The European Data Protection Board recently issued a summary of an event it held late last year, seeking stakeholder comment about pseudonymization and anonymization. Participants ranged from corporations and government bodies to NGOs, academics, and law firms. This report underscores the EDPB’s ongoing focus on this area. It is currently working on its pseudonymization guidance (Guidelines 01/2025), as well as future guidance on anonymization.
The event followed a CJEU ruling, in which the court discussed what might constitute pseudonymized data. The concern following that case has been the extent to which a company giving information to a third party would know (or should know) that the recipient has information that would allow it to single out individuals in a dataset. To help think through future guidance, the EDPB asked four questions at the event. It summarized the responses as follows:
- First, the EDPB asked if there were use cases where guidance might be most helpful. According to the report, there are several fact patterns where stakeholders would like guidance. These include common scenarios like inputting data into third-party AI tools. The EDPB indicated that overall, stakeholders believed it was difficult to identify when information moves from pseudonymized to truly anonymous in data sharing scenarios because different companies in the chain have not only different technical power, but also additional information of which the “sharing” company may not be aware.
- Second, the EDPB asked for input on how stakeholders evaluate whether data is reasonably likely to permit identification. Stakeholders said the answer depends on who receives the data and what other data they have. Also relevant are the tools used by the receiving party and whether they have the time and resources to reidentify information. They urged the EDPB to focus on realistic risks instead of extreme or purely theoretical attacks, and to be clear that the risk may differ from one party in the chain to another.
- Third, the EDPB asked what measures stakeholders would want it to evaluate for judging identifiability. Stakeholders suggested that the EDPB use a test that takes into account technical and organizational steps. Technical measures might include tokenization and key controls. Organizational steps might include contracts that prohibit re-identification and vendor oversight measures. However, many emphasized the difficulties when there is a power gap between clients and larger tech vendors.
- Fourth, the EDPB asked how these questions play out with tricky fact patterns. Stakeholders also flagged a practical problem: as data moves to more parties, it becomes harder to know who can identify people. Businesses often lack visibility into what downstream recipients can do, which makes risk assessments difficult. Some suggested the EDPB publish a practical checklist or framework to help evaluate third-party risk without requiring perfect knowledge. Others stressed that the GDPR still expects controllers to make reasonable, fact-based judgments about whether identification by others is likely, even when the controller cannot see every detail.
Putting It Into Practice: This report suggests different factors the EDPB may consider in future guidance about when personal information is no longer identifiable under the GDPR. For pseudonymized data – which is still personal data under the GDPR – we might see a multi-factor test, while still maintaining the GDPR’s high threshold for data to qualify as truly anonymous.