Privacy

The EU Court broadens the definition of anonymous data

The effectiveness of 'pseudonymisation' has to be assessed on a case-by-case basis. The data remains anonymous if the recipient has no means of identifying the data subject

by Giusella Finocchiaro

3' min read


With its decision of 4 September 2025, the Court of Justice of the European Union defines anonymous data.

From a legal point of view, although the definition is not in the text of the GDPR but only in recital 26, it is still assumed, as already stated in the parent directive, that data are anonymous if the information they contain cannot be referred to an identified or identifiable individual. The crucial question is what is meant by the non-referability of the information. Can the data not be traced back to a subject from an IT point of view because, for example, cryptographic systems are used that do not allow the anonymised subject to be re-identified? Or from a legal point of view because, for instance, there are contractual constraints, or because different subjects hold the necessary information and cannot exchange it? Also, does anonymous data have to be anonymous for everyone, or can it be anonymous for some, who do not have the information needed to re-identify the data subject, and not for others?


In a nutshell: is the data anonymous only if it can be said to be absolutely anonymous, or should the anonymity of the data be assessed on a case-by-case basis, depending on the specific context?

Connectability


The key is the linkability between the information and a subject, even if the subject is not identified by name. The linkability depends on many factors: the subject making the link, the context in which it operates and the domain of knowledge it has at its disposal.

These different interpretations of anonymous data have been debated for years in case law, by data protection authorities, and in legal scholarship. On the other hand, to say that data must be absolutely anonymous, in the digital world, is like saying that anonymous data does not exist.

Now the Luxembourg Court has ruled that pseudonymised data, depending on circumstances to be assessed on a case-by-case basis, may indeed constitute anonymous data for the recipient of that data, if the recipient does not have reasonable means (in terms of cost, time and resources) to identify the data subject, i.e. the person to whom the data refers.

On this point of the contested judgment, the Court followed the approach taken by the General Court of the European Union in 2023 and rejected the argument of the European Privacy Guarantor according to which 'pseudonymised data constitute personal data in any event by reason only of the existence of information enabling the data subject to be identified'.

Case by case

Therefore, it must be assessed on a case-by-case basis whether the entity processing the data can re-identify the data subject, taking into account costs, time, necessary resources, and legal and technological constraints. The assessment is to be made in the light of the reasonableness criterion: as the Court states, 'no reasonable use may be made of a means of identifying the data subject when the identification of that person is prohibited by law or practically impracticable, for example on account of the fact that it would involve a disproportionate expenditure of time, cost and labour'.

The Court speaks of 'impersonal' data, affirms a 'not unlimited' notion of personal data and adopts a relative concept of personal data, one that must be assessed according to the circumstances of the data processing in each particular case.

The impact of this ruling is undeniable. It is an interpretation more suited to the times and the digital world we live in, which will allow (just think of scientific research in the health sector) a more fluid circulation of data, while guaranteeing its security.
