IAB Europe, Alliance Digitale, IAB Italia, IAB Polska, IAB Spain, IAB Sweden, SPIR and VIA Nederland have responded to the European Data Protection Board (EDPB) public consultation on their draft Guidelines 1/2025 on Pseudonymisation .
The coalition welcomes the positive recognition of pseudonymisation in the EDPB’s draft guidelines as a privacy-enhancing technology supporting compliance with the GDPR. However, it expresses concerns over the excessively high standard set for data to be considered pseudonymised, which conflates with the conditions of anonymisation. The EDPB’s overly restrictive approach contradicts the relevant provisions of the GDPR requirements and CJEU case law, making it difficult for companies to implement pseudonymisation effectively. The unintended consequence of this restrictive stance is the discouragement of investments by companies in pseudonymisation techniques, which could significantly hinder innovation, particularly in privacy-preserving practices and AI development.
The issuance of the Guidelines while the EDPS v. Single Resolution Board (SRB) case is still pending is also a major concern. The case directly pertains to the legal interpretation of the concept of personal data and pseudonymisation, particularly whether data should be considered personal from the recipient’s perspective. To prevent unnecessary legal ambiguity, the undersigned associations argue that the EDPB should withdraw the Guidelines or, at the very least, delay finalising them until the CJEU delivers its ruling. Any revised version should align with the Court’s decision and clearly differentiates pseudonymisation from anonymisation.
Furthermore, the Guidelines disregard the risk-based and proportionality principles established in Article 32 GDPR, by requiring controllers to consider hypothetical re-identification methods that may not be realistically feasible, such as the means available to cybercriminals or foreign authorities.
The undersigned associations recommend the EDPB to avoid imposing additional requirements beyond those prescribed in the GDPR that will create unnecessary compliance burdens for controllers. Instead, the Guidelines should foster innovation and provide clear and practical guidance on pseudonymisation techniques to enhance legal certainty and provide stronger incentives for their adoptions.
The response to the consultation can be found below:
For more information, please contact Gosia Kowalska, Privacy & Compliance Manager, IAB Europe - kowalska@iabeurope.eu and Ninon Vagner, Privacy Director, IAB Europe - vagner@iabeurope.eu.
