SRB GDPR case on pseudonymised data ends without court ruling

A high-profile case concerning the interpretation of pseudonymised data under the EU General Data Protection Regulation (GDPR) has ended without a ruling. The dispute involved the Single Resolution Board and the European Data Protection Supervisor and was seen as potentially significant for how EU law treats data that cannot be directly linked to individuals without additional information.

At the core of the case was the question of whether pseudonymised opinions should still be considered personal data under the GDPR. The judges were also asked to examine how realistic the risk of reidentification must be, and what notification obligations apply when such data is processed or shared.

After initial proceedings, the matter reached the Court of Justice of the European Union, which provided interpretative guidance on key GDPR concepts related to identifiability and data protection responsibilities. Following this intervention, the case was sent back to the General Court for further handling.

Subsequently, both the Single Resolution Board and the European Data Protection Supervisor decided to withdraw the case. As a result, the proceedings ended without a final judgment that would have formally clarified the status of pseudonymised data under EU law.

Legal experts note that, despite the absence of a definitive ruling, the guidance issued by the Court of Justice of the European Union continues to influence enforcement practice. Data protection authorities across the EU are expected to take these principles into account when updating or applying guidance on pseudonymisation and personal data processing.

The withdrawal leaves some legal uncertainty in place, but reinforces the role of existing CJEU case law in shaping how regulators assess identifiability, reidentification risks, and compliance duties under the GDPR.