A new ruling from the Court of Justice of the European Union (CJEU) could become influential in defining the boundaries of what is classified as personal data. At SND’s legal network meeting on 19–20 November 2025, participants discussed whether the judgment signals a possible shift away from a strict interpretation of the concept of personal data towards a more nuanced and context-dependent assessment – something that could ultimately have implications for research.
Is context more important than the code key?
In the case C-413/23 P, the CJEU opens up for an approach where the classification of data as personal data must be assessed in its context. This would mean that it is not sufficient to consider whether a code key exists somewhere. Instead, the Court emphasizes how realistic the possibilities of identification are for the specific actor processing the data, using additional information.
The Court thus underlines that pseudonymized data may constitute personal data for an actor who has access to the code key, while at the same time being considered anonymous data for someone who lacks the practical and legal means to re-identify individuals in the data. Practical and legal means include all means reasonably available, such as technical, legal and organizational tools, or other additional information at the actor’s disposal. This potentially implies that a more nuanced, case-by-case, contextual assessment is required when determining whether data should be considered personal data.
A growing debate
The CJEU judgment has contributed to the debate about personal data and how to assess the risk of identifiability in data. Some argue that it could open the door for certain pseudonymized materials to be regarded as anonymous in the future, at least for recipients who lack realistic ways to re-identifying research participants in data. Others take a more restrictive view, arguing that the Court is instead clarifying how strict the assessment must be.
How the ruling should be interpreted in practice remains unclear, and not all issues have been resolved, as one question has been referred back to the court that issued the original decision. The Swedish Authority for Privacy Protection (IMY) has so far refrained from commenting on the judgment and is awaiting guidance from the European Data Protection Board (EDPB), which as recently as December 2025 organized a stakeholder meeting on the case (see discussion points from the meeting). The EDPB meeting has not yet resulted in any clear position. Pending further guidance, the legal situation therefore remains somewhat uncertain, which means that existing routines for handling personal data should not be changed at this stage.