A new EU General Court ruling has nuanced the threshold between pseudonymous and anonymous data. In particular, it clarifies that supervisory authorities need to carry out a “test” to assess whether data can be deemed personal data or not, opening the possibility of pseudonymized data not being deemed personal data. Under this approach, the same data in different hands can qualify as both personal data and non-personal data, depending on the factual and legal circumstances in the specific scenario, and the actual ability of each party to identify the data subject. Note that this ruling can still be appealed with the European Court of Justice (which is likely to occur).
Context of the Judgment
In the context of a resolution scheme of a well-known Spanish Bank and personal data processed during the right to be heard process, claims were filed to the European Data Protection Supervisor (EDPS) against the Single Resolution Board (SRB) due to the alleged lack of information on the data sharing by SRB to third parties. Data was shared after a pseudonymization process (without recipient having the “decoding” key). The EDPS deemed that SRB breached the duty of information, and as such pseudonymized data was deemed personal data. However, SRB appealed the EDPS’s decision, and the General Court annulled the same, recognizing the need to assess the recipient of information’s capability to reidentify the individuals behind the pseudonymized data. The ruling opens the possibility of coded information not being personal data per se. It must be highlighted that this judgment can be appealed to the European Court of Justice.
Under the GDPR, information that can directly identify a person is considered personal data (e.g. name and surname). Information that could identify individuals with additional information (and reasonable efforts) may also be considered personal data. This is the case of pseudonymized data, such as coded information or encrypted data.
As a result, the border between pseudonymity and anonymity has always been a battlefield. Reaching true anonymization has become difficult in practice due to technical developments. There are many occasions where companies have databases where in practice it is impossible to identify individuals. However, authorities still consider that these databases allow identification with the “help” of third parties (ergo the databases contain personal data in their view).
Situation before the ruling
The level of efforts required to identify individuals, the potential advantage for the “controller,” and the techniques available have always been factors to consider when assessing whether anonymity has been reached or not (e.g. this report of the GT29 of 2007). However, the “bar” was set by the ECJ in Case C‑582/14. In summary, the court ruled that a dynamic IP address registered by an online media services provider was personal data because with additional information provided by the internet service provider (the telecoms operator), the online media services provider could “identify” the individual. This is an extremely high threshold for anonymity. The court even admitted that internet service providers are not allowed to transmit this data to the online service provider. However, in the words of the court “in the event of cyber attacks legal channels exist so that the online media services provider is able to contact the competent authority, so that the latter can take the steps necessary to obtain that information from the internet service provider”. For many years , this has been the “playing field.”
What has changed?
On the basis of the definition of “personal data” laid down in Article 3(1) of Regulation 2018/1725 – the same provided for in art. 4(1) GDPR (i.e. “any information relating to an identified or identifiable natural person (‘data subject’)…”), the Court assesses whether certain information shared with a third party “relates” to an individual, and if the same relates to an “identified or identifiable” natural person. For the purposes at hand, the analysis of the condition of “identified and identifiable” is of particular interest.
In this case, SRB submitted that the data was rendered anonymous for a third party - even if the information allowing re-identification was not irrevocably eliminated and resided with the original processing entity - as long as the form in which the data were shared with that third party did not allow re-identification anymore or where re-identification was not reasonably likely. On the other hand, the EDPS stood for the traditional approach to pseudonymized data. In that regard, it stated that the difference between pseudonymous and anonymous data is that, in the case of anonymous data, there is no “additional information” that can be used to attribute the data to a specific data subject, whereas, in the case of pseudonymized data, there is such additional information.
This ruling has clarified is the relevant perspective to assess whether data is anonymous or only pseudonymous. The Court states that the determination of whether information constitutes personal data shall be carried out from the position and powers of each party. For one company some information can constitute personal data and for another it may not be. That is, when sharing data, it is important for one to carry out an assessment also from the shoes of the recipient. The Court rules that a supervisory authority shall assess on a case-by-case basis whether a “controller” has legal means available that in practice enables it to access the additional information necessary to re-identify.
The Court highlights that, in order to assess whether reidentification is reasonably possible or not, this test of feasibility and effort shall be carried out from the perspective of the recipient of the information, opening the door to consider that in some cases recipients of information that are not provided with the “key” to re-identify (and additional safeguards) may be out of the scope of the GDPR. In particular, this test shall take into account whether reidentification is possible both legally and factually. The authority shall carry out this test on a case-by-case basis taking into account the specific factors in order to ascertain whether information constitutes personal data or not.
It should be noted that the court has annulled European Data Protection Supervisor’s only as it relates to not carrying out the “re-identification” test. It has not expressly stated which are the conditions to consider whether data is anonymous or not.
We should be cautious because the judgment can be appealed and the court has not expressly stated the specific conditions for data to be considered anonymous.
However, this ruling can be used in sanctioning proceedings in the future as supervisory authorities need to carry out this test (or at least it serves as a good argument).
In addition, in some scenarios (with some risk), companies can carry out “reidentification tests” to prove that a database is anonymous. For this test the company can consider that the same data in different hands can qualify as anonymous or not depending on the factual and legal circumstances at hand. This can prove really useful in many contexts (e.g. clinical trials, algorithm training, etc.).