The European General Court ("EGC") recently delivered a decision in case T-557/20, finding that the perspective of the data recipient is decisive when examining whether data that are transmitted to that recipient are to be regarded as pseudonymised data or anonymised data. The distinction is important as pseudonymised data constitutes "personal data" within the meaning of the GDPR, whilst anonymised data falls outside the scope of the GDPR. It remains to be seen whether the decision will be appealed to the Court of Justice of the European Union ("CJEU").
Background
Under the GDPR, “personal data” is defined in Article 4(1) as "any information relation to an identified or identifiable natural person". Recital 26 GDPR further states: "To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly.” Article 3(1) and Recital 16 of Regulation 2018/1725, respectively, contain equivalent provisions, which are applicable to EU institutions and bodies when they process personal data.
Whilst pseudonymised data is deemed to be personal data to the extent that it can be linked back to a particular person, anonymised data falls outside the scope of the GDPR as it no longer allows a data subject to be re-identified. An important issue arose in this case as to when personal data may be considered to have been truly anonymised.
The Facts
The EU's Single Resolution Board ("SRB"), which ensures the restructuring of failing banks to minimise economic harm, conducted a hearing of creditors and shareholders of a Spanish bank in the context of the bank’s resolution. SRB passed on the comments received to a consultancy firm, which it engaged to provide a valuation about whether shareholders and creditors would have received better treatment if the Spanish bank had entered into normal insolvency. When sharing the comments with the consultancy firm, SRB replaced the names of the respondents with alphanumeric codes.
Some of the respondents lodged complaints with the European Data Protection Supervisor ("EDPS"). The EDPS supervises processing of personal data by EU bodies, such as the SRB under EU Regulation 2018/1725, which contains similar provisions as the GDPR. The respondents argued that SRB had breached EU Regulation 2018/1725, by not informing them that their personal data (in the form of their comments) would be transferred to the consultancy firm.
The EDPS agreed, finding that the data transferred by SRB to the consultancy firm was pseudonymised only, and not anonymised. The fact that the consultancy firm was not mentioned as a potential recipient of personal data in SRB's privacy statement therefore constituted an infringement of data protection laws, according to the EDPS.
SRB disagreed with the EDPS's decision. It argued that it did not have to inform the respondents about the disclosure, as the consultancy firm had received only anonymised data.
The Decision
The EGC agreed with SRB’s position and overturned the EDPS's decision.
In coming to its decision, the EGC noted that the EDPS had not examined whether the information disclosed to the consultancy firm constituted personal data, on the grounds that it "related" to a particular individual by reason of its "content, purpose or effect" (in line with the CJEU's decision in Nowak C-434/16).
Instead the EDPS had limited itself to an examination of whether the information transmitted to the consultancy firm related to an identified or identifiable natural person. The EGC held that, given the alphanumeric codes put in place by the SRB, that the information transmitted to the consultancy firm did not concern "identified" persons. The issue therefore was whether the information related to "identifiable" persons.
The SRB submitted that data are rendered anonymous for a third party, even if the information allowing re-identification is not irrevocably eliminated and resides with the original processor, as long as the data are shared with that third party in such form that re-identification is not reasonably likely.
The EDPS contended that the fact that the consultancy firm did not have access to the information held by SRB that would enable re-identification did not mean that the pseudonymised data transmitted to the consultancy firm became anonymised data. The EDPS argued that the distinction between pseudonymous and anonymous data came down to whether there was any "additional information" that could be used to attribute the data to a specific individual. If there were not, then the data was anonymous. The EDPS argued the data transmitted to the consultancy firm was personal data because SRB held additional information from which the respondents could be identified.
The EGC rejected EDPS's argument, finding that the EDPS should have examined whether it was possible to re-identify the participants from the consultancy firm's perspective. The ECG extensively cited the CJEU's decision in Breyer (C-582/14) in coming to its conclusion. The ECG held that it was clear from Breyer, that the EDPS should not have concluded that the information transmitted to the consultancy firm constituted "personal data," without examining whether the consultancy firm had a legal means available to it which could in practice enable it to access the additional information necessary to re-identify the authors of the comments.
Comment
The EGC's decision shows that when examining whether pseudonymised data that are transmitted to a third party are subsequently to be regarded as personal data, it is essential to examine whether it is possible for the third party recipient to re-identify the individuals to whom the information relates. In this respect, it had to be determined whether the third party recipient had legal means that it could reasonably use to identify the data subjects. This would not be the case, for example, if the identification of the data subjects was prohibited by law or was impracticable.
The EGC's decision provides some further clarity on when information relates to an "identifiable" person and is therefore to be considered "personal data" and when it is not. For example, it may be personal data for the data transmitter, but not for the third party recipient.
While the judgment does not refer to the GDPR, but to EU Regulation 2018/1725, to the extent that this regulation is in principle identical to the GDPR, it also provides some guidance on the scope of the concept of "personal data " under the GDPR.
The ruling may be appealed to the CJEU, which would be helpful due to the need for legal certainty in regard to the scope of the concept of "personal data," and when data may be deemed to be truly anonymised.
Contact Us
If you would like more information, please do not hesitate to contact any member of our Technology and Innovation Group.
UPDATE: Please note this decision by the EGC was appealed to the CJEU on 4 August 2023, on a number of grounds. In particular, it has been claimed that the EGC incorrectly interpreted the definition of "personal data" and "pseudonymisation" in Articles 3(1) and (6) of Regulation 2018/1725, by requiring the EDPS to assess whether the information at stake in the case was personal data taking the perspective of the recipient, and by omitting to give consideration to the notion of pseudonymisation. The CJEU's decision is eagerly awaited.