Innovation Without Redefinition: A Technical Model for Proportional Identifiability Under GDPR

Profile picture for user n00ky4u3
Sangam Das
25 veebruar 2026 - ajakohastatud 2 kuud tagasi

Context

In light of the February 2026 Council compromise removing the proposed amendment to Article 4(1) GDPR within the Digital Omnibus, and following the EDPB–EDPS Joint Opinion 2/2026, the legislative direction appears to preserve the current definition of “personal data” while addressing pseudonymisation and identifiability through guidance rather than redefinition.

This contribution does not advocate for amending the GDPR definition.
It explores whether the underlying policy objective — legal certainty for entities that genuinely cannot re-identify pseudonymised data — might be achievable through technical architecture rather than definitional change.

The Identifiability Gap

Recital 26 GDPR requires that account be taken of “means reasonably likely to be used” to identify a person.

However, no technical mechanism currently exists to make that assessment:

  • Verifiable
  • Stable over time
  • Consistent across processing chains
  • Resistant to AI-driven inference advances

As a result, identifiability remains probabilistic, entity-relative, and contested.

Proposed Technical Direction

The note outlines a cryptographically verifiable proportional identifiability model in which:

  • External recipients cannot re-identify data under defined security assumptions
  • Identifiability becomes a verifiable technical predicate rather than a subjective claim
  • Lawful judicial access remains possible through hardware-enforced, quota-bound mechanisms
  • Protection remains consistent across all entities in the processing chain

Under such an architecture:

AI innovation and privacy protection do not require a trade-off.
Legal certainty can be achieved without narrowing the scope of personal data.

The definition of Article 4(1) remains unchanged.
The architecture of data systems evolves instead.

Policy Relevance

This technical direction may be relevant to:

  • Ongoing EDPB pseudonymisation guidance
  • AI Act high-risk implementation practices
  • Digital Euro privacy design
  • eIDAS 2.0 identity architecture
  • Article 28 processor risk allocation
  • NIS2 security-of-processing design

Clarification

This submission is offered purely as a technical research contribution.
It does not seek to influence institutional deliberations and does not advocate legislative amendment.

Sangam Das
Independent Researcher
Technical Note.pdf
(286.69 KB - PDF)
Sildid
data recommendation ai regulation