The courts ruled in September 2025 that pseudoanonymized data can still count as personal data, if it is not sufficiently anonymized, under the definition as it existed at the time. Since personal data comes with a whole bunch of requirements under the GDPR that meant that even if data is pseudoanonymized, it might not be sufficient to be free of GDPR restrictions
The revision from November 2025 aimed to say “no actually pseudoanonymized data is not personal data after all” even if it contained identifiable information. I could see that introducing a loophole where companies start claiming that they “sufficiently” pseudoanonymized their data, even though it’s still full of identifiable information.
Scrapping that revision just brings us back to the position we were in back in September, where pseudoanonymized data is not automatically anonymous. If the pseudoanonymized data contains identifiable information it is personal information, and thus comes with the additional requirements of the GDPR. (If I’m understanding this correctly)
Edit: Also worth noting that this follows a recommendation by the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS), that the definition of personal data “should say what personal data is, instead of what it is not”, in order to avoid legal uncertainty resulting from the revision in November.
The courts ruled in September 2025 that pseudoanonymized data can still count as personal data, if it is not sufficiently anonymized, under the definition as it existed at the time. Since personal data comes with a whole bunch of requirements under the GDPR that meant that even if data is pseudoanonymized, it might not be sufficient to be free of GDPR restrictions
The revision from November 2025 aimed to say “no actually pseudoanonymized data is not personal data after all” even if it contained identifiable information. I could see that introducing a loophole where companies start claiming that they “sufficiently” pseudoanonymized their data, even though it’s still full of identifiable information.
Scrapping that revision just brings us back to the position we were in back in September, where pseudoanonymized data is not automatically anonymous. If the pseudoanonymized data contains identifiable information it is personal information, and thus comes with the additional requirements of the GDPR. (If I’m understanding this correctly)
Edit: Also worth noting that this follows a recommendation by the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS), that the definition of personal data “should say what personal data is, instead of what it is not”, in order to avoid legal uncertainty resulting from the revision in November.