European court ruling on pseudonymized data disclosure set for September 4

The European Court of Justice will deliver its judgment on September 4, 2025, in the case between the European Data Protection Supervisor (EDPS) and the Single Resolution Board (SRB), addressing a fundamental question about pseudonymized personal data that could reshape how digital marketing companies handle user information.

The case, designated C-413/23 P, centers on a groundbreaking legal principle: "pseudonymized data can fall outside the concept of 'personal data' for a recipient of the data when it is virtually impossible for the recipient to identify any data subjects from the data – even if it would be possible for the sender of the information."

This distinction between sender and recipient capabilities represents a significant departure from current data protection interpretations and could fundamentally alter disclosure obligations across the digital advertising ecosystem.

Background of the dispute

The legal battle originated from the 2017 resolution of Banco Popular Español, when the SRB collected personal data from affected shareholders and creditors during a consultation process. The board subsequently transferred pseudonymized comments to Deloitte, an independent valuation firm, without initially disclosing this recipient in its privacy statement.

The EDPS found that the SRB violated Article 15(1)(d) of Regulation 2018/1725 by failing to inform complainants that their data would be shared with Deloitte. However, the General Court later annulled this decision on April 26, 2023, ruling that the EDPS had not adequately examined whether the transferred data constituted personal data from Deloitte's perspective.

According to the Advocate General's opinion delivered on February 6, 2025, this recipient-centric approach could fundamentally change how companies assess their disclosure obligations. The opinion suggests that when recipients lack practical means to identify individuals, the data may fall outside personal data protections entirely.

Technical framework for identification impossibility

The dispute highlights specific technical measures that rendered identification "virtually impossible" for the recipient. The SRB implemented comprehensive data processing protocols: comments were "filtered, categorised and aggregated" before transfer to Deloitte. Individual comments could not be distinguished within single themes after this aggregation process.

Each comment received a 33-digit globally unique identifier that only the SRB could use to link responses back to individual participants. Deloitte received only the processed comments with alphanumeric codes but had no access to the SRB's database containing actual identity information.

The Advocate General's opinion emphasizes this technical separation: "only the SRB could link the comments to the data received in the registration phase. Deloitte had, and still has, no access to the database of data collected during the registration phase."

This creates a new framework for assessing data protection obligations based on actual technical capabilities rather than theoretical possibilities. When recipients cannot reasonably identify individuals through available means, the data may escape personal data classifications entirely.

Shifting from theoretical to practical identification risks

Current GDPR interpretations typically focus on whether identification remains theoretically possible through any means. The Advocate General's opinion suggests a more nuanced approach that considers practical accessibility of identification methods.

The opinion states that "to determine whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing."

This shift toward practical assessment could significantly impact how programmatic advertising platforms evaluate their data processing obligations. When downstream recipients lack realistic identification capabilities, data transfers might require less stringent disclosure protocols.

The technical measures implemented by the SRB demonstrate how robust pseudonymization can create genuine identification barriers. The aggregation process prevented distinguishing individual opinions within thematic categories, while access restrictions ensured only the original controller maintained linking capabilities.

Implications for digital marketing data flows

The judgment could dramatically reshape data sharing practices in digital advertising, where pseudonymized user identifiers regularly flow between demand-side platforms, supply-side platforms, and data management platforms. Current industry practices often assume all pseudonymized data requires comprehensive disclosure regardless of recipient capabilities.

However, if the court adopts the Advocate General's reasoning, companies might need to assess disclosure obligations based on each recipient's actual identification capabilities rather than applying uniform requirements across all data transfers.

For programmatic advertising, this could mean different disclosure obligations for different participants in the bidding process. When ad exchanges receive pseudonymized bid requests, they might not require the same disclosure level as data management platforms that aggregate cross-site behavior patterns.

The decision particularly affects attribution modeling and cross-platform measurement, where pseudonymized identifiers enable campaign tracking. Marketing teams operating privacy-compliant measurement systems might benefit from reduced disclosure requirements when downstream processors cannot realistically identify users.

Controller versus recipient obligations

The Advocate General's opinion establishes a crucial distinction between data controller obligations and recipient capabilities. While the original controller (SRB) possessed identification keys, the recipient (Deloitte) faced "virtually impossible" identification barriers.

