Pseudonymisation Under the GDPR: Where We Are, What May Change Under the Digital Omnibus, and What Regulators Think

Pseudonymisation has long been a key safeguard under the GDPR. A new “Digital Omnibus” proposal aims to clarify when pseudonymised data may fall outside the scope of personal data – an idea the EDPB and EDPS have pushed back on. Here’s a quick overview of the landscape and what to watch.

1) Pseudonymisation under the GDPR today

Definition (Article 4(5))
Pseudonymisation is any processing of personal data that prevents attribution to a specific data subject without additional information, provided that such information is kept separately and protected by appropriate technical and organisational measures.

Where it matters in practice

  • Purpose compatibility (Article 6): When assessing whether further processing is compatible with the original purpose, controllers should consider safeguards like pseudonymisation or encryption.
  • Privacy by design/default (Article 25): Controllers must implement suitable measures – including pseudonymisation – to embed data protection principles (e.g., minimisation) into processing activities.
  • Security (Article 32): Pseudonymisation is listed among the measures that can ensure a level of security appropriate to risk.
  • Research & statistics (Article 89): For archiving in the public interest, scientific or historical research, or statistical purposes, controllers must adopt safeguards to uphold data minimisation; pseudonymisation may be used where it allows achieving those purposes. If purposes can be achieved without identifying individuals, processing should proceed in that non‑identifying way.

Bottom line today:
Pseudonymisation reduces risk and supports compliance, but does not remove data from the GDPR’s scope; the data remain personal unless they are no longer reasonably identifiable.

2) The Digital Omnibus proposal: clarifying pseudonymisation and its boundary with personal data

The Commission’s Digital Omnibus proposal seeks to simplify and harmonise the digital legislative framework. In the GDPR context, it also aims to:

  • Clarify key definitions, including personal data and pseudonymisation;
  • Facilitate compliance by supporting controllers with criteria and means to determine when data resulting from pseudonymisation do not constitute personal data (e.g., considering state-of-the-art techniques and re‑identification risks).

New Article 41a (proposed)
The proposal would add Article 41a to the GDPR empowering the Commission to adopt implementing acts that:

  • Specify means and criteria to assess whether pseudonymised data no longer constitute personal data for certain entities;
  • Take into account the state of the art and risk of re‑identification for typical recipients;
  • Involve the EDPB closely; the EDPB would issue an opinion within 8 weeks on draft implementing acts;
  • Allow controllers to use those means/criteria as an element of proof that data cannot lead to re‑identification.

What this tries to achieve:
More legal certainty and practical guidance for controllers on when pseudonymised outputs can be treated as non‑personal, potentially easing compliance burdens – especially for smaller organisations – where re‑identification risk is demonstrably negligible.

3) The EDPB–EDPS joint opinion: concerns and a clear recommendation

In Joint Opinion 2/2026, the EDPB and EDPS express significant concerns with proposed Article 41a:

  1. Material scope of EU data protection law at stake
    Deciding whether information is personal data defines when the GDPR applies. Allowing the Commission – via implementing acts – to determine means and criteria for when pseudonymised data are no longer personal could de facto reshape the GDPR’s material scope “for whom and when,” which the authorities argue should be determined independently by supervisory authorities, under court control, with the EDPB ensuring consistent application.
  2. Legal certainty may not improve
    The draft says implementation of the Commission’s means/criteria “may be used as an element” to show non‑identifiability. The authorities find this ambiguous: Would it create a rebuttable presumption or merely one factor among others? Such uncertainty risks more complexity and confusion, contrary to the proposal’s simplification goals.

Regulatory ask:
The EDPB and EDPS recommend deleting Article 41a from the proposal.

What this means for organisations

  • Today’s steady state remains: Pseudonymised data are generally still personal data; pseudonymisation reduces risk and supports lawfulness, security, and privacy by design, but does not itself exclude GDPR applicability.
  • If Article 41a were adopted: There could be structured criteria (and potentially industry‑specific or recipient‑specific categories) to support assertions that certain pseudonymised datasets are non‑personal. However, the legal effect might be limited if criteria only serve as one evidentiary element rather than a presumption – leaving residual uncertainty.
  • Regulatory trajectory: Given the EDPB–EDPS stance, expect intense debate in the legislative process. Controllers should not plan on deregulatory outcomes; continue to treat pseudonymised data as personal unless robustly anonymised per existing standards.
