The advocate general's opinion in EDPS v SRB: Changing the GDPR and facilitating European innovation?

In early February, Court of Justice of the European Union Advocate General Dean Spielmann published an opinion in a case that could clarify when General Data Protection Regulation requirements do not apply to personal data that has undergone pseudonymization.

Given the high level of accountability required by the GDPR when processing personal data, a blueprint for when those requirements do not apply would be much welcomed.

Until now, the Court of Justice of the European Union has provided rulings in which information constitutes personal data due to the possibility of combining it with information held by third parties — thus, setting a very low threshold for what constitutes personal data.

Now, the CJEU has the chance to deliver a decision in a case where the opposite is true, where information held by one party is not considered to be personal data even though it would be personal data if combined with other information held by another party.

This potential has made it a keenly followed case.

A highly condensed recap

According to the case, European Data Protection Supervisor v. the EU Single Resolution Board, the SRB shared pseudonymized data with a contractor, Deloitte, but did not mention the company as a recipient in its notice of processing. This led to complaints lodged with the SRB's supervisory authority, the EDPS, which found the SRB infringed its obligation to inform data subjects about the recipients of personal data.