The opinion suggests that "the obligation to provide information is part of the legal relationship between the data subjects, in this case the complainants, on the one hand, and the SRB as controller, on the other, and not part of the relationship between the SRB and the recipient."

This controller-centric approach means organizations would need to inform users about data transfers based on the original controller's perspective, but the classification of data as "personal" for recipients depends on their actual identification capabilities.

For marketing technology platforms, this creates a complex assessment framework. Data controllers must still provide comprehensive disclosure about potential recipients, but those recipients might process the same data under different legal frameworks depending on their technical capabilities.

The distinction becomes particularly relevant for transparency frameworks that currently treat all pseudonymized data uniformly. When recipients cannot reasonably identify users, they might operate under reduced compliance obligations while original controllers maintain full disclosure requirements.

Cross-border and international implications

The recipient-centric approach could influence how international marketing campaigns handle data transfers, particularly between EU entities and third-country processors. When overseas processors lack practical means to identify EU data subjects, transfers might face reduced regulatory scrutiny.

However, this creates complexity for global advertising operations where the same pseudonymized data might be considered personal data in some jurisdictions but not others, depending on local identification capabilities.

The Advocate General noted that identification must be "prohibited by law or practically impossible, for instance on account of the fact that it requires a disproportionate effort in terms of time, cost and manpower." This standard could vary significantly across jurisdictions with different technical infrastructures.

Companies operating international campaigns might need to assess each recipient's identification capabilities within their specific technical and legal environment, creating jurisdiction-specific compliance frameworks for the same data sets.

Technical safeguards and compliance architecture

The case emphasizes that technical measures alone don't eliminate disclosure obligations for data controllers, but they can fundamentally alter recipient obligations. The SRB's implementation of filtering, categorization, and aggregation created genuine identification barriers without eliminating controller transparency requirements.

The opinion suggests that controllers investing in advanced pseudonymization techniques could benefit their data recipients by reducing their compliance burdens, even while maintaining full disclosure obligations themselves.

This creates incentives for developing privacy-enhancing technologies that create genuine identification barriers for downstream processors. However, controllers must still inform data subjects about potential recipients regardless of those recipients' identification capabilities.

For marketing technology vendors, this framework encourages development of data processing architectures that genuinely prevent identification rather than merely obscuring it. When processors can demonstrate "virtually impossible" identification barriers, they might operate under reduced data protection obligations.

Industry transformation potential

The ruling could fundamentally alter competitive dynamics in digital advertising technology. Platforms capable of processing pseudonymized data without identification capabilities might gain significant operational advantages over those that maintain linking capabilities.

This could accelerate adoption of privacy-preserving advertising technologies that process user data without ever enabling identification. When advertising technology platforms can demonstrate genuine identification impossibility, they might attract more business partners seeking reduced compliance overhead.

However, the decision might also create market fragmentation where different participants operate under different legal frameworks depending on their technical architectures. This could complicate standardization efforts and create interoperability challenges across the advertising ecosystem.

The timing coincides with industry efforts to develop privacy-preserving alternatives to traditional tracking methods. Companies developing these solutions will closely monitor how the court balances privacy protection with practical implementation considerations.

Timeline

• June 7, 2017: SRB adopts resolution scheme for Banco Popular Español
• June 14, 2018: Deloitte submits valuation report including pseudonymized comment analysis
• 2019: Privacy complaints demonstrate increasing regulatory focus on data transparency
• 2020: Five complaints submitted to EDPS regarding undisclosed data transfer
• June 24, 2020: EDPS issues initial decision finding disclosure violations
• November 24, 2020: EDPS issues revised decision after SRB review request
• September 1, 2020: SRB files appeal with General Court
• April 26, 2023: General Court annulls EDPS decision, focusing on recipient perspective
• July 5, 2023: EDPS appeals to Court of Justice
• February 6, 2025: Advocate General delivers opinion supporting recipient-centric approach
• September 4, 2025: Court of Justice scheduled to deliver final judgment

Key terminology explained

Pseudonymization: The processing of personal data in a manner that renders individual identification impossible without additional information kept separately. Under EU Regulation 2018/1725, pseudonymization involves technical and organizational measures ensuring personal data cannot be attributed to specific individuals without access to supplementary identification keys. The Advocate General's opinion emphasizes that effective pseudonymization can create genuine identification barriers for data recipients, potentially removing such data from personal data classifications when recipients lack access to linking information.

