In the same week the European Court of Justice published three rulings on the interpretation of the EU General Data Protection Regulation, clarifying details around subject access requests, immaterial damages and accountability, another EU court handed down a landmark ruling on the concept of personal data, which has largely gone unnoticed. Although this ruling did not make it into the headlines, it will undoubtedly have a much bigger impact on the work of privacy professionals in Europe and beyond.
The question of what constitutes "personal data" touches on the foundation of data protection law, as it determines whether or not the GDPR and other data protection laws apply. Notwithstanding, the circumstances in which a natural person is "identifiable," and personal data can therefore be processed, are far from clear. In particular, the concept of anonymization remained clouded for decades, with EU data protection supervisory authorities and national courts holding anonymization is virtually impossible as long as someone, even a third party, can identify the respective person (referred to as the "absolute" concept of identifiability).
This is where the 26 April ruling of the European General Court brought much needed clarification.
So, what was this case about?
The case involved the EU Single Resolution Board, an EU institution within the Banking Union, and the European Data Protection Supervisor, the data protection supervisory authority responsible for EU institutions and bodies. The SRB engaged Deloitte as a contractor and transferred to the company data sets containing feedback to questions the SRB posed to shareholders and creditors of a Spanish bank the SRB had under resolution. The data sets contained individual comments by shareholders and creditors but did not reveal their identities. Instead, the data sets contained a unique alphanumeric code, assigned to each individual comment, that had been randomly generated by the SRB at the time the feedback was received. With this code, only authorized personnel at the SRB could link the comments to the additional data received from the shareholders and creditors, and thus identify the authors of the comments. Deloitte had no access to the alphanumeric code or other information which would have allowed it to identify an individual shareholder or creditor as author of a comment.
The EDPS considered the data sets nevertheless to constitute personal data also for Deloitte and found that SRB had infringed EU Regulation 2018/1725 (which is largely identical to the GDPR and applies to EU institutions and bodies) by not informing shareholders and creditors that their personal data will be shared with Deloitte. SRB argued that the data sets which it had shared with Deloitte did not constitute personal data and asked the EGC to annul the EDPS decision.
In its ruling, the general court held that the EDPS failed to examine whether the authors of the comments were reidentifiable for Deloitte and whether such reidentification was reasonably possible. Therefore, the EGC annulled the EDPS decision.
Why does it matter?
In brief, the EGC threw out the interpretation of personal data EU supervisory authorities and courts have relied on since the GDPR entered into force.
To put the ruling into perspective, one has to go back a few years to 2016. That year, the ECJ issued a landmark ruling on the concept of personal data in the infamous Breyer case. When asked by the German Supreme Court whether dynamic IP addresses constitute personal data for a website operator, the ECJ answered in the affirmative. Since then, an overbroad concept of "identifiability," and thus of personal data, has prevailed in regulator decision making and case law.
This is exemplified by the EDPS' arguments in the case decided by the EGC. In line with the years-long practice of EU data protection supervisory authorities, the EDPS argued the qualification of personal data does not require the entity processing the data (Deloitte) to actually be able to identify the data subjects. Rather, the EDPS argued that an "indirect" identifiability for Deloitte would also be at hand if the identifying information (the alphanumeric code) was in the possession of another entity (the SRB). The EDPS, therefore, concluded personal (pseudonymized) data remain so even when transmitted to a third party, like Deloitte, that has neither the additional information necessary for reidentification nor the legal right to obtain it.
In its 26 April ruling, the EGC closely analyzed the Breyer judgement and sharply departed from the EDPS arguments as a result. In fact, a closer look at the ECJ Breyer ruling shows it is "spoiled" in various ways, in particular due to the unclear and ambiguous questions submitted to the ECJ. It is also much more nuanced than the regulator practice described would suggest. Most importantly, the ECJ held no personal data is at hand if, for the entity processing the data, it is practically impossible to identify an individual because it would require a disproportionate effort in terms of time, cost and manpower. Ultimately, the ECJ applied a risk-based approach and assumed data is anonymous if the risk of identification "appears in reality to be insignificant." Thus, the Breyer ruling has been widely misinterpreted in the past. It does not support an "absolute" view on identifiability but rather looks at the risk of identification in each individual scenario. Even if there is a residual risk of identifiability, data can be anonymous nevertheless.
Consequently, the EGC required the EDPS to show Deloitte itself was reasonably able to identify the data subjects whose information had been transmitted to it by the SRB. As the EDPS did not examine this key point in its decision against the SRB, the EGC annulled the EDPS decision.
What does it mean in practice?
The ruling opens up new options for anonymization and adds much-needed legal certainty.
Although the specifics of the case cannot be applied to each and every scenario, the EGC clearly followed a relative approach to identifiability. This means it is perfectly possible that a piece of information qualifies as personal data for someone who is able to identify the data subject, whereas the same piece of information is anonymous for someone without such ability. Although it sounds logical, this has not been accepted by EU regulators in most scenarios so far. But this will make it much easier going forward to achieve anonymization.
What the court did not elaborate on, though, is the threshold for "identifiability" and when it can be regarded as practically impossible — which will need to be determined in each individual case.
Equally important, should there be a valid argument that identifiability is practically impossible, from now on the supervisory authorities must substantiate that personal data is nevertheless at hand. This means the "burden of proof" that personal data is processed, and thus that the GDPR applies, lies with the supervisory authorities.
The ruling can be appealed in front of the ECJ, which means it is not yet final. However, given that the EGC argues along the lines of the ECJ Breyer ruling, it seems unlikely the ECJ will come to a different conclusion.
Looking ahead, with a particular view on the EU data strategy and the various digital initiatives, anonymization will be a key tool for securely sharing and monetizing data. The ruling will help privacy pros use the full potential of anonymization.