Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.
On 4 Sept. 2025, the Court of Justice of the European Union delivered a judgment in the European Data Protection Supervisor v. Single Resolution Board case concluding that pseudonymized data can be regarded as nonpersonal data in certain circumstances.
In its January 2025 draft guidelines on pseudonymization, the EDPB concluded pseudonymized data is always personal data. The EDPS v. SRB judgment brought the EDPB's position under new light and bound the regulator to revisit its position. In light of the judgment, the EDPB organized a 12 Dec. virtual stakeholder event on anonymization and pseudonymization. This is in line with its commitments in the Helsinki Statement that include the regulator's plan to strengthen its dialogue with stakeholders.
The EDPB prepared four questions to guide discussion. The first focused on understanding where guidance is needed in relation to contextual assessment of relevant perspectives for determining identifiability.
Some participants highlighted a lack of clarity on how the ruling would apply in the context of joint controllership, especially when one controller does not have access to data. They also asked for more clarification on the relationship between the controller and the processor from each of their perspectives. Situations where data is transferred to third parties with which the controller does not have a contractual relationship were identified as relevant and some stakeholders called for guidance on the roles of different parties in international data transfers, especially in the case of a data breach.
In its second question, the EDPB asked about ways a controller could determine whether data that is considered anonymous could become indirectly identifiable due to its transmission between different parties.
Here, some noted that only actual and not potential transmissions should be taken into account. Some stakeholders highlighted the importance of contractual agreements in ensuring anonymization, while others were skeptical of their value due to there being no third-party effect, making the agreements nonenforceable by data subjects. Many agreed that a combination of technical, organizational and contractual measures is the most effective course of action for controllers.
The third question focused on discussing the measures a controller could implement to limit the means reasonably likely to be used for reidentification of data.
Here, stakeholders asked for a clarification of concepts, such as "means reasonably likely to be used." There was also a call to exclude speculated, hypothetical and illegal means. Some participants expressed their belief that while the controller bears most of the responsibility, other actors in the supply chain must also assume part of it. It was also mentioned that while general assessment must be context specific, the factors must be objective, pointing to the importance of Recital 26 of the EU General Data Protection Regulation in this context.
The final point of discussion focused on use cases where a controller processing pseudonymized data would struggle to determine whether it is personal for a specific recipient and the measures this controller could implement to prevent reidentification.
Once again, stakeholders asked for clarification of terminology, particularly when it comes to concepts of pseudonymization and anonymization. It was also mentioned that the transmitting party cannot predict future behaviors, while others pointed out that this cannot be used an as excuse. Certain techniques were brought up in the conversation as possible means to prevent reidentification, such as k-anonymity, the use of synthetic data, data clean rooms or trusted execution environments. Legal measures were also mentioned, like an obligation to notify onward sharing and clear allocation of roles and responsibilities.
In general, there was a strong call for more practical tools and guidance.
The EDPB's report on this stakeholder event will be released publicly, although the timeline is unknown, as well as the timeline for the publication of its guidelines on anonymization that are currently in the works.
The EDPB and EDPS are also currently working on a joint opinion on the Digital Omnibus regulation that proposes changes to the definition of personal data. The joint opinion is planned for release in early 2026.
Laura Pliauškaitė is European operations coordinator for the IAPP.
This article originally appeared in the Europe Data Protection Digest, a free weekly IAPP newsletter. Subscriptions to this and other IAPP newsletters can be found here.
