As AI becomes increasingly involved with inferring and interacting with emotions and the European Union (EU) takes a radical turn on its approach to data, the need for establishing clear legal boundaries that define and safeguard emotion data in the EU has grown evident. Under the current EU legal framework, emotion data are not recognised as a separate category of personal data and are only protected insofar as they fall within the scope of the EU personal data protection laws. The centrepiece of the EU’s personal data protection framework, the General Data Protection Regulation (GDPR), makes no reference to either emotion or emotion data. It, therefore, applies to data concerning emotions only when they are considered “personal data” within the meaning of the Regulation, which is not always the case for all types of emotion data.
Now, to compound the issue, the European Commission’s Digital Omnibus proposal introduces amendments to the rules on the definition and processing of personal data, which, rather than addressing the current gaps regarding the regulation of emotion data under the GDPR, widen them even more.
Emotion data in the GDPR: The current state of the law
Emotion data refers to information which could be derived from a person’s facial expressions, voice, physiological signs, and behavioural responses, and which reflects a person’s inner emotional state or feelings. To fall under the GDPR, emotion data must satisfy the requirements of personal data defined under Article 4(1) of the Regulation.
Article 4(1) defines personal data as “any information relating to an identified or identifiable natural person.” According to Recital 26, when determining whether a person is identifiable, all the means reasonably likely to be used either by the controller or by another person to identify the person directly or indirectly should be taken into account. The definition of personal data also encompasses pseudonymised data, which could be attributed to an identifiable person by the use of additional information.
While emotion data mostly constitutes personal data under this definition, certain emotion data, such as that collected through anonymised surveillance, is considered anonymous and thus is left out of the GDPR. GDPR defines anonymous data as “information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable.” Accordingly, anonymised emotion data does not fall under the GDPR if the data subject is not or would not be identifiable despite the use of all reasonable means. This low threshold for anonymisation can be problematic for emotion data, which is extremely sensitive by nature and strongly connected to one’s identity, mental state, and personal values. The technical limits to anonymisation as a method compound this problem.
Complete anonymisation is almost impossible to achieve, particularly in very large data sets, meaning that there is generally a residual risk of re-identification. Moreover, there is always the risk that the anonymisation process could be reversed in the future through new technologies or disclosure of additional data. Regardless, such elaborate ways of re-identification are not covered under the GDPR’s definition of identifiability. This means that certain anonymised emotion data, which is considered unidentifiable under the reasonable means test but bears the potential risk of re-identification, could be processed without accountability in some cases.
Even when emotion data qualifies as personal data under Article 4(1), it is not specifically protected as a separate class of the special categories of personal data whose processing is prohibited under Article 9(1), subject to the exemptions laid down in Article 9(2). As highlighted in Recital 51, the special categories of data outlined in Article 9(1) are deemed particularly sensitive in relation to fundamental rights and freedoms and are provided with a higher level of protection under the GDPR. They include data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, or those concerning one’s sex life or sexual orientation, as well as genetic data, and biometric data processed for identification purposes.
For Article 9(1) to be applicable to emotion data, such data must fall under one of those categories, exhaustively listed in the provision, which, when emotion data is concerned, would be either biometric data or health data. Biometric data is defined under Article 4(14) as “personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person.” Following that, emotion data processed by facial emotion recognition systems or by those inferring emotions from physiological body signs, such as heart rate and blood pressure, falls under Article 9(1). The information processed by the latter may also be categorised as health data, which, as stated in Recital 35, encompasses not only the physical and mental health of a person but also “any information on…the physiological or biomedical state of the data subject.”
Whether emotion data constitutes biometric data or health data, thus, depends on the technical approach taken by the emotion recognition system processing the information. As a result, data processed by many emotion recognition systems using other approaches is left out of Article 9(1)’s coverage and is treated as ordinary personal data insofar as it is legally classified as such under Article 4(1). Emotion data collected through text sentiment analysis and context-based inference methods, which are heavily used by AI companions, is an example of such excluded data, as these methods generally rely on non-biometric outputs, such as text and word choices.
What does Digital Omnibus mean for emotion data?
The proposed Digital Omnibus package introduces significant changes to Article 4 and Article 9 of the GDPR, which subtly narrow down the application scope of the GDPR and weaken the special protection provided to sensitive data under the Regulation.
Amending Article 4(1) of the GDPR, Article 3(1)(a) of the proposal redefines the concept of personal data and states that information will not be considered personal data for a given entity where that entity does not have means reasonably likely to be used to identify the data subject of the information. A potential subsequent data recipient’s capacity to identify the data subject alone will not make the information personal. Based on a similar logic, Recital 27 of the proposal excludes pseudonymised data from the GDPR’s protection, stating that the existence of additional information that enables the identification of the data subject, in itself, does not mean that pseudonymised data constitutes personal data under the Regulation.
