Share This Article
A recent decision advertising cookie identifiers of the French Conseil d’État has reignited a fundamental debate in EU data protection law: when do online identifiers qualify as personal data under the GDPR?
The ruling confirmed the legality of a sanction imposed by the French data protection authority (CNIL) in relation to large-scale behavioural advertising activities. The most significant aspect of the decision concerns the legal qualification of advertising identifiers collected through cookies and tracking technologies.
Beyond its relevance for the adtech sector, the decision also raises broader questions about pseudonymisation and identifiability, which are increasingly central to debates on AI training and the future of EU digital regulation.
The Court’s Approach to Online Identifiers
Under Article 4(1) GDPR, personal data includes any information relating to an identified or identifiable natural person. Identification may occur directly or indirectly, including through an identifier such as a name, identification number, location data, or an online identifier.
Recital 30 of the GDPR explicitly refers to cookie identifiers, device identifiers, and similar technologies as potential elements that may make individuals identifiable.
In the case examined by the Conseil d’État, the advertising identifiers were associated with a large volume of additional data points, including:
-
IP addresses and geographic location
-
device identifiers
-
identifiers associated with partner websites
-
browsing history and user behaviour
-
interactions with advertisements and purchases
Through the aggregation of these data points, the system allowed the creation of detailed behavioural profiles linked to specific identifiers.
The court concluded that these identifiers qualified as personal data because the identification of certain individuals would not be technically impossible and could occur without disproportionate effort in terms of time, cost, or manpower.
In other words, even if the identifiers were pseudonymous and did not directly reveal the identity of individuals, the “mere possibility” of linking them to identifiable persons meant that they remained within the scope of the GDPR.
A Potential Tension with Recent CJEU Case Law
However, the reasoning adopted by the French court appears difficult to reconcile with the approach taken by the Court of Justice of the European Union (CJEU) in the case EDPS v. SRB on pseudonymisation.
In that decision (Read on the topic “Pseudonymization of Personal Data: CJEU Decision Shapes Direct Marketing and AI Training“), the CJEU clarified that the assessment of whether data qualifies as personal data must be conducted from the perspective of the entity processing the data.
If the controller does not possess the additional information necessary to identify individuals and has no reasonable means of obtaining it, the data may not necessarily be considered personal data for that controller.
This interpretation reflects an important principle of EU data protection law: identifiability must be assessed in a contextual and relative manner, taking into account the realistic capabilities of the actor involved.
The Conseil d’État decision appears to adopt a broader approach.
The court emphasized that identification of certain individuals was not technically impossible, particularly considering the volume of information associated with the identifiers and the possibility of combining multiple datasets.
This reasoning raises an important question: should the theoretical possibility of re-identification be sufficient to qualify data as personal data?
The CJEU has previously suggested that the analysis should focus on whether identification is reasonably likely, taking into account the means realistically available to the controller.
By contrast, the reasoning of the French court appears to rely more heavily on the structural characteristics of the broader data ecosystem.
This difference in approach may create legal uncertainty for organisations operating across the European Union.
Why This Matters for AI Training
The implications of this interpretation extend far beyond behavioural advertising.
The qualification of pseudonymised data as personal data is also central to ongoing debates on AI training datasets.
Many AI systems rely on large-scale datasets that include pseudonymised identifiers or behavioural information. In many cases, the developers of AI models do not possess the additional information required to identify individuals associated with these data points.
The question therefore becomes critical: should such datasets be considered personal data simply because identification may be theoretically possible somewhere within the broader data ecosystem?
This issue has become particularly relevant in the context of the Digital Omnibus package, where European policymakers are currently discussing whether the legal framework should clarify the concept of personal data when used for AI training purposes.
In recent policy discussions, some stakeholders have suggested introducing clearer rules on when pseudonymised datasets used for AI training may fall outside the scope of the GDPR.
The objective would be to provide legal certainty and facilitate the development of AI systems while maintaining appropriate safeguards for individuals.
However, decisions like the one delivered by the Conseil d’État may complicate this debate.
If courts adopt a broad interpretation according to which data remains personal data whenever re-identification is theoretically possible, the scope of the GDPR could expand significantly.
This would create challenges for organisations seeking to develop AI systems using large-scale datasets derived from digital services, behavioural analytics, or pseudonymised identifiers.
The Role of Data Ecosystems in Identifiability
Another important element highlighted by the decision is the role of data ecosystems in determining whether individuals can be identified.
The identifiability of individuals cannot be assessed by analysing a single data element in isolation. Instead, regulators and courts increasingly examine the entire ecosystem in which data is processed, including:
-
the scale of the dataset
-
the ability to combine multiple sources of data
-
the technological capabilities of the controller
-
the involvement of third parties
-
the purposes of the processing
In complex digital environments such as behavioural advertising, identifiers often circulate within networks involving advertisers, publishers, ad exchanges, and data brokers.
These interconnected ecosystems increase the ability to profile users and potentially re-identify them.
However, this ecosystem-based approach may also raise difficult questions about how far the notion of identifiability should extend.
If the possibility of re-identification somewhere in the digital ecosystem is sufficient to classify data as personal data, the concept of anonymisation may become extremely difficult to achieve in practice.
A Debate That Will Shape the Future of Data Regulation
The decision of the Conseil d’État therefore highlights a broader regulatory dilemma.
On the one hand, the GDPR adopts a broad definition of personal data to ensure that individuals remain protected in increasingly complex digital environments.
On the other hand, technological innovation—particularly in areas such as AI development, data analytics, and digital advertising—often relies on large-scale pseudonymised datasets.
Balancing these two objectives is becoming one of the most difficult challenges in European digital regulation.
As discussions continue around the Digital Omnibus package and the use of data for AI training, the interpretation of concepts such as identifiability, pseudonymisation, and anonymisation will play a decisive role.
For companies operating in both adtech and AI ecosystems, the message is clear: the legal boundaries of personal data remain fluid, and regulatory expectations around data governance are likely to become even more demanding in the coming years.
On a similar topic, you can read the article “Cookies cannot be processed on the basis of legitimate interest according to the Garante“.