EU Court of Justice Issues Landmark Judgment on Concept of “Personal Data”

On 4 September 2025, the EU Court of Justice (the “CJEU”) issued a landmark ruling in SRB v. EDPS confirming that pseudonymous data is not automatically personal data in all cases (the “SRB Case”). Instead, the key question is whether the controller can realistically re-identify the individual. This judgment is expected to have a significant impact on instances where effective technical and/or organisational measures prevent re-identification by the controller. Importantly, although the ruling arose under EU Regulation 2019/1725 – i.e., the EU data protection law applicable to EU Institutions (such as the Commission) – the CJEU confirmed that the same interpretation applies under the General Data Protection Regulation (the “GDPR”).

Personal, Pseudonymous, and Anonymous Data

Under the GDPR, “personal data” is broadly defined and includes both directly identifiable information (e.g., names, contact details) and indirectly identifiable information (e.g., IP address, unique IDs). “Pseudonymous data” constitutes personal data if individuals can be identified using “reasonably likely” means – taking into account all objective factors such as cost, time, and available technology. By contrast, “anonymous data” is information which does not relate to an identified or identifiable individual.

Why This Matters

The distinction is important because only personal data is subject to the requirements of the GDPR. However, what constitutes anonymous data (and whether pseudonymous data can be considered anonymous) has – up until now – been an area of extensive debate, with differing interpretations and ultimately two main schools of thought:

  • The absolute approach, which considers that, provided a known third party holds additional information, the pseudonymous data would be considered personal data, regardless of the likelihood of attribution.
  • The relative approach, which considers that the means by which additional information could be used to identify the individual, together with how likely those means are to be used, should be taken into account when determining the likelihood of re-identification. Key to the relative approach is the relationship between the parties and the contextual circumstances as to possible re-identification.

Key Findings from the SRB Case

The CJEU in the SRB Case confirmed that data may be personal data in the hands of one controller but may be non-personal data in the hands of another controller – depending on the information and means reasonably likely to be used by both for re-identification. In the SRB Case, the CJEU found that:

  • The original controller (the “SRB”) had the required additional information to link the pseudonymous data back to an individual and, as a result, the data should be considered “personal data” from the perspective of the SRB.
  • To determine whether the recipient (a large professional services firm) was in possession of personal data, it must be assessed whether the technical and organisational security measures applied by the SRB to the pseudonymous data were sufficient to prevent re-identification by the recipient. In short, this requires that (a) the recipient is not able to lift those security measures during processing under its control (e.g., reverse encryption) and (b) the pseudonymisation technique is sufficient to prevent the recipient from attributing the data to the individuals, including by recourse to other means of identification such as cross-checking with other factors (e.g., look-up tables).
  • Data is not “personal” where, in reality, the “risk of identification appears insignificant” – such as where re-identification would be unlawful or would require disproportionate effort. The mere fact that additional means or information exists does not mean that, in all cases and for every person, the data is “personal data.”

Divergence from Existing Guidance

The CJEU’s relative approach (which aligns with that of the UK Information Commissioner’s Office) diverges from the draft Guidelines 01/2005 on Pseudonymisation from the European Data Protection Board (“EDPB”); these conclude that pseudonymous data which could be attributed to an individual using additional information is to be considered personal data even where the pseudonymous data and additional information are not in the hands of the same person.

Status of the Judgment

Although the case has been referred back to the General Court to rule on remaining procedural claims raised by the SRB, the CJEU’s substantive findings are final and definitive and the interpretation of such substantive concepts should be deemed authoritative vis-à-vis national data protection authorities and courts.

Practical Implications

The SRB Case is highly relevant for sectors that handle large volumes of pseudonymous data including, for example, sponsors of clinical trials (processing key-coded trial data), providers of digital products and services including AI (with pseudonymised logs), AdTech and marketing (where device IDs and other identifiers may be hashed), HR (where survey and performance metrics may be pseudonymised), and financial services (with transaction logs or know your customer/anti-money laundering risk profiles potentially being pseudonymised). For these organisations, the ruling could ease compliance obligations by recognising that pseudonymised data may, in some contexts, fall outside the scope of the GDPR.

This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.