
EU data protection watchdog’s guidelines on anonymization due by summer

By Matthew Newman

April 2, 2026, 13:39 GMT | Insight
An umbrella group of EU data protection authorities will release guidelines on anonymization — a key concept on how the bloc’s data protection rules are applied to personal data — by the summer, the group’s chair said in an exclusive interview this week with MLex at the world’s largest gathering of privacy professionals. The guidelines are needed to reduce legal uncertainty and provide practical, harmonized guidance on how a person can be identified.

The European Data Protection Board — the umbrella group of the 27 EU data protection authorities — issued draft guidelines in January 2025 on pseudonymized data — personal data that has been processed so that it can no longer be linked to a specific person without additional information. The EDPB then decided to issue separate guidelines on anonymization.

The EDPB held a workshop on the concept of anonymization and pseudonymization in December, following the EU Court of Justice SRB ruling on Sept. 4 that pseudonymized data wasn’t always personal data “in all cases and for every person” under EU data protection rules.*

Anu Talus, the EDPB chair, said in an interview that the guidelines on anonymization will be issued by the summer, though she didn’t provide a precise date. She was speaking on the sidelines of the world’s largest gathering of privacy professionals in Washington, DC.**

Even though the EU’s General Data Protection Regulation took effect in 2018, companies are seeking guidance on the definition of personal data following a series of decisions from the EU’s highest court.

A key issue to be addressed in the guidelines is how individuals can be identified if their personal data has been pseudonymized, which is personal data that has been processed so it can no longer be attributed to a specific individual without the use of additional information kept separately, Talus said.

If recent case law is applied, identifiability is assessed on a case-by-case basis, depending on “all the means reasonably likely to be used” to identify a person.

Talus said the guidelines are important because the SRB case is “amending the current approach to pseudonymization.” She explained that the former approach was “absolute” to the definition of personal data, and it’s now “more relative,” and “this has a really wide impact.”

The “relative” approach seen in the SRB case creates uncertainty because the same dataset may be anonymous in one context but identifiable in another. There’s also no single technical threshold that automatically guarantees anonymization.

This is because the interpretation of “identifiable” persons directly determines whether data falls within or outside the GDPR.

Guidelines on anonymization are needed to reduce legal uncertainty and provide practical, harmonized guidance on how a person can be identified, given technological developments, including AI. The GDPR’s obligations only apply to personal data of people who can be identified.

The guidelines will follow the European Commission’s Digital Omnibus proposal, presented last November, which introduces a “relative” approach to the definition of personal data, potentially narrowing the GDPR’s scope.

The commission has argued that the proposed definition codifies recent EU court case law. Business groups have welcomed the draft text, saying the move would make it easier for them to ensure that data remains anonymous.

The EDPB and the European Data Protection Supervisor, the privacy watchdog for the EU institutions, strongly urged EU member states in an opinion not to adopt the commission’s approach. The opinion said the change would “narrow the concept of personal data and would adversely affect the fundamental right to data protection.”

Cyprus, which is leading talks among national governments on the digital simplification package, has proposed removing the commission’s proposal to amend the definition of personal data in Article 4(1) of the GDPR.

Talus said removing the amended definition is a “smart approach.”

Changing the definition “would create legal uncertainty, and nobody wants legal uncertainty. So I think it's a very good direction,” she said.

Businesses have argued that if there’s limited or no risk of re-identification, then there should be less stringent GDPR obligations. Business groups want a risk-based approach that would ease data transfers involving people who are only indirectly referenced.

But Talus argues that what’s at stake is the fundamental right to data protection and people’s control over their personal data.

“What is really relevant in this context is that real people’s dignity and autonomy are protected even when we process pseudonymized data,” she said.

* Case C-413/23 P — EDPS v SRB.
** IAPP Global Summit 2026: Privacy-AI Governance, Washington, DC, March 30-April 2, 2026.
