Pseudonymisation of data can amount to anonymisation

Does pseudonymised data lose its personal reference if the recipient has no way of re-identifying the person? If so, the data would be anonymised and the General Data Protection Regulation (GDPR) would no longer apply. The General Court of the European Union (EGC) had to rule on this question. The verdict should provide relief for some companies (ruling of 26 April 2023, case reference: T-557/20).

Background to the decision

The focus is on an action for annulment pursuant to Art. 263 TFEU before the General Court of the European Union, which often serves as the first instance to the CJEU.

The plaintiff was the Single Resolution Board (SRB), which brought an action against the decision of the European Data Protection Supervisor (EDPS) of 24 November 2020.

One of the SRB’s tasks is to ensure that financial institutions at risk of insolvency are wound up in an orderly manner while minimising the impact on the real economy. In the course of such resolution proceedings against a Spanish bank, the SRB sent an electronic contact form to the respective shareholders and creditors, allowing them to exercise their right to be heard.

The responses were then forwarded to a consultancy firm, which was tasked with analysing the responses. Before being forwarded, the names of the respondents were given an alphanumeric code consisting of a 33-digit randomly generated identification number.

The consulting firm therefore had no knowledge of the identity of the interviewees. Decoding or access to the corresponding database was not possible for the consulting firm. Only the SRB was able to decode the codes and assign them to a specific person thanks to a corresponding database.

After receiving several complaints regarding this transfer of the coded opinions, the EDPS decided that this procedure constituted a violation of Art. 15 (1) lit. d Regulation (EU) 2018/1725 (analogous to Art. 13 (1) lit. e GDPR, which defines the obligation to inform data subjects about recipients). In the opinion of the EDPS, the SRB should have informed all data subjects that their personal data might be passed on to the consulting firm. In its view, it was sufficient that the SRB held the additional information on the basis of which re-identification was possible.

The SRB, on the other hand, was of the opinion that there was no obligation to provide information, as the transfer of the data had not led to pseudonymisation. Rather, the data had remained anonymous, as the consulting firm had no possibility of re-identification.

The judgment

The EGC followed the SRB’s opinion and annulled the EDPS’s decision.

According to the judgment, Art. 3 No. 1 Regulation 2018/1725 sets two requirements for the term personal data:

  • the existence of an “identified or identifiable” person and
  • a “reference” to a natural person.

Personal reference can be omitted for pseudonymised data

The EGC first examined whether the information disclosed related to an identified or identifiable natural person. In this case, it concerned the disclosure of pseudonymised data. This must be distinguished from anonymised data. If data is anonymised, there is no reference to a natural person anymore.

The EGC has now clarified the following with regard to pseudonymised data:

  • The pseudonymisation of data can also have an anonymising effect. In the case of pseudonymisation, the personal reference is initially removed. However, it is still possible to assign the data to a person and identify them.
  • The judges of the EGC are of the opinion that the theoretical possibility of identification alone is not sufficient. The re-identification of the person must also be practically and legally possible.

Recipient view decisive for personal reference

In its reasoning, the EGC referred to a CJEU ruling from 19 October 2016 (Ref.: C-582/14). In this judgment, the CJEU found that IP addresses could constitute personal data if the provider of the online media service received additional information from the internet access provider.

In this case, the EGC found that the recipient’s perspective is decisive for the assessment of the personal reference of data. Data that is passed on in pseudonymised form can potentially become anonymous data through the transfer. According to the EGC, this must be assessed from the position of the recipient. If the recipient does not have access to the additional information or if access is not practically feasible, the pseudonymised data would become anonymised data.

The fact that the sender of the data has the possibility of re-identification is irrelevant here. The existence of a theoretical risk of re-identification is not decisive. Rather, the possibility of a practical and legal implementation of re-identification is required.

Conversely, this means that if the recipient can practically and legally re-identify the data subject, the pseudonymised data will remain pseudonymised.

In this case, the consultancy had no additional information regarding the statements. The consultancy would not have been able to draw any conclusions about the individuals or otherwise re-identify them from the alphanumeric codes alone. Only the SRB had access to the associated identification database, which could have been used to identify the persons concerned.

As a result, the General Court annulled the EDPS’s decision. According to the judges, the EDPS should have examined whether the consulting firm had the necessary means for re-identification (e.g. access to the database) or whether re-identification was sufficiently probable.

Legal assessment

Relative instead of absolute personal reference

In its judgment, the EGC chose the path of relative personal reference:

  • It is not sufficient that re-identification is theoretically possible, even by third parties (absolute personal reference).
  • Rather, the personal reference of pseudonymised data depends on whether the re-identification of persons is also practically and legally feasible (relative personal reference).

Such a risk of re-identification would not exist if re-identification required a “disproportionate amount of time, cost and labour, so that the risk of identification would have appeared de facto negligible”.

Furthermore, the risk does not exist if it is not legally permissible for the recipient to access the data required for re-identification.

Statements and opinions may constitute personal data

In the course of the proceedings, however, the EGC also found that the comments themselves could well contain information about individuals. Consequently, the texts could be categorised as personal data, as it could not be completely ruled out that personal views or opinions constituted personal data. It would have to be examined on a case-by-case basis whether their content, purpose and impact could be linked to a specific person.

Relevance for practice

Even though the EGC examined standards from Regulation (EU) 2018/1725 and not from the GDPR, the entire judgment can be applied analogously to the GDPR.

The judgment is extremely interesting in practice. It makes it easier to (further) process data that has already been pseudonymised and may save companies the effort that would otherwise be required to fulfil data protection obligations – for example, the conclusion of a data processing agreement, a joint controller agreement or data protection documentation obligations.

Therefore, when companies work with pseudonymised data, they should check whether the recipient has the necessary means for re-identification or whether re-identification is sufficiently probable in both practical and legal terms.

If there is no such risk of re-identification, the GDPR does not apply to the corresponding data processing and the associated obligations do not apply. An additional safeguard is to contractually prohibit re-identification or to have the means for re-identification secured under a fiduciary contract.

It must also be considered whether the pseudonymisation by the original controller was lawful before transmission. This requires a corresponding legal basis from the original controller.
