When pseudonymized data can no longer directly or indirectly identify a physical person and thus fall outside of the scope of the GDPR?
This is the question the General Court of the European Union (EGC) deals with in its ruling of 26 April 2023, case reference: T-557/20. The EGC in its verdict adopts a practical approach which should give relief to modern industry, e-economy and online services.
The EGC held that the answer depends on whether a recipient of pseudonymized data, holds or may reasonable likely acquire information that eventually can identify a natural person.
Background to the decision
The case was brought before the EGC, which can serve as the first instance to the CJEU, by an action of the Single Resolution Board (SRB) based on Article 263 TFEU against the revised decision of the European Data Protection Supervisor (EDPS) following five complaints about the transfer of data collected by the SRB to a third party, which was a consulting company, without informing the complainants, prior to the transfer.
The SRB, namely the central resolution authority within the Banking Union of the EU and under Regulation (EU) No 806/2014 for the framework of a Single Resolution Mechanism, adopted a resolution scheme for a Spanish bank which was bankrupted. In this procedure the SRB called via its website shareholders and creditors that may be affected by the resolution of the bank to register online and provide proof of their ID and their capacity as shareholders or creditors in order to exercise their right to be heard. A relevant privacy notice was also published on its website. At a second stage, the SRB sent an email to those considered to be affected and asked them to complete a form with their opinions. After their names had been replaced with an alphanumeric code consisting of a 33-digit randomly generated identification number, the responses were forwarded to a consultancy firm, which undertook to analyse them. However, the privacy notice on the website had no information about this transfer or other recipients except the SRB itself.
On that ground the EDPS, after receiving five complaints, found that the transfer of these coded responses was in violation of Art. 15 (1) (d) of Regulation (EU) 2018/1725 (analogous to GDPR Art. 13 (1)(e) obligation to inform the recipients).
The SRB argued that there was no obligation to provide information, because the transmitted data to the consulting firm did not constitute personal data, but were anonymous data for the consulting firm, even if the information allowing re-identification is not irrevocably eliminated and resides with the original processor of data (i.e. SRB); this is so because the consultancy firm had had no access to the database with original collected data and thus there was no possibility of data subjects being reidentified by the consulting firm.
The judgment
The EGC adopted the SRB’s arguments and annulled the EDPS’s decision.
The criteria according to the Court that Article 3(1) of Regulation 2018/1725 sets to define ‘personal data’ are two:
– the information ‘relates’ to a natural person, meaning that by reason of its content, purpose or effect is linked to a particular person (with ref. to Nowak case C‑434/16)
– the information relates to an ‘identified or identifiable’ natural person (with ref. to Breyer case C‑582/14).
As it was stated by the EDPS during the hearing of the case, the additional information necessary to identify the authors of the comments (respondents in the forms) consisted of the alphanumeric code and the identification database of the SRB.
The EGC held that first, the EDPS in his decision had not examined whether opinions within a form, transmitted to the consultancy company, could relate to a particular natural person by their content, purpose and effect. Second, the EDPS wrongfully considered the transmitted data as pseudonymized data (i.e. information related to an identifiable natural person) because he took for granted, that additional information existed, which could identify natural persons. In that respect, he did not take into account that the necessary additional information for re-identification of respondents was in the hands of the SRB and not in the hands of the consulting firm, which had no access to the SRB’s database, which included names and IDs.
The decisive factor for the Court was if the recipient of the disclosed coded data could in a reasonably possible manner or with means likely reasonably to be used, to identify the data subject and not generally, if additional information that could led to identification existed somewhere.
In other words, the possibility of combining additional information for the identification of a natural person is not sufficient on its own; such possibility must not have been prohibited by law or be practically impossible in the sense that it would have required a disproportionate effort in terms of time, cost and man-power effectively rendering the risk of identification insignificant (see judgment Breyer, C‑582/14 para. 46).
Further and most notably, that possibility according to the EGC must be examined by reference to the position of the recipient of the data and not just by reference to the position of the exporter of the data.
The EGC concluded that the transmitted data was not information relating to an ‘identifiable natural person’; in his decision the EDPS had not examined from the perspective of the consulting firm if the firm “had legal means available to it which could in practice enable it to access the additional information necessary to re-identify the authors of the comments” (see EGC judgment T-557/20 para. 105), which was not the case as the firm was not allowed by law to have access to the identification database of the SRB.
As the EDPS has lodged an appeal against the judgment of the EGC, it remains to be seen if the bold step of the EGC will be endorsed by the CJEU.
Date: 9 October 2024
Author of the Article: Eleni Zafeiri, Lawyer & Legal Consultant at Markou & Co LLC
References:
Regulation (EU) 2018/1725 (http://data.europa.eu/eli/reg/2018/1725/oj )
Regulation (EU) 2016/679 (GDPR) (http://data.europa.eu/eli/reg/2016/679/oj )
EGC judgment T-557/20 (62020TJ0557 (europa.eu)
CJEU Case Nowak C-434/16 (EUR-Lex – 62016CJ0434 – EN – EUR-Lex (europa.eu))
CJEU Case Breyer C-582/14 (EUR-Lex – 62014CJ0582 – EN – EUR-Lex (europa.eu))
