Blurring a Name Doesn't Anonymise a Face: What GDPR Actually Says

Think your facial datasets are anonymized? Think again. For developers building computer vision (CV) pipelines or biometrics-heavy applications, the line between "pseudonymized" and "anonymized" data just became a high-stakes technical boundary. A recent EU court ruling has clarified a long-standing debate: if you strip the names from a facial dataset but retain the ability to re-identify those individuals—even through "additional information" like a lookup table or a specific encryption key—you are still processing personal data under GDPR. For those of us working with facial comparison algorithms, this ruling collapses the "metadata-only" defense. It implies that the face itself is the primary identifier. From a technical perspective, this means your Euclidean distance vectors and biometric embeddings are likely considered high-risk personal data under Article 9, regardless of how many layers of UUIDs you wrap them in. The Algorithm is the Identifier In the world of facial comparison