EU Member States Reject Proposed GDPR Redefinition of Personal Data
EU member-state governments, via the Council of the EU, rejected a European Commission proposal to redefine “personal data” under the GDPR as part of a broader late-2025 Digital Omnibus legislative package intended to streamline tech regulation and boost competitiveness. The proposed change was framed as making it easier to collect, share, and process data about individuals, but it drew pushback from privacy stakeholders concerned it would weaken protections.
European data protection regulators had already criticized the amendment earlier in February, and the Council’s compromise text—reported by Euractiv—omitted the Commission’s redefinition. Paul Nemitz, a key architect of the GDPR, welcomed the Council’s stance cautiously, signaling continued resistance among member states to altering the GDPR’s core definition of personal data in ways that could reduce privacy safeguards.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Paul Nemitz criticizes remaining Council GDPR compromise provisions
After the Council dropped the redefinition, GDPR architect Paul Nemitz welcomed that decision but criticized other parts of the compromise text, including language suggesting some pseudonymized data might lose personal-data status and a proposal that could let AI firms rely on legitimate interests for model training.
Council of the EU rejects proposed GDPR personal-data redefinition
EU member-state governments, acting through the Council of the EU, removed the Commission's proposed redefinition of "personal data" from the compromise text. The move blocked a change that critics said would have made some re-identifiable data easier to process.
European Parliament study warns Digital Omnibus could weaken protections
A European Parliament study warned that the Digital Omnibus could undermine uniform data protection, and criticized the Commission for limited consultation and the absence of a full impact assessment.
European data protection regulators oppose personal-data redefinition
The European Data Protection Board and EU data protection regulators objected to the Commission's proposed redefinition, warning it could weaken protections for individuals under the GDPR.
Commission proposes GDPR changes in late-2025 Digital Omnibus package
The European Commission included a proposal in its late-2025 Digital Omnibus package to redefine "personal data" under the GDPR, aiming to ease collection and processing of some data that a company cannot immediately link to an identifiable person.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
EU Digital Omnibus Proposals Face Privacy Watchdog Backlash Over GDPR Changes
European privacy watchdogs and digital rights advocates are pushing back against the European Commission’s proposed **“Digital Omnibus”** package, arguing that amendments billed as regulatory “streamlining” could **weaken EU privacy protections** and erode fundamental rights. Reported concerns focus on proposed changes to the **GDPR**, including narrowing the definition of **personal data** so that not all data that could potentially be linked to an identifiable person would qualify, alongside other adjustments intended to reduce compliance friction (e.g., reducing cookie banner requirements in some cases and simplifying multi-law breach notification processes). Separately, UK officials told Parliament that **legacy IT** is impeding implementation of technical controls meant to prevent repeats of the Ministry of Defence’s highly sensitive Afghan data exposure, where roughly **19,000** resettlement applicants’ details were compromised via a **CC instead of BCC** email error. The government’s Information Security Review recommended shifting cross-government information sharing away from email/attachments and toward source-based sharing, but ministers and the chief data officer cited departmental system fragmentation as a barrier to rolling out attachment-blocking and safer data-transfer mechanisms at scale.
Mar 21, 2026
European Commission Proposes Deregulatory Changes to GDPR and AI Regulations
The European Commission has introduced a legislative package, known as the Digital Omnibus, aimed at simplifying and consolidating digital regulations across the European Union. This proposal seeks to merge multiple pieces of legislation into a single framework, streamlining rules on artificial intelligence, cybersecurity, and data management. A key component of the package is the relaxation of certain General Data Protection Regulation (GDPR) provisions, including delaying the enforcement of regulations on high-risk AI systems and permitting companies to use personal data for AI training without prior user consent in most cases. The initiative also includes the launch of a European Business Wallet to facilitate digital operations for companies and public sector bodies, and a new Data Union Strategy to unlock high-quality data for AI development. EU officials argue that these changes will reduce administrative burdens and compliance costs for businesses, fostering innovation and competitiveness within the bloc. However, the proposal has drawn criticism from privacy and digital rights advocates, as well as some political parties, who warn that it could significantly weaken data privacy protections that have been a hallmark of the EU's regulatory landscape. The legislative package must still be approved by the European Parliament and the Council of the European Union, and its future remains uncertain amid ongoing debate over the balance between innovation and fundamental rights.
Mar 21, 2026
EU Digital Omnibus Proposal to Weaken GDPR Protections for AI and Cookie Tracking
The European Commission is preparing to introduce the "Digital Omnibus" legislative package, which includes significant amendments to the General Data Protection Regulation (GDPR) and related digital privacy laws. Leaked drafts of the proposal reveal changes that privacy advocates argue would create major loopholes, particularly by relaxing rules on pseudonymized data and shifting cookie regulation from the ePrivacy Directive to the GDPR. Critics, including Max Schrems and privacy groups like Noyb, warn that these reforms would undermine existing privacy protections, making it easier for companies—especially large tech and advertising firms—to exploit personal data for commercial purposes. The proposed amendments would also allow broader processing of cookie-derived data under a "closed list of low-risk purposes" or other legal bases, moving away from the current strict opt-in requirements. Privacy experts contend that these changes could violate European Court of Justice rulings and the EU Charter of Fundamental Rights, representing the most significant attack on European privacy since the GDPR's inception. The official unveiling of the Digital Omnibus package is expected on November 19, 2025, and the reforms have sparked strong opposition from privacy advocates who believe the legislative process is being rushed and lacks proper oversight, potentially eroding the rights of EU citizens in favor of industry interests.
Mar 21, 2026