Europe: EU General Court Clarifies When Pseudonymized Data is Considered Personal Data

On 26th April, the General Court of the European Union (EGC), published its judgment in Case T-557/20, Single Resolution Board (SRB) v European Data Protection Supervisor (EDPS), in relation to the threshold between pseudonymous and anonymous data.

The EGC held that pseudonymised data transmitted to a data recipient will not be considered personal data if the recipient of the data does not itself have the means to re-identify the individuals. The EGC also clarified that an individual’s views and opinions are not, by default, personal data – a case-by-case assessment is required.

Background

As a result of a resolution scheme, affected shareholders and creditors were asked by the SRB to submit comments as part of the right to be heard process. The SRB then shared these comments with a third party consulting firm. The SRB pseudonymised the comments before sharing with the third party consulting firm by replacing the name of each individual with alphanumeric code. The consulting firm was not provided with the decoding key capable of linking the alphanumeric codes to individual respondents. As a result, a number of claims were filed to the EPDS against the SRB by affected shareholders and creditors, alleging that the SRB had failed to inform them that their personal data would be transmitted to third parties. The SRB argued that the data transmitted were anonymised and therefore were not personal data.

The EDPS held that SRB had shared pseudonymised data (rather than anonymised data) with the consulting firm –  the alphanumeric code used by the SRB allowed the SRB to link the comments to an individual,  even though the third party consulting firm did not have the decoding key and were not able to identify any individuals. As a result, the EDPS held that the personal data had been shared with the third party consulting firm in breach of the SRB’s information obligations.

The SRB appealed to the EGC, rejecting the EDPS determination that the information transmitted to the consulting firm constituted personal data.

Key takeaways from the EGC Decision

  • The EGC held that in order to determine whether the information transmitted to the third party constituted personal data, “it is necessary to put oneself in [the third party’s] position in order to determine whether the information transmitted to it relates to ‘identifiable persons’.” The information transmitted to the consulting firm did not constitute information relating to an ‘identified natural person’, as the data recipient did not have any means to re-identify the individuals –  SRB alone held the additional information that enabled the affected shareholders and creditors to be identified.
  • The EGC clarified that whether the data constitutes ‘personal data’ – and therefore falls within the scope of the GDPR – depends on whether the recipient has the means available to it to enable it to access the additional information necessary to re-identify the individuals. The fact that the sender has the means to re-identify individuals does not mean that the transmitted data is automatically also personal data in the hands of the recipient.  However, the EGC did not expressly state the specific conditions for data to be considered anonymous.
  • The EGC concluded that although personal views or opinions may constitute personal data, they cannot be presumed to contain personal data and instead an examination should be carried out of whether, by its “content, purpose or effect, a view is linked to a particular person”. 

Commentary

The EGC decision provides welcomed clarity on what information may constitute ‘personal data’, particularly in relation to the test for pseudonymised data versus anonymised data. In particular, the decision confirms that data received by a recipient which does not have the means available to enable that recipient to re-identify individuals, results in the data not amounting to personal data in the hands of the recipient – the fact the sender is able to re-identify the individuals does not mean that the transmitted data is automatically also personal data for the recipient. However, it should be noted that the EDPS will likely appeal this ruling to the Court of Justice of the European Union.

For further information or if you have any questions, please contact your usual DLA Piper contact.