On Thursday, 4 September, the Court of Justice of the European Union (CJEU) will issue an important ruling in SRB v EDPS (Case C-413/23 P), which could reshape how pseudonymized data is treated under the EU data protection law.

In this issue, we break down the case, recap the positions of the EDPS, the General Court, and the Advocate General, and explore three possible scenarios for how the CJEU could rule, and what each would mean for the businesses going forward.

Quick Recap

The case stems from the 2017 resolution of Banco Popular Español. The Single Resolution Board (SRB) collected feedback from affected shareholders and pseudonymized it before sharing it with Deloitte, its external advisor.

• Pseudonymization involved 33-character random codes replacing names
• Only the SRB had the key to re-identify individuals; Deloitte did not

Five complainants brought a case to the European Data Protection Supervisor (EDPS) arguing that the SRB should have disclosed Deloitte as a recipient of personal data. The EDPS agreed, concluding that:

• The pseudonymized data still qualified as personal data because the codes that SRB possessed allowed linkage between individuals' registration and feedback responses.
• The SRB breached transparency obligations by not naming Deloitte as a recipient in its privacy notice.

The General Court's Decision

On April 16, 2023, the General Court annulled the EDPS’s decision, ruling that the EDPS had failed to properly assess whether Deloitte, as a recipient in this specific case, had the means to re-identify the data subjects.

…since the EDPS did not investigate whether Deloitte had legal means available to it which could in practice enable it to access the additional information necessary to re-identify the authors of the comments, the EDPS could not conclude that the information transmitted to Deloitte constituted information relating to an ‘identifiable natural person’…

The Court effectively rejected a position that one can rule if data are pseudonymized or anonymized in an abstract fashion. Quite the opposite, the Court held that the recipient’s perspective and the means available to them (citing previous Breyer judgment) are decisive when determining whether pseudonymized data constitutes personal data.

The Key Tensions & AG Position

At the core of this case lies a fundamental (and long-standing) debate:

How do we determine whether pseudonymized data is still “personal data”?

There are two competing approaches that the CJEU will have an opportunity to rule on:

• Objective approach to personal data - where data remains personal as long as the controller or any party can re-identify individuals
• Relative approach to personal data - where data is only personal if the specific recipient has reasonable means to identify individuals

This distinction is critical because whether a dataset constitutes personal data or not is a fundamental question - if it does, all the GDPR requirements apply. If not, then obviously none do.

Yet, Advocate General (AG) Spielmann offered a different take on this tension in his opinion of February 6, 2025. He suggested that GC's analysis on Deloitte's possibility to re-identify was "not material", and instead focused on the SRB’s obligation to provide information as the data controller. He found that since data was personal in the SRB's possession, the SRB had an obligation to inform the data subjects about Deloitte as a recipient, regardless of whether the data constituted personal data in Deloitte’s possession.

While the AG's opinion does not fully endorse the EDPS's broad "objective" view that pseudonymized data is always personal data for any recipient (acknowledging that data could legally escape classification if re-identification is truly impossible or insignificant), it strongly supports the EDPS's ultimate conclusion regarding the SRB's failure to inform.

Potential Outcomes & Implications

The CJEU is not bound by the AG's opinion, but it often provides a strong indication. Here are the main, yet not the only, options for the CJEU's decision:

Scenario 1: CJEU Upholds the General Court's Judgment (Reinforce Relative Approach):

• Core finding: The definition of personal data depends on the recipient's reasonable ability (legal means) to re-identify. This position challenges current interpretations, including some of the fundamental assumptions made by the EDPB in its Guidelines on Pseudonymization of January 16, 2025.
• Implications for businesses: Might reduce compliance burden were they act as data recipients without reasonable means to re-identify the datasets they receive.

Scenario 2: CJEU Overturns the General Court, Fully Endorses the EDPS (Strengthen Objective Approach):

• Core finding: Pseudonymized data always remains personal data as long as any party (including the original controller) retains the means to re-identify the data subject, regardless of the recipient's capabilities. This position reinforces the traditional doctrine, aligning with the EDPB guidance.
• Implications for businesses: All parties handling pseudonymized data would need to treat it as personal data, maintaining full GDPR compliance, even if they do not hold the key to re-identification.

Scenario 3: CJEU Aligns with Advocate General's Nuanced Reasoning

• Core finding: The CJEU could agree with the AG that the SRB's information obligation arose when the data was personal in its own hands, thereby upholding the EDPS's finding of an infringement on that specific ground, while perhaps leaving the broader "relative vs. objective" debate for recipients more open in other contexts. This position does not really answer the core question at hand.
• Implications for businesses: Those sharing pseudonymized personal data will need to make sure the recipients are included in the privacy notices.

Whatever the outcome, we’ll cover it in due course. 📢 Follow StreamLex on LinkedIn for real-time updates as the decision is handed down.