
BioTalk

Powered by Bird & Bird


EDPB Reconsiders Anonymisation and Pseudonymisation After SRB: What Life Sciences Organisations Need to Know


1. Introduction

On 12 December 2025, the European Data Protection Board (EDPB) hosted a focused stakeholder event to gather input for its upcoming guidelines on anonymisation and pseudonymisation in the aftermath of the SRB judgment of the Court of Justice[1].

For organisations in the life sciences sector — from pharma and medtech to digital health, academic research institutions, CROs, and AI developers — the discussion could not be more timely. As data-driven innovation accelerates and secondary use of health and research data expands, the boundary between “personal data” and “anonymous data” increasingly determines what is possible, permissible, and sustainable under the GDPR, and also under other laws such as the upcoming EHDS.

The EDPB’s current position — that data is personal whenever anyone has the means to identify the individual[2] — has long been considered overly rigid by industry. The SRB judgment challenged this absolute approach and confirmed that identifiability depends on the specific circumstances of the case, including the perspective of the relevant actor. The stakeholder event made clear that the EDPB has acknowledged that its prior framework requires reassessment.

The purpose of the event was for the EDPB to assess the implications of the SRB judgment for the guidelines on anonymisation and pseudonymisation and to gather input from selected representatives of different sectors on points of relevance for the new guidelines. Participants were divided into breakout groups to discuss the questions identified in the discussion paper the EDPB had published on its website prior to the event. The discussion paper can be found here.

This article provides a breakdown of the stakeholder discussions, highlights the open questions emerging from SRB, and offers some practical guidance for life sciences organisations preparing for the upcoming guidelines expected in 2026.

2. Determining the Relevant Perspective

In the SRB judgment, the CJEU indicated that the relevant perspective, in essence, depends on the circumstances of each individual case. With its first question, the EDPB therefore aimed to get input on what determines the relevant perspective, and on the use cases where further guidance on the contextual assessment of the relevant perspective(s) could be beneficial.

Participants agreed that guidance on this issue is urgently needed—particularly for controller‑processor relationships, joint controllership scenarios and data-sharing ecosystems involving multiple recipients.

Most stakeholders took the position that the relevant perspective should always be that of the data recipient (recipient-centric approach). If the recipient cannot identify individuals—due to technical, contractual or organisational safeguards—the data should arguably not be considered personal data for that recipient.

Other participants, however, suggested that at least in controller‑processor contexts, the perspective of the controller would remain decisive (controller-centric approach). In this view, processors may still handle personal data even when they themselves lack any means of re‑identification.

It remains to be seen which approach the EDPB will adopt in its upcoming guidance, but it is clear that this discussion is highly relevant for the life sciences sector. Healthcare providers and life sciences companies frequently engage service providers—laboratories, cloud platforms, analytics vendors—who operate on datasets that, in their hands, cannot be linked back to individuals. Adopting a recipient‑centric approach would significantly reduce compliance burdens for such processors, while embracing a more controller‑centric model would continue to treat these actors as engaged in personal‑data processing.

The lack of clarity also extends to joint controllership, which is pervasive in multi‑site clinical trials, public‑private partnerships and cross‑sector collaborations. If one joint controller has no realistic means of identifying data subjects, does joint controllership still endure? And what does that mean for the allocation of compliance responsibilities?

This is clearly an area where the upcoming EDPB guidance will be decisive for research operations and international life‑sciences collaborations.

3. Reasonably Likely Means: What Counts and How to Measure It?

One of the key questions focused on how to determine the “means reasonably likely to be used” for re‑identification—an expression central to recital 26 GDPR and now refined by the SRB judgment. According to the CJEU, the circumstances determine which means are ‘reasonably likely’ to be used, and the EDPB therefore asked for the participants’ input on what kind of measures a controller can implement to limit the means ‘reasonably likely’ to be used.

Stakeholders noted that “reasonably likely” is a broad and undefined term which requires further clarification in case law and guidance. They urged the EDPB to provide:

  • Clearer criteria or metrics to quantify re‑identification risk;
  • Guidance on how to treat residual risks and incidental information;
  • Clarification that the test should be grounded in realistic, not merely theoretical capabilities.

Several participants emphasised that time, cost and human resources should play an integral role in the assessment, as should the lawfulness of re‑identification. This framing aligns closely with the operational reality in life sciences, where sophisticated datasets (e.g., omics data, imaging data, longitudinal health records) could in theory be re‑identified—but not without extraordinary effort and unlawful behaviour.

Importantly, many argued that a controller’s technical, contractual and organisational safeguards (e.g., prohibitions on re-identification, audit rights, access controls) should meaningfully affect whether recipients are considered to have “reasonably likely” means.

