Council of State (13/02/2026): Pseudonymization ≠ Anonymization — DLP and GDPR Transfers

France’s Council of State confirms: “pseudonymized” health data remain personal if re-identifiable. Here’s how strong DLP secures flows and compliance with GDPR Articles 32 and 44–49.

13 February 2026 — Council of State. France’s highest administrative court upheld CNIL fines against GERS/Santestat/Cegedim Santé: “pseudonymized” health datasets remained re‑identifiable with “reasonable means,” and thus were still personal data. Bottom line: security (Art. 32) and transfer (Chapter V) duties fully apply to pseudonymized datasets shared internally, with processors, or to the cloud. Reference: Council of State, No. 498628, 13/02/2026 and commentary by Inside Privacy, HSF Kramer, Seban.

The facts

The Council of State (10th–9th joined chambers) dismissed the appeals and confirmed fines (€800k / €200k / €800k). Variables (patient codes, prescriber IDs, age, conditions, treatments, fine‑grained dates, regional areas) enabled singling out and linkage with “reasonable means.” The objective possibility of re‑identification suffices, regardless of whether the company actually re‑identifies.

The legal framework

  • GDPR Article 32: security measures, including pseudonymization “where appropriate.” Article 4(5) defines pseudonymization as processing after which the data can no longer be attributed to a person without additional information that is kept separately, and Recital 26 treats data as anonymous only when re‑identification is not reasonably likely. Pseudonymization is therefore a security measure on personal data, not a way out of the Regulation. CNIL guidance: Anonymization, Pseudonymization. See also our page on the GDPR, including Articles 32 and 44–49.
  • Articles 44–49 GDPR: a pseudonymized dataset exported to a third country is still a transfer of personal data; an Article 46 mechanism (typically SCCs) and, where the destination’s law requires it, supplementary measures remain mandatory. EDPB resources: Anonymization.
  • Judicial interpretation: a realistic test of re‑identification risk (granularity, external linkage, ordinary means). Official decision: CE 498628, 13/02/2026.

Practical outcome across Europe (LU/BE/FR/DE): treat pseudonymized datasets shared with vendors/subsidiaries/cloud as personal; apply Article 32 and, for any third‑country disclosure, Chapter V of the GDPR.

Why this is a technical turning point

Some argued that a recipient who does not hold the re‑identification “key” receives anonymous data and therefore falls outside the GDPR. The ruling rejects that shortcut: the question is whether the recipient, or anyone with access to the dataset, could re‑identify individuals with reasonable means, and the answer turns on the granularity of the exported variables (exact dates, prescriber IDs, small areas) rather than on who holds the key. This tightens the expected state of the art for both security and transfers. Organizations should evidence and audit these controls within an ISMS aligned to ISO 27001 in Luxembourg and across the EU.
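The re‑identification test the court applies can be checked before an export leaves the organization. The script below is an added example, not part of the decision or of this page, and uses a constructed eight‑record extract with hypothetical column names. It groups records by their quasi‑identifiers (singling out: the smallest group size, often written k), then runs a linkage attack in which an adversary knows a few ordinary facts about a neighbour and keeps the records that agree. The same checks are re‑run after generalization (prescriber ID dropped, 10‑year age band, month‑level date, postal code reduced to the department) to show why the granularity, not the absence of the key, decides the outcome.

```python
"""Singling-out and linkability check on a "pseudonymized" health extract.

Added example (not from the decision or the page). The data are constructed
and the column names are hypothetical; the check is a plain equivalence-class
(k-anonymity) test, i.e. the 'singling out' criterion only, not a full
anonymization assessment.
"""
from collections import defaultdict
from datetime import date

# Constructed extract: pseudonymous patient code plus the kinds of variables
# the court considered (prescriber ID, age, sex, diagnosis, exact act date,
# fine-grained geography).
RECORDS = [
    {"patient_code": "P-4f9a", "prescriber_id": "RPPS-1001", "age": 34, "sex": "F", "icd10": "E11", "act_date": date(2025, 3, 4),  "area": "75011"},
    {"patient_code": "P-7c21", "prescriber_id": "RPPS-1001", "age": 36, "sex": "F", "icd10": "E11", "act_date": date(2025, 3, 18), "area": "75012"},
    {"patient_code": "P-c3d4", "prescriber_id": "RPPS-1001", "age": 33, "sex": "F", "icd10": "E11", "act_date": date(2025, 3, 22), "area": "75018"},
    {"patient_code": "P-0b3e", "prescriber_id": "RPPS-2042", "age": 52, "sex": "M", "icd10": "I10", "act_date": date(2025, 3, 5),  "area": "75011"},
    {"patient_code": "P-9d80", "prescriber_id": "RPPS-2042", "age": 57, "sex": "M", "icd10": "I10", "act_date": date(2025, 3, 27), "area": "75015"},
    {"patient_code": "P-e5f6", "prescriber_id": "RPPS-2042", "age": 55, "sex": "M", "icd10": "I10", "act_date": date(2025, 3, 11), "area": "75019"},
    {"patient_code": "P-1e67", "prescriber_id": "RPPS-3310", "age": 71, "sex": "F", "icd10": "C50", "act_date": date(2025, 4, 2),  "area": "92100"},
    {"patient_code": "P-ab12", "prescriber_id": "RPPS-3310", "age": 74, "sex": "F", "icd10": "C50", "act_date": date(2025, 4, 21), "area": "92120"},
]

# Quasi-identifiers: every column except the pseudonym itself.
QI = ("prescriber_id", "age", "sex", "icd10", "act_date", "area")


def native(record):
    """Quasi-identifiers exactly as exported (the 'key-less' dataset)."""
    return {k: record[k] for k in QI if k in record}


def coarse(record):
    """Same record after generalization: prescriber ID dropped, 10-year age
    band, month-level date, postal code reduced to the department."""
    out = {}
    if "age" in record:
        out["age"] = record["age"] // 10 * 10
    for k in ("sex", "icd10"):
        if k in record:
            out[k] = record[k]
    if "act_date" in record:
        out["act_date"] = (record["act_date"].year, record["act_date"].month)
    if "area" in record:
        out["area"] = record["area"][:2]
    return out


def equivalence_classes(records, view=native):
    """Group pseudonyms by identical quasi-identifier combination."""
    classes = defaultdict(list)
    for r in records:
        classes[tuple(sorted(view(r).items()))].append(r["patient_code"])
    return dict(classes)


def k_anonymity(records, view=native):
    """Smallest class size; k == 1 means at least one person is singled out."""
    return min(len(m) for m in equivalence_classes(records, view).values())


def singled_out_fraction(records, view=native):
    """Share of records that are unique on their quasi-identifiers."""
    classes = equivalence_classes(records, view)
    return sum(1 for m in classes.values() if len(m) == 1) / len(records)


def link(records, known, view=native):
    """Linkage with 'reasonable means': an adversary knows a few facts about a
    target (age, sex, area, a visit date...) and keeps the records that agree.
    Returns candidate pseudonyms; a single candidate is a re-identification."""
    target = view(known)
    return [r["patient_code"] for r in records
            if all(view(r).get(k) == v for k, v in target.items())]


if __name__ == "__main__":
    # What a neighbour or colleague could plausibly know about one patient.
    neighbour = {"age": 34, "sex": "F", "area": "75011", "act_date": date(2025, 3, 4)}
    for name, view in (("as exported", native), ("generalized", coarse)):
        print(f"{name}: k={k_anonymity(RECORDS, view)}, "
              f"singled out={singled_out_fraction(RECORDS, view):.0%}, "
              f"candidates for neighbour={link(RECORDS, neighbour, view)}")
```

On the extract as exported every record is unique (k = 1) and the neighbour’s three or four ordinary facts point to exactly one pseudonym, which is the situation the court describes. After generalization the smallest class has two members and the same facts leave three candidates. A k of 2 or 3 is still far from what a serious anonymization would require; the point of the script is to make the re‑identification assessment reproducible and to show which variable is doing the damage, so that the DLP rules target the right co‑occurrences.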

The reference DLP stack

  • Classification and labeling: detect PII/PHI and quasi‑identifiers (age, prescriber codes, diagnosis codes, precise timestamps, geo). Patterns, EDM/IDM (exact data match against a reference extract, indexed document match against known files), business dictionaries (ATC drug codes, ICD diagnosis codes), contextual rules that fire on co‑occurrence rather than on a single attribute.
  • Endpoint/egress DLP: block/quarantine/justify exports (email, web/cloud, SFTP, print, clipboard, USB); dynamic masking and on‑the‑fly encryption for authorized but sensitive flows.
  • Network/Cloud DLP (CASB, with CSPM for misconfigured or publicly exposed storage): outbound TLS inspection where policy and certificate pinning allow it, SaaS/public storage upload controls, tenant allow‑lists and geo‑fencing; tamper‑proof logging and exception workflows.
  • Transfer governance (Chap. V): recipient mapping, re‑ID assessment (singling‑out/linkability/inference), tool‑assisted “transfer/no‑transfer” decisions, regional confinement, EU‑managed keys, client‑side encryption.
  • Chain of evidence: DLP logs, exception tickets, dataset fingerprints, false‑positive/false‑negative reports from the tuning runs.

Standards: ISO/IEC 27001:2022 Annex A 8.12 (Data leakage prevention), 8.10 (Information deletion), 8.11 (Data masking), 8.20 (Networks security), 8.24 (Use of cryptography). Summaries: Bastion – Annex A, ISO27001.com – A.8.12. EDPB guidance (2025–2026).

How Luxgap delivers

  • ISO 27001 governance: DLP policy grounded in re‑identification risk and sensitive‑flow mapping. Workshops with business, IT, and compliance.
  • Externalized DPO and CISO: legal qualification “pseudo ≠ anonymous,” transfer (Chap. V) analysis, legal bases, safeguards, exception procedures. Explore our certified DPO mandate.
  • Managed SOC (as needed): 24/7 monitoring of DLP/CASB signals, IAM/Cloud correlation, real‑time alerts, support for CNPD/NIS 2 notifications. See our managed SOC.

Proof of value (4–6 weeks): three high‑risk channels (email, collaborative SaaS, object storage), precise sector quasi‑identifier detection, and a “transfers & exceptions” dashboard for DPO/IT/Legal.

Field case (EU/Luxembourg)

  • Discovery of “pseudonymized” exports sent to personal mailboxes (attachments).
  • DLP rules targeting prescriber codes + act dates + age/gender; automatic masking and approved secure channel.
  • Transfer governance: default block outside the EU, exceptions logged through the IdP approval workflow, SCCs applied where needed.

Outcome: 78% reduction in exfiltration incidents across 3 pilot channels and a compliance dossier ready (Art. 32 and Chapter V) for internal audit/DPO oversight.

First concrete steps

  1. Build a “red list” of high‑individualization attributes (extreme ages, precise timestamps, prescriber/supplier IDs, fine‑grained geo).
  2. Sandbox DLP detection of these co‑occurrences on 2 channels (outbound email, SaaS upload) and measure false positives.
  3. Default‑block out‑of‑EU sends from generic accounts; open case‑by‑case with full traceability.
  4. Gate “pseudonymized sharing” with a legal (Chap. V) and technical checklist (masking, client‑side encryption, geo‑fencing, EU keys).
  5. Document the “pseudo ≠ anonymous” analysis in your ISMS (ISO 27001: A 8.12, A 8.11) and GDPR register.
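Steps 1 to 3, and the field case above, come down to one rule engine: a red list, a co‑occurrence rule, a recipient check, and a way to count false positives. The script below is an added example and not Luxgap’s or any vendor’s product; the detection patterns are hypothetical stand‑ins for tuned DLP detectors, and the domains, sender accounts and sample messages are constructed. It flags a message only when a pseudonym co‑occurs with a quasi‑identifier, when two quasi‑identifiers co‑occur, or when an extreme age appears alone; sensitive messages to an allow‑listed EU recipient are masked on the fly, anything else is blocked with a reason that can open an exception case; and a small labelled sample measures precision and recall, which is where the “building age 120 years” false positive shows up.

```python
"""Sandbox DLP rule: red-list co-occurrence detection on outbound messages,
EU-only default for sensitive content, dynamic masking, and false-positive
measurement. Added example; patterns, domains and messages are constructed.
"""
import re
from dataclasses import dataclass

# Step 1: red list. Hypothetical regexes standing in for tuned detectors
# (a real deployment would use EDM against the reference extract).
RED_LIST = {
    "patient_code":  re.compile(r"\bP-[0-9a-f]{4}\b"),
    "prescriber_id": re.compile(r"\bRPPS-\d{4}\b"),
    "act_date":      re.compile(r"\b(?:0[1-9]|[12]\d|3[01])/(?:0[1-9]|1[0-2])/20\d{2}\b"),
    "age":           re.compile(r"\b(?:age|âge)\s*:?\s*(\d{1,3})\b", re.IGNORECASE),
    "postal_code":   re.compile(r"\b(?:75|92|93|94)\d{3}\b"),
}
EXTREME_AGE = 90  # an age this high individualizes on its own

# Step 3: EU recipients allowed by default; anything else is treated as a
# third-country or unknown destination. Constructed domains and accounts.
EU_ALLOWLIST = {"hopital.example.lu", "partner.example.fr"}
GENERIC_SENDERS = {"export@lab.example.lu", "noreply@lab.example.lu"}


@dataclass
class Message:
    sender: str
    recipient: str
    body: str


def find_attributes(text):
    """Red-list attributes present in the text, keyed by attribute name."""
    found = {}
    for name, pattern in RED_LIST.items():
        hits = pattern.findall(text)
        if hits:
            found[name] = hits
    return found


def is_sensitive(found):
    """Co-occurrence rule: a pseudonym plus any quasi-identifier, two or more
    quasi-identifiers together, or a single extreme age."""
    if "patient_code" in found and len(found) >= 2:
        return True
    if len({k for k in found if k != "patient_code"}) >= 2:
        return True
    return any(int(a) >= EXTREME_AGE for a in found.get("age", []))


def mask(text):
    """Dynamic masking for an authorized EU flow: pseudonym kept, prescriber ID
    and exact day removed, age reduced to a 10-year band."""
    text = RED_LIST["prescriber_id"].sub("RPPS-****", text)
    text = RED_LIST["act_date"].sub(lambda m: "**" + m.group(0)[2:], text)
    text = RED_LIST["age"].sub(lambda m: f"age band {int(m.group(1)) // 10 * 10}s", text)
    return text


def decide(msg):
    """Return (action, reason): allow, mask or block."""
    found = find_attributes(msg.body)
    if not is_sensitive(found):
        return "allow", "no red-list co-occurrence"
    domain = msg.recipient.rsplit("@", 1)[-1].lower()
    if domain not in EU_ALLOWLIST:
        who = "generic account" if msg.sender in GENERIC_SENDERS else "named user"
        return "block", f"{who}: {sorted(found)} to non-allow-listed domain {domain}; open a Chapter V exception case"
    return "mask", f"{sorted(found)} to EU recipient {domain}"


def evaluate(labelled):
    """Step 2: confusion counts over messages labelled by a human reviewer."""
    tp = fp = fn = tn = 0
    for msg, expected in labelled:
        flagged = is_sensitive(find_attributes(msg.body))
        if flagged and expected:
            tp += 1
        elif flagged:
            fp += 1
        elif expected:
            fn += 1
        else:
            tn += 1
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return {"tp": tp, "fp": fp, "fn": fn, "tn": tn, "precision": precision, "recall": recall}


# Constructed, hand-labelled sample (True = genuinely sensitive).
SAMPLES = [
    (Message("export@lab.example.lu", "someone@gmail.com",
             "Extract: P-4f9a, prescriber RPPS-1001, act 04/03/2025, âge 34, 75011"), True),
    (Message("m.dupont@lab.example.lu", "dpo@partner.example.fr",
             "Extract: P-7c21, prescriber RPPS-1001, act 18/03/2025, âge 36"), True),
    (Message("m.dupont@lab.example.lu", "team@partner.example.fr",
             "Meeting on 04/03/2025 at 14:00, room B"), False),
    (Message("it@lab.example.lu", "helpdesk@vendor.example.com",
             "Please fix the directory entry for RPPS-2042"), False),
    (Message("facilities@lab.example.lu", "agent@vendor.example.com",
             "Roof survey 27/03/2025: building age 120 years, budget attached"), False),
    (Message("export@lab.example.lu", "ops@us-cloud.example.com",
             "Cohort: âge 97, consultation 21/04/2025"), True),
]

if __name__ == "__main__":
    for msg, _ in SAMPLES:
        print(msg.recipient, "->", decide(msg))
    print(evaluate(SAMPLES))
```

The first message (a full extract sent from a generic export account to a personal mailbox) is blocked, the second (same content to an allow‑listed EU partner) goes out masked with the pseudonym intact and the prescriber ID, day and exact age removed, and the roof survey is counted as a false positive. That last result is the useful one for step 2: the age detector needs a context window or a ceiling before it leaves the sandbox, and the numbers from `evaluate` are the evidence to keep in the ISMS alongside the rule.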

In short: a patient code is not an invisibility cloak. Properly tuned DLP plus transfer governance prevents “grey” exfiltration and evidences compliance with GDPR Articles 32 and 44–49.

Get in touch to assess your pseudonymized flows and operationalize DLP/Chapter V controls.