Between Nuance and Caution: How to Read the CJEU in EDPS v SRB

Research output: Contribution to journal, Comment/debate

Abstract

The author analyses the recent ruling of the CJEU in the case EDPS v SRB. She highlights the broader implications for data protection practice, advocating for a principle-based approach to anonymisation while warning against two key pitfalls:
• First, formulating a test that disregards established de-identification techniques and statistical disclosure control methods. Although the ‘means’ test for identifiability is grounded in a standard of reasonableness, it is important not to undermine the framework by reducing it to a casuistry based merely on subjective judgment calls.
• Second, adopting a formalistic definition of personal data that downplays the impact of singling out in potentially harmful contexts, such as profiling or taking action in relation to individuals. Identifiability rests on two factors: whether individuals can be distinguished from one another (distinguishability), and whether additional identifying information is accessible that could then be associated with person-level data and reveal their identity (accessibility). Because assessing accessibility often relies on threat modelling assumptions, given the difficulty of precisely mapping the information a situationally relevant attacker might possess, it is more appropriate to focus on distinguishability only when the potential for harm to data subjects is significant.
The author also shows how to reconcile the EDPB guidelines on pseudonymisation with the CJEU ruling.
Original language: English
Pages (from-to): 6-10
Number of pages: 5
Journal: Privacy and Data Protection
Volume: 26
Issue number: 1
Publication status: Published - Oct 2025
