Today, June 18th, SAMMAN Law & Corporate Affairs and leading privacy expert Rob van Eijk (Team Blaeu) publish a joint policy report assessing real-world use cases provided by European companies on data pseudonymisation: when does it achieve genuine anonymisation, and when does it not?
After the CJUE SRB case, the answer is crucial. The Digital Omnibus is currently debating harmonised criteria for determining when pseudonymised data ceases to qualify as personal data under GDPR. That debate deserves a pragmatic, evidence-based approach, not risk assessments untethered from technical reality.
This unique report provides such evidence.
It assesses five real-world use cases provided by European companies across sectors, applying a strong evaluation framework derived from the Court of Justice’s SRB ruling.
Three findings stand out:
- The threshold is genuinely high. Of the five cases assessed, one does not reach anonymisation. Strong safeguards alone are not sufficient if the controller retains the re-identification key.
- Anonymisation requires layered protection. No single technique — not hashing, not aggregation, not differential privacy — is sufficient on its own. What works is the combination of technical, organisational, and contractual measures that collectively close every re-identification route for the specific recipient.
- Taken together, the use cases reveal recurring patterns and effective safeguardsthat can form the basis of clear, operational criteria allowing businesses to determine when data is in or out GDPR’ scope.
The report also illustrates the cost of unclarity on GDPR scope. Where re-identification is not a realistic possibility, protection is not necessary; The full weight of GDPR compliance, such as records of processing, risk assessments, endless contractual negotiations, DPIAs or data subject rights management, only serves to add burden without adding any value for individuals or businesses. It also complicates the ability to reuse or share data for legitimate purposes, including AI model training.
We offer these use cases as a concrete starting point for the Commission and Data Protection Authorities to define clear, operational, and verifiable anonymisation criteria.
→ Full report: From Pseudonymised to Anonymous Data – EU Industry Use Cases – Joint Policy Report
