Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.
All privacy eyes turned to Luxembourg courts this week with two noteworthy cases on the agenda: one on the EU-U.S. Data Privacy Framework before the European General Court and the other on the concept of personal data before the Court of Justice of the European Union.
It could have turned into a hell of a week for privacy pros, but in the end both decisions took a pragmatic turn.
First on data transfers. At stake was the potential invalidation of the EU-U.S. Data Privacy Framework, the trans-Atlantic negotiated arrangement that supports the transfer of EU personal data to the U.S in a manner compliant with EU law. Such a negative outcome would have immediately created uncertainty for thousands of (mostly) companies that rely directly or indirectly on the framework to operate across the Atlantic.
The General Court's press release in the "Latombe v Commission" case at hand provided instant relief to thousands of privacy practitioners in the EU and U.S. Indeed, it read that "on the date of adoption of the (Commission's decision), the United States of America ensured an adequate level of protection for personal data transferred from the European Union to organisations in that country." It was a noteworthy and first of its kind positive statement from the European court apparatus about trans-Atlantic adequacy.
The judgment provides welcome legal certainty about the nature of the DPF, but it does not fully close the door to future challenges. The key factor here is that the court was bound to look at the validity of the Commission's decision implementing the DPF when it was adopted, in 2023.
Whether it is a potential appeal from Latombe, an expected complaint from NOYB's Max Schrems as he already indicated, or a review of the framework by the European Commission in light of the current situation in the U.S., it is likely not the end of the story. For now, privacy pros can enjoy the reprise.
The CJEU's judgment in the European Data Protection Supervisor v. Single Resolution Boardappeal case on the definition of personal data was also notable. The EU's highest court concluded that pseudonymized data does not constitute personal data in all cases. The categorization of pseudonymized data as personal or not depends on the context.
The court disagreed with the EDPS' argument that pseudonymized data is personal data whenever and, in every case, where additional information allowing for the data subject's identification exists. It clarified that the existence of such information is not sufficient, and that such data may not be considered personal data if additional information is not available to parties other than the controller.
The opinion of CJEU Advocate-General Dean Spielmann was issued in February. The judgment confirms a pragmatic approach to pseudonymization and anonymization. It nuances that pseudonymized data must not be regarded as constituting, in all cases and for every person, personal data. It also adds that case-by-case circumstances of the data processing matters to assess the identifiable nature of the data subject. The case looked at Regulation 2018/1725, the sister legislation of the EU General Data Protection Regulation for EU bodies, but the court's thinking would logically extend to the GDPR application.
Isabelle Roccia, CIPP/E, is the managing director, Europe, for the IAPP.
Laura Pliauškaitė contributed to this report.
This article originally appeared in the Europe Data Protection Digest, a free weekly IAPP newsletter. Subscriptions to this and other IAPP newsletters can be found here.
