The Court of Justice of the European Union issued a decision 4 Sept. that clarified when pseudonymized data falls within the EU General Data Protection Regulation's definition of personal data and how responsibility is delineated among controllers when pseudonymized data is transferred to a third party.
The appeal, raised by the European Data Protection Supervisor, touched on three legal issues: whether a person's pseudonymized opinions constitute personal data, the circumstances under which pseudonymized data is considered personal data, and data controllers' obligations to notify data subjects of the reidentification risk arising during processing.
The EDPS was appealing a European General Court ruling that annulled a 2020 decision made by the EDPS where it found the EU Single Resolution Board violated the EU General Data Protection Regulation when it shared insolvent Spanish bank creditors' and shareholders' comments on the bankruptcy proceedings with an accounting firm.
The CJEU sided with the EDPS in finding that individuals' personal opinions constitute personal information and that the General Court erred by not treating the stakeholders' opinions as such. It also sided with the EDPS in holding that the reidentification risk of processing and transferring personal data must be evaluated on a case-by-case basis at the time of collection, and that the General Court erred in annulling the EDPS' original ruling in part because the EDPS had failed to determine whether the contents of the pseudonymized comments in fact contained personal information.
The CJEU, however, sided with the SRB for the question of under what conditions pseudonymized data can also be personal data, writing in the decision that "pseudonymized data must not be regarded as constituting, in all cases and for every person, personal data for the purposes of the application (of the GDPR) in so far as pseudonymization may, depending on the circumstances of the case, effectively prevent persons other than the controller from identifying the data subject in such a way that, for them, the data subject is not or is no longer identifiable."
"The CJEU provides a more nuanced approach in clarifying the terminology around 'personal data,'" IITR Datenschutz Data Protection Officer Sebastian Kraska said in an email to the IAPP. "I agree with the approach of the CJEU that personal data should be a relative — and not an absolute — term."
Background
The case originated in June 2017, when the SRB issued a preliminary decision regarding awarding compensation to Banco Popular Español's creditors and shareholders without obtaining their input. The SRB then created a mechanism for the stakeholders to provide comments on its ruling and transferred them in pseudonymized form to Deloitte, which was tasked with carrying out a valuation of the effects of the resolution procedure on shareholders and creditors.
In 2020, the EDPS initially ruled that the data the SRB shared with Deloitte constituted personal information and that the stakeholders had not been notified their comments would be transferred to a third party, in violation of the GDPR.
Three years later, the SRB successfully petitioned the General Court to annul the EDPS' decision on the grounds that the pseudonymized data received by Deloitte was sufficiently deidentified that it could not be related to a natural person, as the GDPR requires for data to be personal, and that the EDPS had not examined the contents of the comments transferred to Deloitte to determine whether they actually contained personal information.
Because the CJEU's decision arose from an appeal, the court issued its opinion for the purpose of remanding the SRB's case against the EDPS to the General Court to be re-heard in light of the CJEU's clarification.
Norton Rose Fulbright Partner Marcus Evans told the IAPP that the CJEU ruling provides some clarity for unresolved issues such as the contents of training data for artificial intelligence systems. He said pseudonymized data that is shared with a third party may fall outside the scope of EU data protection law, but that the determination will be "context-specific."
"The judgment highlights that organizations collecting personal data will fall within the scope of EU data protection law, even where they go on to pseudonymize the data," Evans said in an email. "So, for collection and transmission of pseudonymized data, disclosing controllers should assume GDPR obligations apply. Receiving controllers will need to assess their obligations based on all the relevant facts."
Paving the way for new digital reforms?
The CJEU's decision may lay the groundwork for the digital transformations to come within the EU.
The ruling will likely carry a broader impact on how the EU implements impending digital regulations, such as the Data Governance Act, Data Act and European Health Data Space, according to Osborne Clarke Partner Benjamin Docquir.
"The judgment seems to me to give 'flesh' to the idea that GDPR, DGA, DA and sector-specifics like EHDS must and can work together," Docquir said in an email. "The court does not deviate from its high standards of data protection, but recognizes that there is a world in which organizations can extract value from data and information whilst playing by the books and complying with data protection law."
Kraska said the new clarity surrounding personal data could be a boon for privacy-enhancing technologies in the EU, which help controllers anonymize and pseudonymize personal data.
"The decision is a big win for PETs and provides the long-awaited clarity for companies and data protection authorities on how to analyze data and safeguard the interests of the data subjects at the same time," Kraska said. "Controllers should be aware of the corresponding obligations regarding personal information of the data subjects."
Alex LaCasse is a staff writer at the IAPP.