The European Data Protection Board recently convened stakeholders to navigate a critical shift in how pseudonymized data is understood under EU privacy law. The December 12th virtual gathering reflects the regulator’s effort to reconcile its previous guidance with a landmark court ruling that challenged long-held assumptions about data protection obligations.
The Catalyst for Change
In September 2025, the Court of Justice of the European Union issued a decision in European Data Protection Supervisor v. Single Resolution Board that fundamentally altered the regulatory landscape. The court concluded that under specific circumstances, pseudonymized information may qualify as non-personal data—a determination that directly contradicted existing regulatory guidance.
Just months earlier, the EDPB had published draft guidelines asserting that pseudonymized data invariably constitutes personal data. The court’s ruling forced the regulator to reconsider this absolute position, prompting the stakeholder consultation held in December. This engagement aligns with commitments outlined in the EDPB’s Helsinki Statement, which emphasizes enhanced dialogue with industry participants and other affected parties.
Navigating the Controller Landscape
The EDPB structured discussions around four strategic questions, beginning with where organizations most urgently need direction regarding contextual assessments of identifiability. The first session revealed significant uncertainty around joint controllership arrangements, particularly scenarios where one controlling entity lacks direct access to the underlying data.
Participants requested additional clarity on the dynamic between controllers and processors, especially when evaluated from each party’s distinct vantage point. Organizations flagged situations involving data transfers to third parties without established contractual relationships as particularly problematic. Several attendees advocated for guidance addressing the responsibilities of various actors in cross-border data flows, with special attention to obligations triggered by security breaches.
Assessing Transmission Risks
The second discussion point examined how controllers might evaluate whether ostensibly anonymous data could become indirectly identifiable through transfers between multiple parties. Stakeholders expressed divergent views on which transmissions should factor into this assessment.
Some argued that organizations should only consider actual data flows rather than hypothetical future scenarios. While certain participants emphasized contractual agreements as crucial anonymization safeguards, others questioned their practical value. These skeptics noted that contracts lack third-party enforceability, leaving data subjects without direct recourse. Despite these differences, broad consensus emerged that layered protections—combining technical implementations, organizational policies, and contractual provisions—offer the most robust approach for controllers.
Defining Reasonable Reidentification Methods
The third question centered on what measures controllers should deploy to constrain the methods reasonably likely to enable reidentification. Here, stakeholders pressed for precise definitions of terminology, particularly the phrase “means reasonably likely to be used.”
Multiple voices called for excluding speculative, theoretical, and unlawful reidentification methods from risk assessments. Some participants contended that while controllers bear primary responsibility for protecting data, other supply chain participants must share accountability. Others emphasized that although contextual factors should inform general assessments, the evaluation criteria themselves must remain objective. Several stakeholders highlighted Recital 26 of the GDPR as providing important interpretive guidance for these determinations.
Managing Uncertainty in Data Classification
The final discussion explored practical scenarios where controllers handling pseudonymized information struggle to determine whether specific recipients would consider it personal data, and what preventive measures might address reidentification risks.
Terminology again emerged as a central concern, with stakeholders requesting sharper distinctions between pseudonymization and anonymization concepts. Participants noted the inherent challenge of predicting recipient behavior, though others cautioned against using unpredictability as justification for inadequate safeguards.
The conversation surfaced several technical approaches that might prevent reidentification. These included k-anonymity techniques, synthetic data generation, data clean rooms, and trusted execution environments. Beyond technical measures, participants proposed legal mechanisms such as mandatory notification requirements for onward data sharing and explicit allocation of responsibilities across the data ecosystem.
The Call for Practical Implementation Tools
Throughout all four discussion sessions, a consistent theme emerged: stakeholders urgently need actionable guidance and practical tools rather than abstract principles. Organizations implementing data protection programs seek concrete frameworks they can operationalize within existing workflows and systems.
The EDPB plans to publish a formal report documenting the stakeholder event findings, though no release date has been announced. Similarly, the regulator continues developing comprehensive guidelines on anonymization techniques, but their publication timeline remains uncertain.
Looking Ahead
The regulatory landscape continues evolving on multiple fronts. The EDPB and EDPS are jointly preparing an opinion on the proposed Digital Omnibus regulation, which includes provisions that would modify the legal definition of personal data. That joint opinion is expected in early 2026, adding another layer to an already complex regulatory picture.
This stakeholder consultation represents more than just regulatory compliance—it signals a potential recalibration of how European privacy law treats data processing at scale. Organizations across sectors, from healthcare to artificial intelligence development, rely on clear distinctions between personal and non-personal data to inform their operational decisions.
The tension between the EDPB’s January 2025 position and the September court ruling illustrates broader challenges facing privacy regulators. As data processing techniques grow more sophisticated and data sharing arrangements more complex, regulators must balance protecting individual rights with enabling legitimate data uses that drive innovation and economic activity.
The coming months will reveal whether the EDPB can craft guidance that provides the clarity organizations seek while maintaining robust privacy protections. The stakes extend beyond European borders, as multinational organizations adjust their data practices globally to accommodate European requirements. How regulators resolve these questions about pseudonymization may well set precedents that shape international data governance for years to come.
