Go Back
Data Privacy Alerts

EU Court Rulings Redefine Personal Data and Reinforce Cross-Border Transfer Frameworks

Check out this data privacy alert to learn the implications of two recent rulings from European courts.

Why the European Court Rulings Matter

Two landmark rulings from European courts are reshaping how companies interpret the scope of “personal data” under the GDPR and validating the current EU–U.S. data transfer framework. The decisions highlight the growing need for contextual data understanding, evidentiary compliance, and legally sound transfer governance.

Background on the European Court Rulings on Privacy

In September 2025, two influential judgments—one from the General Court of the European Union and the other from the Court of Justice of the EU (CJEU)—delivered critical updates for privacy and compliance professionals managing international data flows and anonymization strategies:

  1. Validation of the EU–U.S. Data Privacy Framework (DPF): The General Court upheld the European Commission’s adequacy decision enabling data transfers to U.S. entities certified under the DPF. The challenge brought by French MEP Philippe Latombe was dismissed on procedural grounds, with the court concluding he lacked the legal standing to represent either the French National Assembly or himself in this context.
  2. Clarification of What Constitutes Personal Data: In a separate case involving Deutsche Telekom, the CJEU ruled that pseudonymized data held by one party is not considered personal data if that party cannot reasonably re-identify the individuals—particularly when the key linking data is held by a separate organization. This narrows the interpretation of “personal data” and puts sharper focus on who has access to re-identification mechanisms.

Key Implications and Takeaways of these Privacy Rulings

  • Context Matters More Than Ever: These rulings emphasize that data classification cannot rely solely on structure (e.g., presence of tokens or identifiers), but must also account for context—who holds the data, what access they have, and what re-identification means are available.
  • DPF Valid for Now, but Caution Advised: While the DPF survives this latest legal scrutiny, previous frameworks like Privacy Shield and Safe Harbor were eventually struck down. Organizations relying on the DPF must maintain strong fallback mechanisms (SCCs, Transfer Impact Assessments, etc.) and readiness for potential legal reversals.
  • Proving Pseudonymization Is Now Critical: Pseudonymization may limit GDPR obligations—but only if companies can demonstrate (with evidence) that they do not and cannot reasonably re-identify data subjects. This raises the bar for internal data sharing, processor relationships, and how records of processing activities (ROPAs) are structured.
  • Recordkeeping and Risk Evaluation are Central: Regulators increasingly expect organizations not only to implement safeguards, but to document and justify them. Real-time visibility into data flows, access rights, and legal bases for processing is now essential for defending compliance positions.

The article rightly emphasizes how September’s EU rulings reset expectations for GDPR compliance. The EU General Court’s decision to uphold the EU–U.S. Data Privacy Framework (DPF) offers short-term stability for transatlantic transfers, but history with Safe Harbor and Privacy Shield shows adequacy decisions can collapse. Organizations should treat the DPF as valid today while maintaining fallback measures such as SCCs and Transfer Impact Assessments.

Equally significant is the CJEU’s clarification in EDPS v. Single Resolution Board that pseudonymized data may not qualify as personal data if the recipient cannot reasonably re-identify individuals. This makes classification context-driven, focusing on who holds re-identification keys. As the article notes, compliance now requires evidence over labels—updated ROPAs, documented safeguards, and defensible pseudonymization are essential. Companies that invest in continuous data mapping and governance will be best prepared for regulatory scrutiny.

Fahad Diwan, JD, FIP, CIPP/M, CIPP/C, Director of Product Marketing, Privacy, Exterro

Data Privacy Tip from Exterro

To remain compliant with evolving interpretations of data privacy law—especially when dealing with pseudonymized data or cross-border transfers—organizations must build an operational understanding of what qualifies as personal data in their specific context. This means tracking where data flows, how it’s transformed, and who can access it—without relying on generalized assumptions.

An automated data mapping solution that embeds privacy intelligence, risk evaluation, and context-driven controls is essential to get this right. If you’re looking for practical guidance on how to build this defensible foundation, explore Exterro’s expert resource The Risks Hiding in Your Data

Download PDF

Redefining how your business manages data risk.
Get Started
Mitigating enterprise data risk.
ResourcesBlogPodcastCase StudiesWhitepapers
ProductseDiscoveryDigital ForensicsData GovernancePlatform & Intelligence
IndustriesFinancial Services & InsuranceHealthcare & Life SciencesEnergy & UtilitiesGovernment & Public Sector
CompanyNews & PressCareersTrust CenterContact Us
© 2026 Exterro. All rights reserved
Trust CenterModern Slavery StatementPrivacy Policy
Do Not Sell or Share My Personal Information