
Media Tech Law

Encrypted Data: Still “Personal Data” under GDPR?

An interesting question continues to be whether encrypted personal data is still “personal data” for purposes of the European Union’s General Data Protection Regulation (GDPR), thereby making the processing of such data subject to the GDPR’s extensive compliance obligations.  The answer largely hinges on the precise meaning and implications of encryption.  Simply asserting that encrypted data is “anonymized” is insufficient and inaccurate for concluding that it no longer fits within the GDPR’s definition of personal data—information relating to an “identified or identifiable natural person.”

 

If an organization encrypts data under its control, thus rendering the data no longer directly “identified,” does it remain “identifiable?”  Possibly.  The GDPR clearly indicates that if data is neither identified nor identifiable, it is no longer considered personal data and thus falls outside GDPR’s scope.

 

But first, what precisely is encryption?  Josh Gresham describes encryption on the IAPP blog as a process where a party “tak[es] data and us[es] an ‘encryption key’ to encode it so that it appears unintelligible. The recipient uses the encryption key to make it readable again.  The encryption key itself is a collection of algorithms designed to be completely unique, and without the encryption key, the data cannot be accessed.  As long as the key is well designed and securely managed, the encrypted data remains protected.”

 

Gresham’s definition includes several critical conditions: Notably, “the assumption that the encryption algorithm is well-designed and the encryption properly executed.”  This raises questions about the quality and robustness of encryption—specifically, how unintelligible must data be to qualify as effectively non-identifiable?  Gresham proposed that the European Data Protection Board (EDPB) establish and maintain updated standards or a recognized list of acceptable encryption technologies to ensure clarity and compliance.

 

Yet even robust encryption will not guarantee absolute non-identifiability, only reasonable protection in practical terms.  This perspective aligns clearly with GDPR Recital 26, which instructs organizations to “determine whether a natural person is identifiable” by considering all means reasonably likely to be used—including the feasibility of singling out individuals directly or indirectly.  Recital 26 further explains that to assess if identification means are reasonably likely to be used (and successful), one must evaluate objective factors such as the costs, required time, and existing technological capabilities at the time of processing and subsequent developments.  This reasonable likelihood of de-encryption (or re-identification) was the motivation behind the Signal messaging app’s highly publicized encryption protocol facelift in 2023 to PQXDH, in order to (theoretically) keep its encryption ahead of advances in quantum computing which could enable cracking older, less sophisticated encryption codes.

 

This is the same point argued by a group of British data scientists a few years ago in Computer Law & Security Review, challenging the presumption that all “pseudonymized” (as opposed to “anonymized”) data relating to an identified or identifiable individual remain “personal data” under GDPR.  As I wrote a few years ago, complicating matters further is the ongoing casual usage of “anonymized aggregated data” in contracts with third-party vendors.  For example, contracts often specify: “[VENDOR] may utilize Customer’s Performance Data… to produce anonymized aggregated data, industry reports, or statistics (‘Aggregated Data’) for commercial purposes, provided Aggregated Data does not identify the customer or their clients.”

 

The precision view of data anonymization—represented notably by the Advocate General’s opinion in the European Court of Human Rights in the landmark pre-GDPR 2016 case of Breyer v Germany (Case 582/14)—holds that data remains “personal” if any party, such as an internet service provider, possesses additional information that could reasonably lead to identification.  Thus, even dynamic IP addresses could constitute personal data if reasonably linked to specific individuals.

 

In contrast, a more pragmatic approach reflected in recent EU cases holds (consistent with Recital 26) that absolute anonymity (or non-re-identifiability) is not the appropriate test.  Instead, the decisive factor is whether data can realistically and practically be linked back to individuals through reasonable effort and available technologies.

 

For instance, the Court of Justice of the European Union addressed a closely related scenario in 2023, in Single Resolution Board (SRB) v EDPS (Case T-557/20), holding that pseudonymized data transmitted to third parties who lack realistic access to re-identification keys could, in their hands, fall outside GDPR’s definition of personal data.  Advocate General Spielmann, in his 2025 Opinion on the pending appeal (C-413/23 P), confirmed this view but emphasized that a strict standard should apply: Encrypted data only becomes truly anonymous when there is practically no risk of re-identification, even considering future technological advancements.  He explained that “it is only where the risk of identification is non-existent or insignificant that data can legally escape classification as ‘personal data.’”

 

As the data scientists note in Computer Law & Security Review, in discussing the opinion of the Court of Justice of the European Union (CJEU) in Breyer v Germany (see above):

 

“it was necessary to determine ‘whether the possibility to combine a dynamic IP address with the additional data held by the internet service provider constitutes a means likely reasonably to be used to identify the data subject.’  They concluded that the data were personal, but only because of the existence of legal channels enabling the competent authority to obtain identifying information from the internet service provider in the event of a cyber-attack.”

 

In the authors’ view, the GDPR’s contemplated use of the term “pseudonymization” and the concept of de-identification should not be understood as dispositive for whether data is “personal” – in fact, such data is presumed personal as a default.  Rather, “it is Recital 26 and its requirement of a ‘means reasonably likely to be used’ which remains the relevant test as to whether data are personal”.

 

Josh Gresham in his IAPP commentary wrote that encryption is neither pseudonymization nor anonymization.  That’s because, as discussed above, de-identified encrypted data may or may not be able to be re-identified, depending on the availability (or security) of the encryption key, but also depending on the design (and implementation) strength of the encryption itself.  Assuming sufficiency of the latter, Gresham seems to suggest that encrypted personal data processed by parties who directly implemented the encryption should remain viewed as personal data on the presumption that those parties retain a re-identification key (i.e. pseudonymized data).  That same data in the care of downstream third parties without reasonable access to that key should not be so viewed (i.e. anonymized data) – though this stance remains controversial.

 

Several commenters to Gresham’s post, however, disputed the notion that encryption could ever sufficiently anonymize data under GDPR.  Marcus Mueller noted that GDPR Articles 4 and 5 explicitly apply to encrypted data regardless of the processor’s access to the encrypted content or to the meaning of the encrypted data, stressing the continued application of GDPR’s “integrity and confidentiality” requirements.  And Michiel Benda simply points out that “downstream third parties without reasonable access to [the encryption] key” (my words) do not practically exist.

 

In fairness, Gresham did not advocate for removing encrypted, anonymized data from data protection governance, which anonymization would only reduce, not eliminate.  He argued instead that, since, in practical terms, a processor of encrypted data “isn’t really processing personal data”, a better practical focus for achieving GDPR’s data privacy protections might be to establish and maintain a list of acceptable encryption technologies to truly anonymize data.  Standards for acceptable encryption should be sufficiently high in order to justify lower GDPR obligations such as notifying data subjects of data breaches.

 

While encryption significantly enhances data protection, organizations should remain cautious.  Under current legal interpretations, encrypted personal data remains within GDPR’s jurisdiction unless the data is demonstrably and irreversibly anonymized. Organizations should therefore treat encrypted personal data prudently, maintaining comprehensive privacy compliance frameworks and recognizing encryption as supplementary rather than substitutive for rigorous data privacy practices.