For more than a decade, debates around anonymisation have been marked by a persistent tension. European regulators have for long taken a cautious stance, stressing that pseudonymised data remain personal data because re-identification is always theoretically possible. Practitioners, by contrast, have long pushed back against this position, arguing that such a strict reading bears little resemblance to the way contemporary data systems actually operate and risks rendering anonymisation practically unusable.

The Court of Justice of the European Union’s judgment in European Data Protection Supervisor (EDPS) v Single Resolution Board (SRB) (Case C-413/23 P) appears to tip the balance towards the latter view. In that decision, the Court framed identifiability as a contextual risk that must be assessed from the perspective of the recipient. In doing so, the judgment appears to carve out space for a more operational understanding of anonymisation within real-world data ecosystems. Yet the procedural trajectory of the case lends the judgment an unusual quality. After the Court of Justice set out its interpretation and remanded the case for reconsideration, the proceedings before the General Court were ultimately withdrawn at the request of the parties.

This piece does not set out to rehearse the doctrinal implications of EDPS v SRB, a task already handled with notable clarity by Professor Sophie Stalla-Bourdillon in a recent analysis. Instead, it steps back to ask a different question: what does the ruling actually mean for the governance of anonymisation and data sharing in practice? In this respect, the ruling marks less the end of a debate than the opening of a new phase.

What the judgment leaves unresolved

The most consequential aspect of the ruling may lie not in what the Court said but in what it left unsaid. Once the Court shifted the analytical focus towards the recipient’s capacity to re-identify individuals, a series of practical questions immediately came to the fore. First, responsibility for verifying anonymisation remains strikingly open-ended. The Court made clear that controllers must assess the likelihood of re-identification from the perspective of the recipient, yet it stopped short of spelling out how far such an assessment must reach in practice. In complex data environments, where datasets circulate through webs of processors, contractors, and research partners, ensuring that anonymisation continues to hold up across multiple actors is far from straightforward. As participants in the European Data Protection Board’ (EDPB)s recent stakeholder event pointed out, placing the burden squarely on the sending controller seems disproportionate in practice as they are unlikely ever to gain a complete picture of the technical safeguards, anonymisation techniques, or security postures maintained by downstream recipients, particularly where onward transfers, intra-group sharing, or further processing by third parties come into play.

Second, the case itself turned on a relatively specific configuration – a processor acting on behalf of the controller – making it risky to generalise its findings across the far more varied data-sharing arrangements encountered in practice. Contemporary data sharing arrangements, however, frequently stretch far beyond such relatively contained relationships. Data may circulate among joint controllers, independent controllers, specialised research infrastructures, or intermediaries. Some commentators have thus cautioned against reading the decision too broadly, suggesting that the circumstances in which pseudonymised data genuinely fall outside the scope of personal data may remain comparatively rare.

Perhaps the Achilles’ heel of anonymisation now lies in the treatment of singling out – the ability to isolate an individual record within a dataset even when the person’s identity remains unknown. EU data protection law has long treated it as a key indicator of identifiability, reflected in Recital 26 GDPR as well as the earlier Article 29 Working Party guidance. Yet this creates a tension in contexts such as behavioural targeting or profiling, where individuals may be singled out without being identified by name. The central question is therefore whether the mere existence of a unique record should defeat anonymisation. Proponents of a contextual approach argue that singling out alone is insufficient; what matters is whether re-identification is realistically possible given available data, technical capabilities, and the effort required.

This view sits uneasily with a significant strand of data protection scholarship, which maintains that nameless profiles used for behavioural targeting should still fall within the scope of the GDPR. From this perspective, “pseudonymous” singling out is not genuinely anonymous as treating pseudonymised identifiers as falling outside the GDPR would risk turning pseudonymisation into a convenient escape hatch, particularly in the AdTech ecosystem. Some scholars go further, proposing that targeting itself – where an individual is selected from a group as the object of attention or treatment – should be understood as a form of identification alongside singling out.

These uncertainties become even more pronounced when anonymised data sharing is examined in concrete operational contexts. Participants in the EDPB’s consultations have raised questions ranging from how organisations should respond to breaches involving allegedly anonymised data at downstream recipients, to whether international data transfers should affect the assessment of identifiability, and how particularly sensitive datasets such as genetic information ought to be handled. Each of these scenarios exposes the challenges of carrying the Court’s reasoning forward into practice.

From doctrine to operational governance

What is more likely to emerge in the wake of EDPS v SRB is the gradual stabilisation of anonymisation methodologies revolving around a set of operational foundations e.g., structured threat modelling, impact assessments (potentially folded into data protection impact assessments), and robust audit frameworks. New forms of technical verification, independent re-identification testing, and specialised intermediary services might grow up around these practices as markets experiment with ways of building trust in anonymised data sharing.

At the same time, it remains worth observing how the emerging European approach may diverge from – or eventually converge with – established anonymisation frameworks already taking shape in jurisdictions such as the United Kingdom, United States, Canada, Singapore and China. Yet the discussions emerging from the recent multi stakeholder processes, which continue to diverge on several fundamental questions, suggest that consensus remains some distance away.

By directing attention to the realistic capabilities of data recipients, the CJEU has certainly nudged us towards a more operational understanding of anonymisation. Yet, the question is whether the door has opened widely enough to flesh out workable methodologies capable of translating the Court’s contextual reasoning into concrete compliance practices. It suffices to point out, however, that significant gaps remain, including how to define situationally relevant actors in re-identification risk assessments, how responsibilities should be distributed across complex chains of controllers and processors, and how transparency, verification, and auditing can realistically be maintained within multi-actor data ecosystems. These challenges are compounded by the technical opacity of many anonymisation techniques and the evolving security environments in which they are deployed. Given the dynamics of European data protection governance – where regulatory guidance has historically prioritised a high level of protection – it remains uncertain whether incremental clarification will suffice and operationalising the Court’s reasoning may ultimately require a more decisive regulatory turn, moving beyond cautious interpretation towards a clearer and more prescriptive framework for anonymised data sharing. Yet even after these challenges begin to be addressed through regulatory guidance and practical experimentation, a further judicial intervention – most likely in the form of a new dispute over anonymised data sharing – may still be required before the contours of what genuinely counts as GDPR-compliant anonymised data sharing begin to settle.