When Is Personal Not Personal? EDPB Asks Stakeholders

The European Data Protection Board’s recent stakeholder event underscores a pivotal shift in how regulators view pseudonymised versus anonymous data. Following a landmark CJEU decision, the EDPB is confronting the practical challenges that arise when data passes through multiple processors, especially as AI tools become commonplace. By soliciting input from a broad spectrum of actors, the board aims to refine its forthcoming Guidelines 01/2025, ensuring that the GDPR’s high bar for anonymity remains robust while offering clearer pathways for compliant pseudonymisation.

Stakeholder feedback converged on three core themes: the need for a nuanced, multi‑factor test; the importance of realistic risk assessments that account for the recipient’s technical arsenal; and the recognition of power imbalances between data controllers and large tech vendors. Participants argued that a purely theoretical approach to re‑identification risks inflates compliance costs and obscures genuine threats. Instead, they propose combining technical measures—such as tokenisation and key management—with organisational safeguards like contractual prohibitions on re‑identification, creating a balanced framework that reflects real‑world capabilities.

For businesses, the anticipated guidance could translate into actionable checklists and standardized risk‑evaluation templates, simplifying due‑diligence when sharing data with third parties. Companies will need to document not only the technical safeguards they employ but also the contractual and oversight mechanisms governing downstream processors. By adopting a fact‑based, proportionate approach, firms can mitigate liability while maintaining the analytical benefits of data sharing. Ultimately, the EDPB’s forthcoming guidance promises to clarify the line between personal and non‑personal data, fostering greater regulatory certainty across the EU data economy.