The EU Digital Omnibus Proposal, published by the European Commission on November 19, 2025, aims to simplify the overall EU digital legislative framework and, as part of this effort, proposes amendments to clarify the interpretation of the concept of "personal data" in the General Data Protection Regulation (GDPR). In particular, the proposal introduces a subject-specific and context-dependent assessment of identifiability, under which information does not constitute personal data for an entity that lacks reasonably available means of reidentification. This paper focuses on the judgment of Court of Justice of the European Union (CJEU) in SRB (Case C-413/23 P European Data Protection Supervisor v Single Resolution Board [2025]) as the institutional background of this amendment. While the judgment recognizes that identifiability may depend on the means reasonably available to each entity, it also maintains a controller-based standard for the transparency obligation, thereby separating the assessment of identifiability from the establishment of that obligation. Against this background, this analysis addresses the following research question: how the EU Digital Omnibus Proposal transforms the legal role of privacy enhancing technologies (PETs) from supplementary safeguards into institutional elements that define the scope of personal data under the GDPR. It argues that the proposal repositions PETs as structural components that shape the range of reasonably available re-identification means and thereby influence the scope of application and the activation of obligations under the GDPR. This institutional design suggests a new approach to balancing data protection and data utilization, in which the boundary between personal and non-personal data is constructed through technology-dependent identifiability assessments.
各種検索
サポート
ヘルプ