European court ruling on pseudonymized data disclosure set for September 4

The European Court docket of Justice will ship its judgment on September 4, 2025, within the case between the European Knowledge Safety Supervisor (EDPS) and the Single Decision Board (SRB), addressing a basic query about pseudonymized private information that might reshape how digital advertising corporations deal with consumer info.

The case, designated C-413/23 P, facilities on a groundbreaking authorized precept: “pseudonymized information can fall exterior the idea of ‘private information’ for a recipient of the information when it’s nearly not possible for the recipient to determine any information topics from the information – even when it could be attainable for the sender of the knowledge.”

This distinction between sender and recipient capabilities represents a major departure from present information safety interpretations and will basically alter disclosure obligations throughout the digital promoting ecosystem.

Background of the dispute

The authorized battle originated from the 2017 decision of Banco Fashionable Español, when the SRB collected private information from affected shareholders and collectors throughout a session course of. The board subsequently transferred pseudonymized feedback to Deloitte, an unbiased valuation agency, with out initially disclosing this recipient in its privateness assertion.

The EDPS discovered that the SRB violated Article 15(1)(d) of Regulation 2018/1725 by failing to tell complainants that their information can be shared with Deloitte. Nevertheless, the Basic Court docket later annulled this choice on April 26, 2023, ruling that the EDPS had not adequately examined whether or not the transferred information constituted private information from Deloitte’s perspective.

Based on the Advocate Basic’s opinion delivered on February 6, 2025, this recipient-centric strategy might basically change how corporations assess their disclosure obligations. The opinion means that when recipients lack sensible means to determine people, the information could fall exterior private information protections fully.

Technical framework for identification impossibility

The dispute highlights particular technical measures that rendered identification “nearly not possible” for the recipient. The SRB applied complete information processing protocols: feedback have been “filtered, categorised and aggregated” earlier than switch to Deloitte. Particular person feedback couldn’t be distinguished inside single themes after this aggregation course of.

Every remark obtained a 33-digit globally distinctive identifier that solely the SRB might use to hyperlink responses again to particular person individuals. Deloitte obtained solely the processed feedback with alphanumeric codes however had no entry to the SRB’s database containing precise identification info.

The Advocate Basic’s opinion emphasizes this technical separation: “solely the SRB might hyperlink the feedback to the information obtained within the registration part. Deloitte had, and nonetheless has, no entry to the database of knowledge collected through the registration part.”

This creates a brand new framework for assessing information safety obligations primarily based on precise technical capabilities slightly than theoretical prospects. When recipients can not moderately determine people by way of accessible means, the information could escape private information classifications fully.

Shifting from theoretical to sensible identification dangers

Present GDPR interpretations sometimes deal with whether or not identification stays theoretically attainable by way of any means. The Advocate Basic’s opinion suggests a extra nuanced strategy that considers sensible accessibility of identification strategies.

The opinion states that “to find out whether or not means are moderately seemingly for use to determine the pure individual, account must be taken of all goal elements, reminiscent of the prices of and the period of time required for identification, making an allowance for the accessible expertise on the time of the processing.”

This shift towards sensible evaluation might considerably affect how programmatic advertising platforms consider their information processing obligations. When downstream recipients lack lifelike identification capabilities, information transfers may require much less stringent disclosure protocols.

The technical measures applied by the SRB reveal how strong pseudonymization can create real identification obstacles. The aggregation course of prevented distinguishing particular person opinions inside thematic classes, whereas entry restrictions ensured solely the unique controller maintained linking capabilities.

Implications for digital advertising information flows

The judgment might dramatically reshape information sharing practices in digital promoting, the place pseudonymized consumer identifiers recurrently stream between demand-side platforms, supply-side platforms, and information administration platforms. Present trade practices typically assume all pseudonymized information requires complete disclosure no matter recipient capabilities.

Nevertheless, if the courtroom adopts the Advocate Basic’s reasoning, corporations may have to assess disclosure obligations primarily based on every recipient’s precise identification capabilities slightly than making use of uniform necessities throughout all information transfers.

For programmatic promoting, this might imply completely different disclosure obligations for various individuals within the bidding course of. When advert exchanges obtain pseudonymized bid requests, they may not require the identical disclosure stage as information administration platforms that combination cross-site habits patterns.

The choice significantly impacts attribution modeling and cross-platform measurement, the place pseudonymized identifiers allow marketing campaign monitoring. Advertising and marketing groups working privacy-compliant measurement systems may profit from lowered disclosure necessities when downstream processors can not realistically determine customers.

