The CJEU Ruling: The Rise of Confidential Computing 

The European data protection landscape has just shifted.  

In its landmark judgement in European Data Protection Supervisor (EDPS) v Single Resolution Board (SRB) (Case C-413/23 P), the Court of Justice of the European Union has clarified one of the most persistent questions under the GDPR: 

At what point does pseudonymised data stop being considered personal data? 

The answer marks a turning point not only for privacy law, but for the technologies that enable compliance itself. The Court reaffirmed its relative approach to personal data classification, setting a new standard for legal certainty in data processing. And at the centre of this new paradigm sits confidential computing. 

The Main Question: When Does Pseudonymised Data Fall Outside the GDPR? 

Until now, the boundary between personal and pseudonymised data has been clouded by legal ambiguity. Organisations treated nearly all pseudonymised data as personal data, fearing the risk of re-identification. 

The CJEU has now redrawn that boundary with unprecedented clarity.  

It ruled that pseudonymised data is only personal data for a recipient who has the means reasonably likely to re-identify that individual. This means that whether data is personal depends on practical capability, not theoretical risk. 

The Court’s reasoning rests on three key elements: 

• Relative approach – The classification of data as “personal” depends on the context and the recipient’s realistic ability to re-identify individuals. 
• Practicality test – The test determines whether re-identification is reasonably likely. 
• Technical measures – Effective safeguards that make re-identification infeasible can place data outside the GDPR’s scope. 

As the Court itself declared: 

“pseudonymised data must not be regarded as constituting, in all cases and for every person, personal data for the purposes of the application of Regulation 2018/1725, in so far as pseudonymisation may, depending on the circumstances of the case, effectively prevent persons other than the controller from identifying the data subject in such a way that, for them, the data subject is not or is no longer identifiable. (para 86)” 

This reasoning does more than interpret the GDPR. It creates a new compliance paradigm, where technical capability becomes the test of legality.  

The Technological Answer: Confidential Computing 

The SRB ruling opens the door for a new class of privacy architecture, one that ensures data cannot be re-identified not by policy, but by technical impossibility. This is the promise of confidential computing. 

Unlike traditional approaches, Confidential Computing ensures that data remains protected even while in use, protecting data and code at their most vulnerable. This helps organisations to control the exposure of their data to third parties and to demonstrate transparency regarding data management, usage, and protection.  

In legal terms, confidential computing creates a technical barrier so strong that the means for re-identification simply does not exist for the recipient. This aligns perfectly with the SRB test: when re-identification is not reasonably likely, GDPR obligations for personal data may not apply. 

How Klave Operationalises the SRB Standard 

Klave brings these concepts from theory to practice. Its architecture enforces confidentiality and integrity by design. 

Built entirely on Confidential Computing, Klave ensures that data confidentiality and integrity are enforced by hardware, not human discretion. Every computation is accompanied by cryptographic proof and verifiable evidence that no one, not even Klave, can access the data in clear form. 

This has direct legal implications. Under the SRB framework, a recipient who technically cannot re-identify individuals does not hold personal data. Klave’s design achieves exactly that: 

• Data remains encrypted during processing. 
• Participants cannot extract or correlate identifiers. 
• Re-identification is not reasonably likely; it is technically precluded. 

In effect, Klave allows organisations to prove that they do not have the means reasonably likely to re-identify data, a direct response to the SRB ruling’s logic. 

Why Confidential Computing is the Way Forward 

The CJEU SRB ruling doesn’t just clarify GDPR, it demands a higher standard of proof. Confidential computing is the first technology capable of meeting it, and Klave makes it practical, performant, and provable. 

Regulators, technologists, and privacy experts increasingly converge on one view: future-proof compliance must be grounded in architecture, not in policy. The SRB ruling validates this shift, emphasising the role of technical controls in defining whether data even counts as personal. 

Klave embodies this philosophy. By integrating confidential computing at its core, it creates a verifiable, enforceable boundary around data that satisfies both technical and legal scrutiny. 

With Klave, organisations can achieve what regulators have long called for but few could deliver: legal certainty for pseudonymised data, grounded in cryptographic truth. 

Explore how Klave enables legally certain, privacy-preserving computation at klave.com. 

References 

Court of Justice of the European Union (September 4, 2025). EDPS v Single Resolution Board (C-413/23 P). Link 

Norton Rose Fulbright (September 4, 2025). Pseudonymised data could fall outside data protection law – introducing the “means reasonably likely” assessment. Link 

Covington (September 4, 2025). EU Court of Justice Clarifies the Concept of Personal Data in the Context of a Transfer of Pseudonymized Data to Third Parties.  Link 

Hunton (September 10, 2025). Eu Court of Justice Clarifies Definition of “Personal Data” in the Context of Pseudonymization. Link 

Clifford Chance (September 10, 2025). Pseudonymized data after EDPS v SRB. Link 

Latham & Watkins (September 16, 2025). CJEU Confirms Personal Data as a Relative Concept. Link 

Jones Day (September 2025). CJEU Clarifies Scope of Personal Data in EDPS v SRB Decision. Link 

Taylor Wessing (September 17, 2025). Analysis of the CJEU Judgement in Case C-413/23 P (EDPS v SRB). Link