentiated obligations to a fragmented one. Scope is just not administrative element; it’s constitutional design. The definition of private information is woven into the Union’s constitutional cloth, and it can’t be calmly rewoven.

Pablo Trigo Kramcsák is a doctoral researcher on the Analysis Group on Legislation, Science, Expertise & Society (LSTS) of the Vrije Universiteit Brussel (VUB), the place he’s additionally a authorized researcher on the Cyber and Information Safety Lab (CDSL) and a fellow on the Brussels Privateness Hub (BPH).

Barbara Lazarotto is a authorized researcher at the Legislation, Science, Expertise and Society Analysis Group (LSTS) of Vrije Universiteit Brussel (VUB) and the Managing Director of the Brussels Privateness Hub, an educational analysis heart related to LSTS.