For life sciences organisations, a clearer risk‑assessment methodology would be transformative. Today, many hesitate to classify research data as anonymised—even when robust safeguards are in place—due to uncertainty about how regulators assess “reasonable” identifiability. A more nuanced, risk‑proportionate standard would better reflect the realities of scientific research and the safeguards typically deployed by responsible actors.

4. Indirect Identification: The Scania Shadow and Its Implications

The EDPB also wanted to get the stakeholders’ input on the nature and impact of indirect means of identification that become available through a transmission of the data in question to third parties. In the Scania case[3], to which the CJEU explicitly referred in its SRB judgment, the CJEU had indicated that such indirect means could potentially change the nature of the data: anonymous data could become personal data, which may also have consequences for the original controller.

Stakeholders warned the EDPB to be careful when extrapolating from the Scania case. They emphasised that here too it is important to look at the actual possibilities, and not only the theoretical ones. In many data ecosystems there may be downstream parties that potentially have the means to re-identify, but this does not mean that all recipients have realistic access to the relevant datasets or contextual information.

The life sciences concern is obvious: does the existence of a possible downstream re‑identification route pull an upstream actor back into GDPR scope, even when that actor cannot identify individuals in practice? This potentially affects many activities in the life sciences sector, e.g. clinical trial operations, longitudinal RWE data repositories, collaborations with academic centres, and transfers to external analytics or AI service providers.

Stakeholders also asked how “indirect controllers” could comply with obligations such as transparency or breach notification when they have no relationship with the data subjects — an issue particularly relevant in multi‑site research and data‑donation environments. They called for guidance from the EDPB on this matter.

5. Problematic Use Cases and Technological & Organisational Measures

Last, the EDPB aimed to get input on which use cases would be problematic for controllers in deciding whether pseudonymised data are personal data for a given recipient, and on what technical and organisational measures a controller could apply that a recipient could not lift.

Stakeholders identified several problematic contexts—including ad‑tech, blockchain, cloud infrastructures, AI and data‑space ecosystems—where the number of potential data recipients is wide and dynamic. In such cases, it will be difficult for the controller to assess whether the data is personal data or not for all of the possible recipients (also taking into account that the data can be transferred to another party that might have reasonably likely means to identify the data subject even if the first recipient has not).

In such contexts, participants agreed that no single measure can guarantee anonymisation. Rather, a combination of different technological, contractual and organisational measures would be required to prevent re-identification. On the technical side, technologies such as differential privacy, homomorphic encryption and synthetic data were mentioned. In terms of contractual and organisational measures, strict prohibitions on re-identification were mentioned in connection with measures such as strict access control and logging, secondary use limitations, data retention and deletion policies, ongoing monitoring and audit rights, and notification obligations in case of new identification risks.

The controller would need to continuously monitor developments and update the re-identification risk assessment, also to cater for future developments (e.g. AI, quantum computing, data leaks). Here too, stakeholders warned that the controller’s obligation to assess re-identifiability risks on the recipient’s side should be limited to what is reasonably foreseeable for the controller based on the actual transfer(s).

A lot of the above measures are already familiar to life sciences organisations, but the upcoming guidelines may create new expectations for documentation, periodic review, and transparency about risk assumptions.

6. Digital Omnibus: The Elephant in the Room

The Digital Omnibus package, published by the Commission in November 2025 just before the EDPB stakeholder event, was the big elephant in the room.

The Digital Omnibus proposes, among other things, an amendment to the definition of personal data in Article 4(1) GDPR to clarify that information relating to a natural person shall not be personal for a given entity where that entity cannot identify the natural person to whom the information relates, taking into account the means reasonably likely to be used by that entity. This amendment is meant to clarify the impact of the SRB judgment, but also seems to go somewhat further than the CJEU did in its SRB judgment.

During the event, however, the EDPB did not want to discuss the Digital Omnibus at all, but asked stakeholders to focus solely on the current GDPR framework. The EDPB and the EDPS are currently preparing a joint opinion on the Digital Omnibus, which is expected to be published in early 2026.

7. Conclusion and next steps

The EDPB’s stakeholder event confirms a pivotal shift: SRB has forced a move away from the rigid, all-or-nothing interpretations of anonymisation and pseudonymisation that have long challenged data-driven industries. For the life sciences sector, the promise of greater legal certainty — and more practical, context-sensitive rules — could unlock more responsible innovation, smoother data collaboration, and reduced regulatory friction.

But the details matter. The upcoming 2026 guidelines will reshape how organisations classify, protect, and share health and research data. Life sciences organisations should use the coming months to stress-test existing data flows, refine their risk methodologies, and prepare for a more nuanced — but also more demanding — regulatory landscape.

[1] CJEU 4 September 2025, Case C-413/23 (EDPS v SRB).

[2] See WP29, Opinion 05/2014 on Anonymisation Techniques, WP216.

[3] CJEU 9 November 2023, Case C-319/22 (Gesamtverband Autoteile-Handel eV/Scania CV AB).
