
Personal Data or Not? The CJEU’s (updated) understanding of anonymisation

On 4 September 2025, the Court of Justice of the European Union (CJEU) delivered a landmark ruling shedding new light on one of the key questions in data protection law: when can “personal data” be considered as “anonymised” and therefore as being out of scope of data protection laws? Clarifying the legal threshold for identifiability, the CJEU brings new elements to redefine the contours of the definition of “anonymisation” which could have a huge impact on business operations for various organisations. 

Background of the case

The Single Resolution Board (SRB), responsible for managing bank resolutions across the EU, collected feedback from shareholders and creditors and shared these datasets with a consulting firm. Before the transfer, each comment was pseudonymised using randomly generated alphanumeric codes. Crucially, the consulting firm had no access to the key that could link codes to individuals, making re-identification seemingly impossible.

Despite this, the European Data Protection Supervisor (EDPS) concluded that the data still qualified as personal data and found the SRB in breach of Regulation 2018/1725, the EU GDPR analogue for EU institutions, for failing to inform data subjects about the transfer.

The SRB challenged the decision before the EU’s General Court (EGC), which sided with the SRB. The EGC held that the EDPS had not sufficiently examined whether the consulting firm had any legal means to access the re-identification key. It concluded that the datasets were anonymised, i.e. did not constitute personal data under the EU GDPR for the recipient, and annulled the EDPS’s decision. Subsequently, the EDPS challenged the EGC’s decision before the CJEU.

Concept of pseudonymisation and anonymisation in data (protection) laws

Understanding the distinction between pseudonymisation and anonymisation is essential to grasping the significance of this CJEU ruling. 

Under the EU GDPR, pseudonymisation requires that personal data can no longer be attributed to a specific data subject without additional information and that such additional information is kept separately and protected. While pseudonymisation enhances privacy and supports the EU GDPR’s overarching principle of data protection by design, pseudonymised data are still subject to the EU GDPR, meaning all EU GDPR obligations apply. 

In contrast, anonymisation renders personal data permanently unidentifiable to a specific data subject. Once data is ultimately anonymised, it falls outside the scope of the EU GDPR. 

Qualifying data as either pseudonymised or anonymised is therefore decisive. EU supervisory authorities (in particular, the Article 29 Data Protection Working Party as the predecessor of the European Data Protection Board (EDPB)) advocated for a risk-based approach to anonymisation but also stressed that effective anonymisation requires eliminating all means of re-identification, including the destruction of raw identifiers. In this regard, a previous decision of the CJEU (known as the “Breyer decision”) ruled, for example, that dynamic IP addresses could constitute personal data in cases where the controller had legal means to obtain additional information enabling identification. By recognizing a relative approach to identifiability, focused on whether re-identification is possible for the specific actor, the decision set a rather high bar.

Pseudonymised data does not always constitute personal data, according to the CJEU

Echoing Advocate General Spielmann’s Opinion, the CJEU held in EDPS v. SRB that pseudonymised data must not be regarded as constituting personal data in all cases and for every person. In other words, the same dataset may be personal data for one party and anonymous for another. 

However, the CJEU also emphasises that such an assessment concretely depends on the circumstances of the case and would apply in so far as pseudonymisation effectively prevents persons other than the controller from identifying data subjects in such a way that, for them, individuals are no longer identifiable. In consequence, “the individual circumstances” are decisive. 

Key takeaways and strategic considerations

The CJEU’s decision, generally reiterating its previous statements, but with different nuances, results in a few key takeaways, while many aspects still require further clarification: 

  • The same dataset can be pseudonymised, i.e. personal, for one organisation (which holds the key), yet non-personal for another organisation that receives the data and lacks any means reasonably likely to re-identify, considering legal, technical and practical circumstances. This is a shift in emphasis from the stricter readings after the “Breyer decision” (see above), and it compels a contextual analysis of re-identification risk.
  • Whether the EU GDPR applies to a recipient depends on the recipient’s realistic capabilities (and constraints) in its environment, not just on what the exporter could do. A recipient-only lens is insufficient; organisations must analyse the entire allocation of means and the “legal powers” surrounding both parties. It could, for instance, be considered whether a contractual obligation of the recipient is sufficient.
  • Controllers must assess their obligations at the point of data collection and disclosure: the exporter’s act of pseudonymising and transferring remains subject to the EU GDPR, even if, in the recipient’s context, the dataset received by the recipient may no longer be considered as “personal data.”

Therefore, the ruling could allow organizations to consider effectively pseudonymised data as no longer being subject to the EU GDPR, thereby limiting the EU GDPR-related obligations for the recipient, who may fall outside the scope of the EU GDPR for that dataset. It is currently being discussed whether this may reduce the need to conclude data processing agreements, provided that strict key segregation is implemented, re-identification covenants are foreseen (e.g., no re-identification, no linkage, no enrichment; auditability and an incident duty to notify re-identification risk events), and the agreement includes a “snap-back” clause that reactivates data protection obligations if circumstances change.

Another aspect to consider is that robust pseudonymisation with keys retained in the EEA can significantly reduce transfer risks and may even simplify the data exporter’s EU GDPR duties. When combined with strong key segregation and controlled tokenisation, this approach can make onboarding analytics or AI vendors faster and safer: the importer, lacking any realistic means of re-identification, may not be processing “personal data”, and it could be argued that concluding standard contractual clauses (and carrying out transfer impact assessments) is redundant in certain instances.

The ruling could also open new pathways for data reuse and innovation. As AI models rely on large datasets, the ability to use pseudonymised data without triggering full EU GDPR obligations could reduce compliance burdens and accelerate development. 

 

 

 
