The EU General Court has overruled the European Data Protection Supervisor and held that pseudonymised data will not be personal data for the purposes of EU data protection law when transferred to a recipient that is unable to link the pseudonyms to identifiable individuals1. This is a pragmatic approach that provides greater certainty for businesses that routinely use pseudonymisation, but risks undermining protections for individuals.
Pseudonymisation vs Anonymisation
EU data protection law regulates “personal data”. Under the GDPR “personal data” is defined as information that relates to an identified or identifiable natural person. If data about individuals is processed so that the individuals cannot be identified, the data can be used free from the restrictions imposed by the GDPR (e.g. enabling a pharmaceutical company to use patient data for R&D).
When data is described as “pseudonymised” it means that the data cannot be attributed to a specific individual without the use of additional information. At its most basic pseudonymisation involves replacing individuals’ names in a dataset with codes such that without additional information detailing which code designates which name, the data cannot be linked to a particular individual. However, with that additional information the data can be linked to a particular individual. Therefore, pseudonymised data generally constitutes “personal data” for the purposes of the GDPR because it allows for some form of reidentification. Pseudonymisation still plays an important role as a security measure because it can reduce the risk of harm to individuals in the event that pseudonymised data is disclosed.
“Anonymised” data is data that has been irreversibly scrubbed of any identifying information, so that it is not possible to link it back to the relevant individual. If information has been successfully anonymised, then it is no longer considered “personal data” for the purposes of the GDPR and the processing of the data will be outside the remit of the GDPR. Anonymisation techniques can, however, sometimes impact the statistical properties of the data – for instance, the specific ages of participants in a clinical trial may need to be translated into age ranges, in order for the data to be properly anonymised.
Background to the General Court Decision
In 2017, the Single Resolution Board (“SRB”) of the European Union placed Banco Popular Español, S.A. (“Banco Popular”), then the sixth largest banking group in Spain, under resolution and transferred ownership of Banco Popular to Santander. Deloitte were subsequently instructed to examine whether the shareholders and creditors of Banco Popular would have received better treatment if Banco Popular had entered into normal insolvency proceedings, as opposed to being placed under resolution.
As part of this process, the SRB invited submissions from affected shareholders and creditors. Their comments were then sent to Deloitte by the SRB for their independent assessment. Five complaints were made to the European Data Protection Supervisor by affected shareholders and creditors on the basis that the disclosure of comments to Deloitte was not properly explained in the SRB’s privacy notice.
One of the key questions for the General Court, was whether the information transmitted by the SRB to Deloitte constituted “personal data” (i.e. did it relate to an “identified or identifiable” natural person?).
Prior to disclosing the data, the SRB generated a random alphanumeric code to replace the name of the individual (i.e. the data was pseudonymised). The individuals could be re-identified by entering the alphanumeric code into the SRB’s identification database.
When the SRB passed the comments on to Deloitte, they did not remove the alphanumeric codes that linked the comments to the commenters in SRB’s database. The European Data Protection Supervisor held that because the SRB maintained the ability to link the codes to individuals, the data was merely pseudonymised and not anonymised – it was therefore “personal data”.
The General Court disagreed with this analysis. The court held that when considering whether shared information is “personal data” it is necessary to consider the position of the data recipient. If the recipient does not have the means to re-identify the individuals, the information should be considered anonymised and not “personal data” (even if the transferor is able to re-identify individuals).
The European Data Protection Supervisor had not examined whether Deloitte had the legal means to access the additional information necessary to re-identify the original authors of the comments and so the General Court found that the European Data Protection Supervisor could not therefore conclude that the comments related to identifiable individuals.
In a data sharing scenario, it is critical to look at the position of the recipient when considering whether the data being transferred relates to an identifiable individual. In many cases, where a data recipient is transferred pseudonymised data without the key that allows the pseudonyms to be mapped to individuals, that will be sufficient for the data to be considered anonymous and outside the scoped of the GDPR. However, it is important to also consider whether the recipient could identify individuals through other means (e.g. by combining the data with other data available to the recipient). The General Court affirmed previous case law holding that, even if identification is theoretically possible, data is not “personal data”, if the steps needed to identify the individual are “prohibited by law or practically impossible” or would involve “a disproportionate effort in terms of time, cost and man-power, so that the risk of identification appears in reality to be insignificant”.
In deciding that an assessment of the means available to the recipient is critical, the General Court took a pragmatic approach for businesses. However, it risks undermining the purposes of the GDPR’s security and data breach requirements. After all, if a hacker or fraudster is able to re-identify individuals, in the event of a data breach it would be little solace for data subjects that the intended recipient was not able to.
It is important to note that this case considered a transfer from one data controller to another data controller. We would suggest that the position is different for transfers from a controller to their processor. Where pseudonymised data is transferred from a controller to their processor without a pseudonym key, the fact that only the controller has the pseudonym key is highly unlikely to take processing of the pseudonymised data outside scope of the GDPR.
Even if pseudonymisation does not bring data outside the scope of the GDPR (because legal means remain available to re-identify the data subject), pseudonymisation can still play an important role. The GDPR envisages pseudonymisation as a valuable security measure. For example, the GDPR expressly refers to pseudonymisation as an important security measure to support R&D using personal data. Of course, for pseudonymisation to be effective, the pseudonym key must be stored separately.