Latham & Watkins LLP

The CJEU rules that personal data can be pseudonymous in the hands of one party and anonymous in the hands of another.

The Court of Justice of the European Union (CJEU) has delivered its judgment in case C-413/23 EDPS v. SRB, addressing questions on the scope of personal data regulated by the EU institutions’ version of the GDPR – Regulation 2018/1725 (which is materially equivalent to the GDPR). The CJEU closely followed the Advocate General’s Opinion in this case. For further detail on the Opinion, see this Latham blog post.

Of practical significance for businesses subject to the EU GDPR, the CJEU ruled that the categorisation of personal data as pseudonymous or anonymous should be assessed from the relative perspective of the recipient/holder of that data. Data could therefore be pseudonymous in the hands of one party (i.e., the discloser of that data, with access to relevant re-identification information) and anonymous in the hands of another (i.e., the recipient of that data, without reasonable access to the re-identification information).

Background

In 2020, the European Data Protection Supervisor (EDPS) issued a decision that the Single Resolution Board (SRB), the central resolution authority within the Banking Union, allegedly breached its transparency obligations under the EU institutions’ GDPR by failing to include in its privacy notice information on its disclosure of personal data to a third-party professional services firm, in the context of a bank resolution procedure. The SRB challenged this decision and argued that the relevant data was anonymous when the recipient firm received it. Indeed, the SRB stated it shared the data in pseudonymised form and did not provide the firm with the re-identification information; therefore, the firm could not reasonably identify the relevant individuals. On this basis, the SRB argued that the firm was not a recipient of regulated personal data from the SRB, as anonymous data falls outside the scope of personal data regulated by the EU institutions’ GDPR. Therefore, the SRB took the position that it was not required to include information on that disclosure in its privacy notice.

The EDPS rejected the SRB’s position on this point and instead held that the SRB had shared pseudonymous data rather than anonymous data with the recipient firm, as the relevant individuals could be re-identified with the information held by the SRB. The fact that the firm itself did not have that re-identification information was insufficient to render the data anonymous, in the EDPS’ view.

In 2023, the General Court of the European Union (General Court) annulled the EDPS’ decision (ruling of 26 April 2023, T-557/20). The General Court ruled that the EDPS had been wrong to conclude that personal data that was pseudonymous for the SRB, as the data discloser, was automatically pseudonymous (rather than anonymous) for the firm as the data recipient. Instead, the General Court considered that the EDPS should have assessed whether the disclosed data was pseudonymous or anonymous for the firm from its perspective as recipient, rather than from the SRB’s perspective as discloser. As the EDPS had not carried out such an assessment, the General Court rejected the EDPS’ conclusion that the disclosed data was pseudonymous and, therefore, personal data regulated by the EU institutions’ GDPR.

The EDPS appealed the General Court’s decision to the CJEU.

CJEU Judgment

The CJEU set aside certain aspects of the General Court’s 2023 judgment and referred those elements of the case back to the General Court, whilst giving final judgment on several substantive issues around the scope and nature of personal data.

Scope of Personal Data

In its judgment, the CJEU rejected the EDPS’ argument that pseudonymised data should automatically be considered pseudonymous (rather than anonymous) if the re-identification information still exists. In this regard, the CJEU explicitly denied the “absolute” personal data approach advocated by the EDPS. Rather, the CJEU found that the nature of personal data should be assessed from the perspective of the entity receiving and processing that data. If that entity has reasonable means to identify the relevant individuals from the pseudonymous data, it is deemed to be processing personal data as regulated by the EU institutions’ GDPR. If, on the other hand, that entity does not have reasonable means to identify the relevant individuals, it is processing anonymous data outside the scope of the EU institutions’ GDPR. The CJEU’s approach on this point is in line with previous CJEU case law regarding the interpretation of personal data under the GDPR.

In practice, the CJEU’s approach means that the same data could be considered pseudonymous in the hands of one entity, but anonymous in the hands of another. In reaching this conclusion, the CJEU rejected the EDPS’ argument that such a “relative” assessment of personal data would unduly narrow the concept of personal data and undermine the protection afforded to individuals by the GDPR.

Transparency

The CJEU sought to draw a distinction between the categorisation of data as personal data or anonymous data and the question of the SRB’s compliance with its transparency obligations. The CJEU found that the SRB was required to include in its privacy notice information about its disclosures to the recipient firm. In this regard, the CJEU rejected the SRB’s argument that such information was not required in its privacy notice, as the relevant data was anonymous when received by the recipient firm and therefore outside the scope of the EU institutions’ GDPR. The CJEU reached its conclusion on the basis that the relevant transparency obligations apply to the SRB as the controller collecting personal data from the individuals, and require the SRB to inform those individuals of the processing and disclosure of their personal data at the time that data was collected. As the relevant data was personal data in the SRB’s hands when it was collected by the SRB (which is not disputed), the SRB was obliged to inform the individuals of its disclosure to the recipient firm, irrespective of whether that data was ultimately considered pseudonymous personal data or anonymous data in the hands of the recipient firm at a later point in time.

Opinions of Individuals as Personal Data

The CJEU agreed with the EDPS that an opinion necessarily relates to the individual that authored it, and is therefore the personal data of that individual. It further agreed that a specific assessment of the content, purpose, and effect of the opinion is not required. Unlike the Advocate General, the CJEU did not expressly set out the contrasting approach for the subjects of opinions, i.e., that an opinion cannot be presumed to relate to the subject of that opinion and, therefore, an assessment would be required to determine whether such an opinion is the personal data of its individual subject. However, this approach is implied in the CJEU’s reasoning.

Implications

Though the CJEU’s decision was made under the EU institutions’ version of the GDPR, the concepts and definitions of personal data are identical to those in the GDPR. Therefore, it is very likely that national courts and data protection authorities will apply the judgment to the interpretation of personal data under the GDPR.

The CJEU’s endorsement of personal data as a relative concept — to be assessed from the perspective of the recipient — is a welcome clarification for many organisations deploying pseudonymisation and anonymisation measures when sharing or receiving personal data from others. This may be particularly relevant for organisations conducting scientific research with health data or for the training of artificial intelligence systems with data sets provided by third parties.

The CJEU’s approach to transparency serves as a valuable reminder for organisations to consider their transparency obligations based on the personal data they collect and the processing they carry out. It is also a reminder of the requirement to provide information to individuals at the time of data collection, notwithstanding the potential for any recipients with whom they share personal data to position themselves as processing anonymous data (outside the scope of the GDPR).
