Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.

In early February, Court of Justice of the European Union Advocate General Dean Spielmann published an opinion in a case that could clarify when General Data Protection Regulation requirements do not apply to personal data that has undergone pseudonymization.

Given the high level of accountability required by the GDPR when processing personal data, a blueprint for when those requirements do not apply would be much welcomed.

Until now, the Court of Justice of the European Union has provided rulings in which information constitutes personal data due to the possibility of combining it with information held by third parties — thus, setting a very low threshold for what constitutes personal data.

Now, the CJEU has the chance to deliver a decision in a case where the opposite is true, where information held by one party is not considered to be personal data even though it would be personal data if combined with other information held by another party.

This potential has made it a keenly followed case.

A highly condensed recap

According to the case, European Data Protection Supervisor v. the EU Single Resolution Board, the SRB shared pseudonymized data with a contractor, Deloitte, but did not mention the company as a recipient in its notice of processing. This led to complaints lodged with the SRB's supervisory authority, the EDPS, which found the SRB infringed its obligation to inform data subjects about the recipients of personal data.

The SRB appealed this decision to the European General Court, which found the EDPS had not assessed from Deloitte's perspective if personal data had been received, and annulled the EDPS's decision.

The EDPS appealed the General Court's decision to the CJEU.

What is the advocate general's opinion?

The question that now has the global data protection community holding its breath is whether the CJEU will make a vector-shifting contribution to its string of decisions concerning the definition of personal data — encompassing classics like Scarlet and Breyer, and newer cases including "the VIN-case" and IAB Europe — by delivering a decision confirming in which circumstances information is not personal data.

The advocate general's analysis finds it is compatible with the abovementioned cases to conclude that the pseudonymized data received by Deloitte does not trigger additional obligations for the company under the GDPR, as having processed personal data would have done.

The advocate general builds this analysis upon the definition of personal data, that it should be information that relates to an identified or identifiable individual.

Regarding the information received by Deloitte relating to individuals, the methodology set out in the Nowak case suggests this is the case.

With regard to individuals being identified or identifiable, the advocate general analyzes two grounds submitted by the EDPS in the appeal. The first directly relates to the question of in whose hands the information constitutes personal data. Here, the advocate general relies on a close reading of recital 16 of Regulation 2018/1725 to find that personal data having undergone pseudonymization may under certain conditions fall outside the definition of personal data.

However, these certain conditions make for a limited space in the shadow of Breyer, as the risk of identification would need to be somewhere between nonexistent and insignificant.

The second ground of the appeal is closely connected to the question that triggered the whole process: should the SRB not have informed about the recipient regardless of the outcome of the previous question? Here, questions of timing and perspective become relevant, and the advocate general finds that the right time for assessing the obligation to provide information is — in the present case — prior to the transfer, and that the right perspective is that of the SRB.

This means that by the advocate general's measure, the SRB won the question of principle regarding pseudonymization, but lost in practical terms as the advocate general found the EDPS was right to affirm the complainants' view that the SRB should have informed them of the transfer of personal data.

A funny sidenote in this regard is that, other than issuing a recommendation, the EDPS did not exercise any corrective actions against the SRB in the decision it appealed, seemingly indicating the parties simply wanted this interesting question to be tried.

A less funny sidenote, however, is that the SRB has made a second plea arguing the EDPS did not exercise good administrative practice when arriving at its decision against it. As a consequence of the advocate general's determination that the EDPS was in the right regarding the question of providing information, the advocate general finds that the SRB's second plea should move forward.

As the second appeal was not assessed by the General Court and entails factual assessments — which the CJEU does not carry out — the advocate general recommends the CJEU send the case back to the General Court.

However, given how the EDPS has structured its appeal, it seems unlikely the CJEU will circumvent the question of pseudonymized information and send the case back to the General Court without examining it.

Taking a wider view

Moving closer to the CJEU's decision, the stakes are high due to a number of factors.

First, several authoritative voices have come forward arguing the EU is overregulating its market to its own detriment. Most eminent of these voices would be Mario Draghi in his recent report on EU competitiveness. While it certainly can be held that the EDPS v. SRB case has the potential to alleviate some compliance burdens, we must remember Draghi's conclusions regarding the GDPR mainly focus on the fragmented implementation and enforcement of the regulation across the EU's member states, not the relative workload of complying with the regulation as such.

Second, a few weeks before the advocate general's opinion, the EDPB published its draft guidelines on pseudonymization, siding with the EDPS's view that personal data that has undergone pseudonymization is personal data also in the hands of the recipient.

With the consultation period ending mid-March, it seems as if no arguments submitted will be able to leverage any findings of the CJEU. As the relevant dates for the EDPS v. SRB case have not been published, one must not read too much into the timing of the EDPB publication — other than the sporty tempo of adopting its 2024-2025 Work Programme in October 2024 and publishing the draft guidelines only three months later, in January.

Third, the EDPB has been allowed to intervene in support of the EDPS, while the European Commission is allowed to intervene in support of the SRB. Though there may be nothing strange about this — the EDPB and EDPS work closely together, as do the SRB and the Commission — it is not out of the question to read into it. For instance, the Commission's 2024-29 priorities include "a new plan for Europe's sustainable prosperity and competitiveness," where a reduced administrative burden for SMEs is one objective.

So where does the case fit in and what are its implications?

Despite the above, one would most likely be mistaken if trying to position this case as an important piece in a puzzle of EU economics, not only from the vague — if not farfetched — connections between the political agenda of increased competitiveness and the Commission's stake as an intervening party, but also because of its limited practical applicability.

If the CJEU were to adopt the advocate general's proposal as-is, it would definitely give actors a limited reprieve when it comes to data sharing. But remember the stringency encoded in the threshold of "non-existent or insignificant" risk of identification. To leverage these effects of pseudonymization a data controller would need to implement a rigorous program of technical and organizational measures ensuring that the risk of reidentification by the recipient can be held to be negligible. 

In which cases and for whom would it be easier and less burdensome to implement a rigid program for pseudonymization, than simply treating the shared information as personal data?

For certain sectors, this case may prove a welcome blueprint of how to construct a safe harbor, and clarity on the concept of pseudonymization may be a critical facilitator of the European Data Spaces, but for the average small- to medium-sized company it is not so easy to understand how much difference the case would make in practice. If anything, there could be a risk of poorly implemented pseudonymization programs instilling a false sense of security in data controllers.

In the end, the case is interesting from a theoretical perspective, but when it comes to ensuring safe and responsible personal data processing with the lowest possible risks to the interests and freedoms of the data subjects, the CJEU has a delicate balancing act in front of it.

Hampus Stålholm is a privacy lawyer at Capgemini.