EU general court rules on the difference between pseudonymised and anonymised data

With its judgement of 26 April the EGC clarified when data that is passed on to a third party is still considered pseudonymised and when it is anonymised. This question is important because anonymised data no longer allow the re-identification of the data subject and are accordingly not to be classified as personal data. They therefore do not fall within the scope of the EU General Data Protection Regulation (GDPR) or other data protection regulations. Pseudonymised data, on the other hand, do.

The decision

The EGC clarified that the perspective of the data recipient is decisive when examining whether pseudonymised data that are transmitted to a third party are subsequently to be regarded as personal data. In this respect, it had to be determined whether the data recipient had means at his disposal that he could reasonably use to identify the data subjects. This was not the case, for example, if the identification of the data subjects was prohibited by law or was impracticable.

This assessment differs from the view recently taken by most (EU) data protection supervisory authorities and national courts, which have considered any possibility of re-identifiability - also by the data transmitter or third parties - as sufficient and have accordingly not limited themselves to the examination from the perspective of the data recipient.

The case

In 2018, the Single Resolution Board (SRB) conducted a hearing of creditors and shareholders of a Spanish bank in the context of the bank’s resolution. SRB passed on the comments received to a consultancy firm, such firm acting as a data controller. Previously, SRB replaced the names of the respondents with alphanumeric codes.

Some of the respondents lodged complaints with the European Data Protection Supervisor (EDPS). They argued that SRB had not informed them that the personal data collected would be transferred to the consultancy firm. In doing so, the SRB had violated data protection information obligations. These stipulate that the controller must, among other things, inform about the recipients or categories of recipients of the personal data - thus also about the consultancy firm.

The EDPS decided that the data transferred by SRB to the consultancy firm were not anonymised, but only pseudonymised. The fact that the consultancy was not mentioned as a potential recipient of personal data in SRB's privacy statement therefore constituted an infringement of data protection lasw, according to the EDPS.

SRB disagreed with this decision: It said it did not have to inform the respondents about the disclosure, as the consultancy as the data recipient had received only anonymised data.

The EGC agreed with SRB’s position and overturned the EDPS's decision: The EDPS had limited himself to the examination of re-identifiability by SRB. However, he should have clarified whether the consultancy firm as data recipient had the right and the actual possibility to access the additional information required for re-identification at the SRB. If this is not the case, it will be anonymised, and thus will not personal data for the consultancy firm.

While the judgment does not refer to the GDPR, but to the EU’s Regulation on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, this regulation is – in principle - identical to the GDPR. The judgement therefore also establishes a provisional precedent for matters that fall under the GDPR.

The consequences

The EGC's decision provides a little more clarity on when information relates to an "identifiable" person and is therefore to be considered "personal data" and when it is not. For example, it may be personal data for the data transmitter or third parties, but not for the data recipient.

The assessment of whether re-identification for the data recipient can be ruled out with sufficient probability requires an examination on a case-by-case basis. In particular, companies should consider whether means are available that can reasonably be used to identify the data subjects. This will often  not be the case for illegal means of or if re-identification would require disproportionate efforts. The result of the assessment should be documented in an appropriate way, especially if the assessment comes to the conclusion that the data is anonymized.

The ruling can still be appealed to the Court of Justice of the European Union (CJEU). This would be much welcomed due to the fundamental importance of the legal issues involved. It would be helpful if the CJEU would use this opportunity to give additional guidance as to where the threshold for anonymisation is reached.