EU Court of Justice ruling narrows definition of “personal data,” stating pseudonymized data is only personal if re-identification is “reasonably likely” for the recipient. This shifts how organizations handle such data, impacting sectors like AdTech and AI training. Compliance obligations for GDPR remain based on the original controller's capabilities. Organizations can share pseudonymized data more freely, but must assess re-identification risks carefully.