Controller versus recipient obligations

The Advocate Basic’s opinion establishes a vital distinction between information controller obligations and recipient capabilities. Whereas the unique controller (SRB) possessed identification keys, the recipient (Deloitte) confronted “nearly not possible” identification obstacles.

The opinion means that “the duty to offer info is a part of the authorized relationship between the information topics, on this case the complainants, on the one hand, and the SRB as controller, on the opposite, and never a part of the connection between the SRB and the recipient.”

This controller-centric strategy means organizations would wish to tell customers about information transfers primarily based on the unique controller’s perspective, however the classification of knowledge as “private” for recipients relies on their precise identification capabilities.

For advertising expertise platforms, this creates a posh evaluation framework. Knowledge controllers should nonetheless present complete disclosure about potential recipients, however these recipients may course of the identical information underneath completely different authorized frameworks relying on their technical capabilities.

The excellence turns into significantly related for transparency frameworks that at present deal with all pseudonymized information uniformly. When recipients can not moderately determine customers, they could function underneath lowered compliance obligations whereas unique controllers keep full disclosure necessities.

Cross-border and worldwide implications

The recipient-centric strategy might affect how worldwide advertising campaigns deal with information transfers, significantly between EU entities and third-country processors. When abroad processors lack sensible means to determine EU information topics, transfers may face lowered regulatory scrutiny.

Nevertheless, this creates complexity for global advertising operations the place the identical pseudonymized information could be thought of private information in some jurisdictions however not others, relying on native identification capabilities.

The Advocate Basic famous that identification should be “prohibited by legislation or virtually not possible, for example on account of the truth that it requires a disproportionate effort when it comes to time, value and manpower.” This normal might range considerably throughout jurisdictions with completely different technical infrastructures.

Firms working worldwide campaigns may have to assess every recipient’s identification capabilities inside their particular technical and authorized setting, creating jurisdiction-specific compliance frameworks for a similar information units.

Technical safeguards and compliance structure

The case emphasizes that technical measures alone do not eradicate disclosure obligations for information controllers, however they will basically alter recipient obligations. The SRB’s implementation of filtering, categorization, and aggregation created real identification obstacles with out eliminating controller transparency necessities.

The opinion means that controllers investing in superior pseudonymization strategies may benefit their information recipients by lowering their compliance burdens, even whereas sustaining full disclosure obligations themselves.

This creates incentives for creating privacy-enhancing applied sciences that create real identification obstacles for downstream processors. Nevertheless, controllers should nonetheless inform information topics about potential recipients no matter these recipients’ identification capabilities.

For advertising expertise distributors, this framework encourages growth of knowledge processing architectures that genuinely stop identification slightly than merely obscuring it. When processors can reveal “nearly not possible” identification obstacles, they could function underneath lowered information safety obligations.

Trade transformation potential

The ruling might basically alter aggressive dynamics in digital promoting expertise. Platforms able to processing pseudonymized information with out identification capabilities may acquire vital operational benefits over people who keep linking capabilities.

This might speed up adoption of privacy-preserving promoting applied sciences that course of consumer information with out ever enabling identification. When advertising technology platforms can reveal real identification impossibility, they could entice extra enterprise companions in search of lowered compliance overhead.

Nevertheless, the choice may additionally create market fragmentation the place completely different individuals function underneath completely different authorized frameworks relying on their technical architectures. This might complicate standardization efforts and create interoperability challenges throughout the promoting ecosystem.

The timing coincides with trade efforts to develop privacy-preserving alternate options to conventional monitoring strategies. Firms creating these options will carefully monitor how the courtroom balances privateness safety with sensible implementation concerns.

Timeline

• June 7, 2017: SRB adopts decision scheme for Banco Fashionable Español
• June 14, 2018: Deloitte submits valuation report together with pseudonymized remark evaluation
• 2019: Privacy complaints reveal rising regulatory deal with information transparency
• 2020: 5 complaints submitted to EDPS relating to undisclosed information switch
• June 24, 2020: EDPS points preliminary choice discovering disclosure violations
• November 24, 2020: EDPS points revised choice after SRB evaluate request
• September 1, 2020: SRB information enchantment with Basic Court docket
• April 26, 2023: Basic Court docket annulls EDPS choice, specializing in recipient perspective
• July 5, 2023: EDPS appeals to Court docket of Justice
• February 6, 2025: Advocate Basic delivers opinion supporting recipient-centric strategy
• September 4, 2025: Court docket of Justice scheduled to ship remaining judgment

Key terminology defined

Pseudonymization: The processing of non-public information in a way that renders particular person identification not possible with out extra info saved individually. Beneath EU Regulation 2018/1725, pseudonymization entails technical and organizational measures making certain private information can’t be attributed to particular people with out entry to supplementary identification keys. The Advocate Basic’s opinion emphasizes that efficient pseudonymization can create real identification obstacles for information recipients, doubtlessly eradicating such information from private information classifications when recipients lack entry to linking info.