Personal data: Information relating to identified or identifiable natural persons, as defined under Article 3(1) of Regulation 2018/1725. The case challenges traditional interpretations by suggesting that data classification depends on recipient capabilities rather than theoretical identification possibilities. When recipients cannot reasonably identify data subjects through available means, the same information might not constitute personal data for those specific recipients, even while remaining personal data for controllers who possess identification capabilities.

Data controller: The entity determining purposes and means of personal data processing, bearing primary responsibility for compliance with data protection obligations. In this case, the Single Resolution Board functioned as controller when collecting shareholder and creditor information, maintaining full disclosure obligations regardless of recipient identification capabilities. Controllers must inform data subjects about potential recipients and processing purposes, even when technical measures prevent those recipients from identifying individuals.

Identification capabilities: The practical technical and legal means available to specific entities for linking pseudonymized data to individual identities. The Advocate General's opinion introduces a recipient-specific assessment framework, considering factors such as access to additional information, technical infrastructure, legal restrictions, and proportionality of identification efforts. This marks a shift from theoretical possibility toward practical feasibility in determining data protection obligations.

Disclosure obligations: Legal requirements for data controllers to inform subjects about data processing activities, including potential recipients of personal information. Article 15(1)(d) of Regulation 2018/1725 mandates that controllers provide comprehensive information about data sharing arrangements. The case clarifies that these obligations remain with controllers regardless of whether recipients can identify data subjects, prioritizing transparency at the point of initial data collection.

Recipient perspective: The analytical framework focusing on downstream processors' actual capabilities rather than original controllers' identification possibilities. The General Court emphasized this approach, examining whether Deloitte could identify complainants rather than whether the Single Resolution Board maintained such capabilities. This recipient-centric analysis could fundamentally alter how companies assess data protection obligations across complex processing chains.

Digital marketing: The broader industry context where pseudonymized user data flows between multiple platforms for advertising delivery, measurement, and optimization. The case's implications extend throughout programmatic advertising ecosystems, where demand-side platforms, supply-side platforms, and data management platforms process pseudonymized identifiers with varying identification capabilities. Marketing technology vendors may need to reassess their data classification and compliance frameworks based on actual technical architectures.

Technical measures: The specific technological implementations designed to prevent or complicate identification of data subjects. In this case, the Single Resolution Board employed filtering, categorization, and aggregation processes that prevented distinguishing individual comments within thematic groups. These measures created genuine identification barriers for recipients while maintaining controller access through separately stored linking keys, demonstrating how technical architecture can influence legal classifications.

Data protection regulation: The comprehensive legal framework governing personal data processing within European Union institutions, bodies, offices, and agencies. Regulation 2018/1725 establishes principles for lawful, fair, and transparent data processing while defining concepts like pseudonymization and personal data. The case tests how these regulatory definitions apply when technical measures create asymmetric identification capabilities between controllers and recipients.

Compliance obligations: The specific legal requirements entities must meet when processing personal data, varying based on their role and capabilities within data processing chains. The case suggests that effective pseudonymization might reduce compliance burdens for recipients who cannot identify data subjects, while controllers maintain full transparency and accountability requirements. This creates potential for differentiated compliance frameworks based on actual technical capabilities rather than uniform obligations across all processors.

Summary

Who: The European Data Protection Supervisor appealed a General Court decision in a case against the Single Resolution Board, with the Advocate General supporting the EDPS position that disclosure obligations depend on controller perspective rather than recipient capabilities.

What: The case addresses whether organizations must inform users about sharing pseudonymized data when recipients cannot practically identify individuals, with the Advocate General opining that data can fall outside personal data protections when identification is "virtually impossible" for recipients.

When: The Court of Justice will deliver its judgment on September 4, 2025, following the Advocate General's opinion delivered on February 6, 2025, in a case originating from 2017 banking resolution procedures.

Where: The dispute involves EU data protection law under Regulation 2018/1725, with implications for digital marketing practices across European Union member states and international data transfers.

Why: The case emerged from complaints that the Single Resolution Board failed to disclose data sharing with Deloitte during Banco Popular's resolution process, raising fundamental questions about disclosure obligations when technical measures prevent recipient identification of data subjects.