Download This PaperIdentifiability, as a Data Risk: Is a Uniform Approach to Anonymisation About to Emerge in the EU?
Forthcoming in European Journal of Risk Regulation 2025
31 Pages Posted: 24 Feb 2025 Last revised: 13 Mar 2025
Date Written: January 30, 2025
Abstract
The concept of identifiability remains a foundational yet contentious criterion in European Union (EU) data protection law. Similarly, anonymisation has sparked intense debate.
This paper examines recent developments that have shaped the EU’s approaches to identifiability and anonymisation, including trends in the Court of Justice of the European Union (CJEU) case law, national supervisory authority (SA) assessments of anonymisation processes, and the recent European Data Protection Board (EDPB) Opinion 28/2024 addressing the anonymity of artificial intelligence models and EDPB Guidelines 01/2025 on pseudonymisation.
The paper explores how the balance between over-inclusiveness and under-inclusiveness is being calibrated, suggesting the emergence of a functional definition of personal data in CJEU case law. It underscores the importance of the burden of proof in evaluating anonymisation processes, as confirmed by national SA assessments. Finally, it highlights how to ensure consistency between the GDPR and data sharing mandates stemming from the new generation of EU data regulations.
Keywords: Identifiability, Anonymisation, Data Sharing, GDPR, Data Act, EHDS
Suggested Citation: Suggested Citation