Private information: Info regarding recognized or identifiable pure individuals, as outlined underneath Article 3(1) of Regulation 2018/1725. The case challenges conventional interpretations by suggesting that information classification relies on recipient capabilities slightly than theoretical identification prospects. When recipients can not moderately determine information topics by way of accessible means, the identical info won’t represent private information for these particular recipients, even whereas remaining private information for controllers who possess identification capabilities.

Knowledge controller: The entity figuring out functions and means of non-public information processing, bearing major duty for compliance with information safety obligations. On this case, the Single Decision Board functioned as controller when gathering shareholder and creditor info, sustaining full disclosure obligations no matter recipient identification capabilities. Controllers should inform information topics about potential recipients and processing functions, even when technical measures stop these recipients from figuring out people.

Identification capabilities: The sensible technical and authorized means accessible to particular entities for linking pseudonymized information to particular person identities. The Advocate Basic’s opinion introduces a recipient-specific evaluation framework, contemplating elements reminiscent of entry to extra info, technical infrastructure, authorized restrictions, and proportionality of identification efforts. This marks a shift from theoretical risk towards sensible feasibility in figuring out information safety obligations.

Disclosure obligations: Authorized necessities for information controllers to tell topics about information processing actions, together with potential recipients of non-public info. Article 15(1)(d) of Regulation 2018/1725 mandates that controllers present complete details about information sharing preparations. The case clarifies that these obligations stay with controllers no matter whether or not recipients can determine information topics, prioritizing transparency on the level of preliminary information assortment.

Recipient perspective: The analytical framework specializing in downstream processors’ precise capabilities slightly than unique controllers’ identification prospects. The Basic Court docket emphasised this strategy, inspecting whether or not Deloitte might determine complainants slightly than whether or not the Single Decision Board maintained such capabilities. This recipient-centric evaluation might basically alter how corporations assess information safety obligations throughout advanced processing chains.

Digital advertising: The broader trade context the place pseudonymized consumer information flows between a number of platforms for promoting supply, measurement, and optimization. The case’s implications lengthen all through programmatic promoting ecosystems, the place demand-side platforms, supply-side platforms, and information administration platforms course of pseudonymized identifiers with various identification capabilities. Advertising and marketing expertise distributors could have to reassess their information classification and compliance frameworks primarily based on precise technical architectures.

Technical measures: The particular technological implementations designed to forestall or complicate identification of knowledge topics. On this case, the Single Decision Board employed filtering, categorization, and aggregation processes that prevented distinguishing particular person feedback inside thematic teams. These measures created real identification obstacles for recipients whereas sustaining controller entry by way of individually saved linking keys, demonstrating how technical structure can affect authorized classifications.

Knowledge safety regulation: The great authorized framework governing private information processing inside European Union establishments, our bodies, workplaces, and companies. Regulation 2018/1725 establishes ideas for lawful, truthful, and clear information processing whereas defining ideas like pseudonymization and private information. The case assessments how these regulatory definitions apply when technical measures create uneven identification capabilities between controllers and recipients.

Compliance obligations: The particular authorized necessities entities should meet when processing private information, various primarily based on their position and capabilities inside information processing chains. The case means that efficient pseudonymization may scale back compliance burdens for recipients who can not determine information topics, whereas controllers keep full transparency and accountability necessities. This creates potential for differentiated compliance frameworks primarily based on precise technical capabilities slightly than uniform obligations throughout all processors.

Abstract

Who: The European Knowledge Safety Supervisor appealed a Basic Court docket choice in a case towards the Single Decision Board, with the Advocate Basic supporting the EDPS place that disclosure obligations rely on controller perspective slightly than recipient capabilities.

What: The case addresses whether or not organizations should inform customers about sharing pseudonymized information when recipients can not virtually determine people, with the Advocate Basic opining that information can fall exterior private information protections when identification is “nearly not possible” for recipients.

When: The Court docket of Justice will ship its judgment on September 4, 2025, following the Advocate Basic’s opinion delivered on February 6, 2025, in a case originating from 2017 banking decision procedures.

The place: The dispute entails EU information safety legislation underneath Regulation 2018/1725, with implications for digital advertising practices throughout European Union member states and worldwide information transfers.

Why: The case emerged from complaints that the Single Decision Board did not disclose information sharing with Deloitte throughout Banco Fashionable’s decision course of, elevating basic questions on disclosure obligations when technical measures stop recipient identification of knowledge topics.