Consolidation of the French doctrine on personal data and pseudonymisation after the CJEU’s SRB ruling

18.06.2026

Following the CJEU's SRB ruling (C-413/23, 4 September 2025), French doctrine on the qualification of personal data and pseudonymisation has consolidated through the decisions of the Conseil d'État (13 February 2026, n° 498628) and the CNIL in the IQVIA case (26 May 2026, n°SAN-2026-008): pseudonymisation remains a risk-reducing security measure, not a passport to anonymity.

Whether pseudonymised data qualifies as personal data is one of the most consequential questions in EU data protection law. This issue has been settled by the Court of Justice of the European Union (“CJEU”) in its SRB ruling of 4 September 2025 (C-413/23), a much-commented decision that has arguably been read too broadly, though not in France, which has produced a subtle body of doctrine on this issue. The French Conseil d’État anchored its reading in its decision n°498628 of 13 February 2026, followed by the French data protection authority (“CNIL”), which imposed a high administrative fine on IQVIA Operations France in its recent decision SAN-2026-008 of 26 May 2026. Read together, these decisions show a French doctrine that is firmly settled and subtly aligned with EU case law.

 

Step one: The CJEU’s SRB ruling: personal data as a relative, fact-sensitive notion

The SRB, the Single Resolution Board (the EU authority responsible for the orderly resolution of failing banks within the Banking Union), had collected stakeholder comments, assigned each a randomly generated alphanumeric code, and transmitted the pseudonymised comments to Deloitte for evaluation. The CJEU held that pseudonymisation may, depending on the circumstances, prevent recipients other than the controller from identifying the data subject, so that for them, the person is no longer identifiable.

The Court attached two conditions to that outcome for a recipient: the recipient must be unable to reverse the pseudonymisation measures in any processing under its control, and those measures must effectively prevent the recipient from re-attributing the data to the individual, including by cross-referencing other information. Conversely, the controller that had performed the pseudonymisation normally retains the additional information and therefore continues to hold personal data. The Court also stressed that the relevant perspective for assessing identifiability depends essentially on the circumstances of each case, and expressly situated SRB in the continuity of its earlier Breyer (C-582/14) and OC v Commission (C-479/22) rulings. The “reasonable means” test of recital 26 GDPR remains the governing standard.

 

Step two: The French Conseil d’État (13 February 2026) applies a concrete re-identification test

Drawing on the aforementioned OC v Commission ruling, the French supreme administrative court, the Conseil d’État, held that data can be treated as anonymised only where the risk of identification is insignificant and re-identification is practically unrealisable, requiring a disproportionate effort in time, cost and labour.

The French supreme court therefore endorsed the CNIL’s concrete assessment of re-identification risk in this case concerning health databases fed by data collected from physicians and pharmacies, which included numerous and varied data: the authority had established that pseudonymity could be lifted by reasonable means, so the data, though pseudonymised, were not anonymised. With no serious difficulty of interpretation, the Conseil d’État declined to refer a preliminary question to the CJEU, which is a strong signal that the French and EU positions coincide.

 

Step three: The CNIL’s IQVIA decision (26 May 2026): SRB not a passport to anonymity for the controller

IQVIA operates two health-data warehouses built from data collected from pharmacies and physicians’ software, pseudonymised through successive trusted third parties. After SRB, IQVIA argued that the warehoused data were anonymous and thus outside the GDPR, invoking the fact that the same dataset could be personal for one entity and anonymous for another unable to identify individuals by reasonable and lawful means.

The CNIL rejected this on several grounds, offering welcome clarifications of its doctrine.

First, the CNIL distinguishes the position of a controller from that of a mere recipient of pseudonymised data. IQVIA is not a recipient like Deloitte in SRB; it designed and governs the entire processing chain from collection onward.

Second, unlike the isolated, randomly coded comments in SRB, IQVIA’s data are rich and permit longitudinal tracking of each patient through a unique identifier.

Third, echoing the EDPB’s 2021 WhatsApp binding decision, the fact that IQVIA had no intention to re-identify the patients is irrelevant. What matters is the fact that even a single person can be re-identified by reasonable means. The CNIL showed that combining warehouse data with open-source information allowed a patient to be isolated in minutes.

Fourth, the CNIL refined the “unlawful means” limb of Breyer (reprised at point 82 of SRB): a contractual ban on re-identification agreed between private parties is not an identification “prohibited by law”.

The CNIL concluded that pseudonymisation here did not eliminate the correlation risk, so the data remained personal for IQVIA.

IQVIA was therefore indeed processing personal data; it was fined €5,000,000 for various infringements of the GDPR and was issued injunctions under a daily penalty.

 

Article provided by INPLP members: Charlotte Barraco-David and Marie-Hélène Tonnellier (OYAT, France)

Co-Author: Clyde Coutellier

 

 
