On 26 April 2023, the Court of Justice of the European Union ("CJEU" or the "Court") rendered an interesting new judgment that reopens the discussion about the problems posed by the legal protection of pseudonymized data. The Eighth Chamber, Extended Composition, of the General Court issued a judgment in case T-557/20 which involved the Single Resolution Board, as the central resolution authority within the European Banking Union ("Single Resolution Board" or "SRB") and the European Data Protection Supervisor ("EDPS").
The judgment establishes the criteria for classifying pseudonymized data as anonymous, clarifies that a person's opinions are not automatically considered personal data but instead require a contextual assessment, and asserts the need to assess the risk of re-identification from the data recipient’s perspective. The Court recalls and restates the Breyer case, which has greatly influenced the Court's approach in this case.
In June 2017, the SRB decided to implement a resolution scheme for Banco Popular Español, SA. As part of this process, the SRB received assessments and opinions from various stakeholders, which also addressed the valuation of difference in treatment of the bank's shareholders and creditors carried out by the consulting firm Deloitte.
The responses received in connection with the aforementioned valuation of treatment were also forwarded to Deloitte, which, in its capacity as an independent valuer, had to examine whether its assessment remained valid in light of these comments. To protect the privacy of the individuals involved, the SRB distributed this information using pseudonymized data, replacing each individual's name with an alphanumeric code.
After the EDPS received several complaints, based on the fact that the respondents had not been informed that the data collected through the questionnaire would be transferred to a third party, the question that arose was whether Article 15(1)(d) of Regulation (EU) 2018/1725 (the right of the data subject to be informed) had been infringed. The EDPS upheld this claim, considering that the data continued to be personal data even if it was transferred only in pseudonymized form.
Thus, according to the EDPS, the difference between pseudonymous and anonymous data is that, in the case of anonymous data, there is no “additional information” that could be used to attribute the data to a specific data subject, whereas, in the case of pseudonymized data, there is such additional information. As is already known, in the case of anonymous data, it is not possible to draw conclusions about the identity of the person concerned, which is why anonymous data is not subject to data protection legislation.
2. Court Judgment
The Court carried out an analysis from several perspectives, consolidating its previous case-law.
The Court noted that the EDPS classified as personal data all the comments made by the affected shareholders and creditors during the consultation phase, without analyzing the content of the information sent by the SRB to Deloitte. The Court therefore ruled that although personal opinions or viewpoints may constitute personal data, they are not automatically presumed to be personal data. Such a conclusion must be based “on the examination of whether, by its content, purpose or effect, a view is linked to a particular person”, thus recalling the Judgment of December 20, 2017, Nowak (C‑434/16, EU:C:2017:994).
The CJEU also emphasized that, in order to determine whether shared pseudonymized data constitutes personal data, it is essential to take into consideration the perspective of the data recipient. Here the Court referred to the Judgment of October 19, 2016, Breyer (C‑582/14, EU:C:2016:779), whose conclusion was that: “a dynamic IP address registered by an online media services provider when a person accesses a website that the provider makes accessible to the public constitutes personal data (…), in relation to that provider, where the latter has the legal means which enable it to identify the data subject with additional data which the internet service provider has about that person.” Therefore, in order to establish whether pseudonymized information sent to a data recipient constitutes personal data, the data recipient’s perspective should be taken into account: if the recipient has no additional information that would allow it to re-identify the data subjects and has no legal means available to access such information, then the data transmitted may be considered anonymized and therefore does not represent personal data.
The CJEU also stated that it was the EDPS’s responsibility to examine whether the data transmitted to Deloitte constituted, in relation to Deloitte itself, personal data. However, the EDPS merely examined whether it was possible to re-identify the authors of the comments from the SRB’s perspective and not from Deloitte’s. The fact that the data discloser has the means to re-identify the data subjects is irrelevant and does not mean that the shared data is also automatically personal data from the recipient’s perspective.
Therefore, as the EDPS did not investigate whether Deloitte had the legal and practical means to access the additional information necessary to re-identify the authors of the comments, the EDPS could not have concluded that the information provided to Deloitte represented information relating to an "identifiable natural person" within the meaning of Article 3(1) of Regulation 2018/1725.
The detailed analysis of the CJEU judgment and of the Breyer case-law reveals how important it is to assess the data recipient's perspective and the technical means available in the process of determining whether the data can be classified as personal data or anonymous data. The fact that the data discloser has the necessary information and possibilities for re-identification is irrelevant to establish whether the transferred data is personal data from the recipient’s perspective. Thus, the Court added an essential dimension to the data classification analysis, taking into account not only the nature of the data itself, but also the context and the technical means available to the recipient.
3. Conclusions and Developments
Practice has shown various situations where pseudonymized data is used in the form of alphanumeric codes. For example, in the medical industry, a company may hold a set of sensitive data regarding the health condition of data subjects (e.g., their names, medical disorders and treatment history). To protect the confidentiality of this information while it is sent to third-party scientific or medical research organizations, the company may replace this sensitive data with unique alphanumeric codes. Similarly, banks and financial institutions may use alphanumeric pseudonymization when sharing customer transaction data with external audit firms for fraud detection purposes.
Through the reasoning presented in this new case-law, the CJEU makes a significant contribution to the progress of personal data processing practices in the European Union. By referring to the previous case-law in the Breyer case, it has brought an essential clarification: the supervisory authorities are required to make a particular assessment in order to determine whether or not the data in question can be considered personal data. This opens a genuine Pandora's box, in that the same data can be considered both personal and non-personal data, depending on the specific circumstances and the actual ability of each party to identify the data subject. This approach therefore comes with a challenge that is likely to generate unpredictable results.
By Monica Iancu, Partner, Andra Gheorghe, Managing Associate and Alina Zaharia, Junior Associate, Bondoc si Asociatii