Anonymization vs. Pseudonymization: The Implications of the CJEU's Relative Approach

Managing compliance within the digital economy relies on a complex balance between leveraging informational value and rigorously protecting privacy. At the heart of this equation, pseudonymization and anonymization are not mere technical options but crucial strategic choices. An organization's ability to transform raw data into an exploitable asset without compromising individual identities is now a major competitive advantage. The technical stakes are colossal, as it involves reducing the risk of re-identification while preserving the statistical utility of datasets, a mission where data science meets the requirements of European law.

‍

‍

Technical Challenges: The Complexity of the Anonymization Threshold

‍

‍

In operational practice, many departments and professions invoke the concept of anonymization as a lever to exclude their processing from the scope of the GDPR. However, a persistent confusion between pseudonymization and anonymization often weakens compliance strategies.

‍

‍

Pseudonymization: A Protection That Does Not Exclude Personal Data

‍

‍

It consists of replacing a direct identifier with a pseudonym. In practice, this operation is reversible when the mapping table is retained, as is often the case in the research sector. While it allows for maintaining individual analytical granularity and limits the impact of a potential data breach, it does not relieve the organization of its legal obligations. Legally, the data remains personal data.

‍

‍

Anonymization: A Technical Challenge at the Expense of Utility

‍

‍

True anonymization is far more sophisticated and restrictive than simple identity masking. To be valid, it must withstand three major technical tests: individualization, correlation, and inference. Reaching this threshold requires significant transformations such as excessive generalization or the injection of statistical noise. This process creates a paradox: the higher the level of protection, the lower the data's precision, sometimes rendering the processing useless for business purposes.

‍

‍

The Jurisprudential Shift of September 4, 2025: The Validated Relative Approach

‍

‍

The interpretation of the boundary between these two concepts reached a decisive stage with the ruling of the Court of Justice of the European Union on September 4, 2025 (Case C-413/23 P, EDPS v. SRB). The Court validated a so-called relative approach to personal data.

‍

According to this interpretation, information can be considered anonymous for a third-party recipient if that party has no legal or realistic means of accessing data that would allow re-identification. This decision finally acknowledges that data can change its legal nature depending on the technical means and information reasonably available to the data holder.

‍

‍

A Redefinition That Sparks Strong Opposition

‍

‍

This development is not universally accepted. Several French and European digital rights associations strongly oppose this reclassification. For these stakeholders, anonymization must remain an absolute standard. Critics point out that in a Big Data environment, re-identification through cross-referencing (linkage) is becoming technically more accessible, even without access to an initial mapping table. This debate highlights that compliance must also integrate an ethical dimension and reputation risk management for businesses.

‍

‍

The Digital Omnibus Project: Perspectives and Limitations of the Current Framework

‍

‍

The draft Digital Omnibus Regulation was designed to enshrine this case law into legislation to streamline the digital single market.

‍

Crucial warning: the Digital Omnibus currently remains a draft. No provision of this text has yet been definitively adopted. Organizations must continue to comply with the regulatory and legislative framework currently in force. Anticipating unconfirmed legislative simplification would expose companies to sanctions from national supervisory authorities, who maintain their usual requirements.

‍

‍

Practical Applications: Health, Research, and the AI Act

‍

‍

Despite the provisional status of the Digital Omnibus, the September 2025 case law already offers concrete prospects for cutting-edge sectors, while requiring a multidimensional risk analysis.

‍

‍

In the field of health and research

‍

‍

The relative approach offers a framework for streamlining data sharing, but the classification as "anonymous data" does not solely depend on the absence of access to the mapping table retained by the producer. The recipient laboratory must demonstrate that it has no reasonably available means to re-identify individuals. This implies the impossibility of cross-referencing (verifying that the remaining variables do not allow for the identification of a unique individual through cross-referencing with third-party databases) and the existence of strict contractual barriers. If the risk of re-identification through correlation persists, the data remains personal.

‍

‍

Regarding the AI Act

‍

‍

The distinction between these techniques is crucial for model training. Using anonymized data according to CJEU criteria helps reduce administrative burdens associated with the learning phases. By legally classifying their training datasets as anonymous through this relative approach, companies reduce their risk exposure when processing sensitive data, provided there is complete technical and legal watertightness.

‍

‍

Conclusion: Which compliance strategy to adopt?

‍

‍

Navigating between pseudonymization and anonymization requires hybrid expertise. While jurisprudential developments open new possibilities, caution remains essential given an evolving legislative framework and increased vigilance from civil society. The Adequacy platform is part of this dynamic, providing the necessary tools to manage these security measures with the rigor required by current law, while preparing infrastructures for tomorrow's standards. The priority remains the implementation of robust technical barriers and flawless documentation of processing procedures.

‍

‍

FAQ - Frequently asked questions about anonymization and pseudonymization

‍

‍

What is the difference between anonymization and pseudonymization under the GDPR?

Pseudonymization replaces a direct identifier with a pseudonym, but the data remains personal because re-identification is still possible. Anonymization, however, must make any re-identification impossible — thereby removing it from the scope of the GDPR.

‍

What is the relative approach to personal data validated by the CJEU in 2025?

According to the judgment of 4 September 2025 (C-413/23 P), data can be considered anonymous for a third-party recipient if that recipient has no legal or realistic means of re-identifying the data subjects. The legal nature of the data therefore depends on the context and the recipient.

‍

Does the Digital Omnibus project already change companies' GDPR obligations?

No. The Digital Omnibus is still a draft. Organizations must continue to comply with the regulatory framework currently in force. Anticipating simplifications that have not yet been adopted exposes them to sanctions from national supervisory authorities.

‍

Can pseudonymized data be used to train an AI model?

Pseudonymized data remains personal data within the meaning of the GDPR and the AI Act. Only truly anonymized data — according to current technical and legal criteria — can reduce regulatory constraints during training phases, provided there is complete isolation.

‍

What are the three technical tests required to validate anonymization?

To be legally valid, anonymization must withstand three tests: individualization (impossible to isolate an individual), correlation (impossible to link records), and inference (impossible to deduce information about an individual).