The Commission tries to justify this radical change to the definition of personal data by pointing to the recent rulings of the Court of Justice of the European Union (CJEU). However, the only recent CJEU judgement that partially shares this understanding was given in EDPS v Single Resolution Board (C-413/23 P). In its judgement, the court held that pseudonymised data does not, “in all cases and for every person,” qualify as personal data, as pseudonymisation may, depending on the circumstances, effectively prevent the identification of the data subject by people other than the controller.
Whether a piece of data is deemed personal under the proposed rules, therefore, will be conditional on the identification capacity of the individual entity processing the data, meaning that the same piece of data could be regarded as personal for one entity and non-personal for another. This conditional interpretation practically renders the applicability of GDPR to certain data dependent on the self-declaration of controllers regarding their possession of the means to identify the data, as there is no established procedure for data subjects to prove the opposite. Even if data subjects somehow manage to do so, the process would take years and render any remedy virtually worthless for them.
This new subjective approach to personal data creates additional ambiguity regarding the GDPR’s applicability to emotion data, which is already restricted by the unique nature of emotion data that is inherently extremely personal but not always legally recognised. Given the already existing uncertainty surrounding the status of emotion data under the GDPR, this legal loophole could easily be taken advantage of by data controllers who aim to avoid compliance with the Regulation when processing emotion data. It would also create extra complexity and uncertainty for controllers, particularly for small and medium-sized companies, and increase the risk of triggering penalties by supervisory authorities and liability claims by data subjects.
For emotion data that is nevertheless regarded as personal data, Digital Omnibus has other surprises. Article 3(3) of the proposal introduces two additional exemptions to the prohibition of special data processing under Article 9(1) of the GDPR. One of them concerns biometric data and exempts its processing from the general prohibition prescribed in Article 9(1) when it is necessary for verifying the identity of the data subject and where the data and the means of processing are under the data subject’s sole control. This means that emotion data classified as biometric data under the GDPR will no longer benefit from the extra protection under Article 9(1) when it is processed for identity verification.
According to the second proposed exemption, the processing of special categories of personal data in the context of the development and operation of an AI system or model will not be deemed a breach of the GDPR where it happened despite the implementation of appropriate organisational and technical measures to avoid it. If identified by the controller in datasets, such data will have to be removed unless it “requires disproportionate effort.”
While the proposal does not clarify what constitutes disproportionate effort, the necessity to re-engineer the AI system or model to remove such data is considered an example of disproportionate effort under Recital 33 of the Digital Omnibus. This low benchmark for disproportionality indicates that it could become a default excuse for controllers to avoid the obligation of removal, particularly when large and unstructured data sets are involved. The risk of such legal circumvention is particularly high when it comes to emotion data due to the typical involvement of AI systems in data processing. With its broad scope and vague wording, the exemption provides a safe passage for controllers to process emotion data, whether on purpose or unintentionally, without giving rise to a GDPR infringement.
One step forward or two steps back? The future of emotion data
It appears that rather than clarifying the rules for the regulation of emotion data under the GDPR, the EU has decided to extend this legal uncertainty to personal data by reconceptualising the GDPR’s long-established terminology, which leaves certain previously protected emotion data out of its protection. Exacerbated by the EU Artificial Intelligence Act’s failure to provide an adequate and consistent framework for emotion recognition systems, such regulatory exclusion leaves the door open for the processing of certain types of emotion data in the EU with little to no accountability. In an era of rising use of AI companions and emotional surveillance systems, this deregulation attempt on data jeopardises not only privacy but also mental integrity, freedom of expression, and many other fundamental rights people are entitled to in relation to their emotions.
Suggested citation:
Öznur Uğuz, ‘Emotion Data under the GDPR: How the Digital Omnibus Deepens the Existing Legal Uncertainty’ (Comparative Digital Law Blog, 08 May 2026) <https://lawandtech.ie/emotion-data-under-the-gdpr-how-the-digital-omnibus-deepens-the-existing-legal-uncertainty>.
About the author:
Öznur Uğuz is a PhD researcher at Scuola Superiore Sant’Anna and a qualified lawyer registered with the Istanbul Bar Association. She holds a Master of Science in European Economy and Business Law from the University of Rome Tor Vergata, a Bachelor of Laws and a Bachelor of Arts in Sociology from Istanbul University, and a Graduate Diploma in Law from The University of Law UK.




