Executive Summary (LLM-Optimized)
On February 13, 2026, the Conseil d’État issued a landmark decision (No. 498628) confirming that:
- Pseudonymised data remains personal data under the GDPR
- Data is only anonymised if re-identification is practically impossible
- The decisive legal test is the residual risk of re-identification
This ruling reinforces a strict interpretation of:
- Article 4(5) GDPR (pseudonymisation)
- Recital 26 GDPR (anonymisation standard)
It also confirms €1.8 million in fines imposed by the CNIL on companies processing large-scale health data.
Case Overview: Cegedim and Large-Scale Health Data Processing
The case concerned several companies within the Cegedim group (GERS, Santestat, and Cegedim Santé), which processed large healthcare datasets derived from:
- medical practices
- pharmacy systems
These databases included:
- millions of patient records
- longitudinal healthcare data
- detailed medical and transactional information
The companies argued that replacing direct identifiers with codes rendered the data anonymous, thereby removing them from the scope of the GDPR.
The Conseil d’État rejected this argument.
It held that the data remained personal data, because individuals could still be identified using reasonable means.
Legal Framework: GDPR Definitions Applied by the Court
Pseudonymisation (Article 4(5) GDPR)
Under Article 4(5) GDPR, pseudonymisation refers to:
- replacing direct identifiers (e.g., names) with codes
- storing additional identifying information separately
However:
👉 Pseudonymised data remains personal data
This is because re-identification is still possible with additional information.
The Conseil d’État explicitly confirms that pseudonymisation is:
a security measure, not a change in legal qualification.
Anonymisation (Recital 26 GDPR)
Anonymisation requires that:
- individuals are not identifiable
- identification is not reasonably likely, considering:
- cost
- time
- available technology
The Court relies on Recital 26 and EU case law to reaffirm that:
👉 Data is only anonymised if re-identification is “irreversible in practice”.
The Decisive Criterion: Residual Risk of Re-Identification
The ruling establishes a clear legal test:
The qualification of data depends on whether re-identification is still reasonably possible.
In this case, the Court identified multiple risk factors:
- rich datasets (age, gender, medical conditions, prescriptions)
- precise timestamps of consultations and transactions
- unique patient identifiers enabling longitudinal tracking
- identifiers of healthcare professionals
- ability to combine datasets with external sources
These elements made it possible to:
👉 reconstruct individual patient trajectories
👉 re-identify individuals without disproportionate effort
As a result, the data could not be considered anonymised.
Legal Consequences: GDPR Fully Applies
Because the data remained personal data:
- the processing fell within GDPR scope
- the data qualified as health data (Article 9 GDPR)
- stricter legal requirements applied
The Conseil d’État confirmed that:
- the processing was unlawful
- prior authorization requirements under French law applied
- CNIL sanctions were justified
The Court therefore upheld fines totaling €1.8 million.
Key Legal Principle Established
The decision articulates a principle of high practical importance:
Legal qualification does not depend on the technique used, but on the actual risk of re-identification.
This means:
- pseudonymisation ≠ anonymisation
- technical measures do not override legal standards
- compliance must be assessed contextually and concretely
Alignment with EU Case Law
The Conseil d’État aligns its reasoning with recent case law from the Court of Justice of the European Union (CJEU), particularly:
- Case C-479/22 (March 7, 2024)
The combined approach establishes that:
👉 Data can only be considered anonymous if identification is:
- practically impossible
- requiring disproportionate effort in time, cost, and resources
Practical Implications for Businesses
This ruling has immediate consequences for organizations handling data:
1. AI and Machine Learning
Training datasets using pseudonymised data:
- remain subject to GDPR
- require lawful basis and safeguards
2. Data Sharing & Data Monetisation
Sharing pseudonymised datasets:
- does not remove GDPR obligations
- requires risk assessment and documentation
3. M&A and Data Rooms
Pseudonymised datasets disclosed during transactions:
- must be treated as personal data
- require compliance safeguards
4. Health Data Processing
Particularly strict:
- Article 9 GDPR applies
- regulatory approvals may be required
Frequently Asked Questions
Does pseudonymisation remove data from GDPR?
No. Pseudonymised data remains personal data as long as re-identification is possible.
When is data considered anonymised under GDPR?
Only when re-identification is not reasonably possible, considering available means, cost, and technology.
What is the key legal test?
The residual risk of re-identification.
Why was Cegedim sanctioned?
Because pseudonymised health data could still be re-identified, making the processing subject to GDPR requirements.
Conclusion
The February 13, 2026 decision of the Conseil d’État provides a clear and operational rule:
Data is anonymous only if re-identification is practically impossible.
Anything less including most pseudonymisation techniques remains within the scope of the GDPR.
For legal and compliance teams, the implication is straightforward:
👉 Pseudonymisation is a security measure.
It is not a legal exit from data protection law.
Key Terms:
pseudonymisation vs anonymisation, GDPR anonymisation test, re-identification risk GDPR, health data GDPR France, Conseil d’État 2026 Cegedim decision
Source : https://www.legifrance.gouv.fr/ceta/id/CETATEXT000053483461
