On 5 February 2025, the Advocate General of the Court of Justice of the European Union (CJEU) issued its opinion in the case of C-413/23 P European Data Protection Supervisor (EDPS) v Single Resolution Board (SRB) (Opinion). The Opinion takes the view that personal data which has been pseudonymised and shared with a third party should not automatically be considered personal data in the hands of the third-party recipient if the risk of re-identification is “non-existent or insignificant”.
Background
The case was first brought to the General Court of the European Union by SRB, who sought to appeal a decision issued by the EDPS on 24 November 2020. In the context of a bank resolution scheme, SRB offered impacted shareholders and creditors the opportunity to express their opinions in an electronic form. The opinions were shared with the consulting firm, Deloitte, with the name of each respondent replaced with an alphanumeric code. As an EU institution, SRB is subject to Regulation 2018/1725 (EU DPR), which imposes similar obligations on EU institutions to the GDPR. On receipt of several complaints, the EDPS determined that SRB had breached its transparency obligations under the EU DPR by failing to inform the impacted respondents that it was sharing their pseudonymised data with Deloitte. SRB argued that it was under no requirement to inform the respondents as the transmission to Deloitte contained only anonymised data which no longer constituted personal data. On 26 April 2023, the General Court annulled the EDPS’s decision, finding that the EDPS was wrong to determine that the pseudonymised data was personal data in the hands of Deloitte. The General Court found that the EDPS had failed to consider the perspective of the data recipient. Deloitte possessed no information to re-identify the data subjects and no legal means to obtain the additional information required to do so from SRB. The EDPS appealed the General Court’s judgment to the CJEU.
Pseudonymised data may not be personal data in a party’s hands
In his Opinion, the Advocate General stated that the EDPS should have verified whether Deloitte had “reasonable means” to reidentify the impacted data subjects. Where risk of this is “non-existent or insignificant” the Advocate General stated that pseudonymised data can fall outside the definition of personal data. In the Advocate General’s view, the pseudonymisation had ensured that the data subjects were unidentifiable in Deloitte’s hands.
However, data protection obligations continue to apply to the disclosing party as ‘keyholder’
Notably, despite finding that the pseudonymised data in question did not constitute personal data in the hands of Deloitte, the Advocate General considered that SRB had not met its transparency obligations under Article 15(1)(d) EU DPR by failing to inform impacted data subjects, ‘at the time when personal data are obtained’, that Deloitte would be a recipient of such data. The Advocate General highlighted that the data would still have been personal data in the hands of SRB as it had the additional information necessary to reidentify the data subjects as ‘keyholder’ to the encoded data.
Next steps
The CJEU will now consider the Advocate General’s Opinion and give its binding judgment. Whilst the CJEU is not bound by the Opinion, it has commonly followed the Advocate General’s view.
Our take
The Opinion provides welcome confirmation for organisations receiving pseudonymised personal data. Provided that the data recipient is provided with no additional information which would allow it to reidentify data subjects and no “reasonable” technical, physical or legal means to obtain such additional information, pseudonymised data would not be personal data in the hands of that data recipient. This is in contrast with the European Data Protection Board’s recent draft guidelines on pseudonymisation, which suggested that pseudonymised data will always be personal (see paragraph 22).
This concept is the root of data protection applicability so its impact would be significant; for example, for:
- Service providers handling data encrypted with state-of-the-art cryptography and without key access – these service providers will find it easier to maintain that that data is not personal data in their hands.
- Recipients of pseudonymised data might also be able to make wider use of that data, for example for training AI models, depending on how the key holder’s rights to access the pseudonymised data are framed.
- Controllers who have suffered a data breach affecting only pseudonymised data would also be able to take this into account in their analysis of whether notification obligations applied.
In each of the above scenarios, analysis would be highly fact-specific, and would also need to take into account the risk of identification by “singling out”.
For disclosing controllers, however, pseudonymised data remains personal where they retain access to the key, so they must comply with Article 15(1)(d) EU DPR (or the corresponding Article 13(1)(e) General Data Protection Regulation). In the Advocate General’s view, information on possible recipients of such pseudonymised personal data must be provided when the data is collected, as the obligation applies “at the time when personal data are obtained.” This may affect the recipient’s ability to use such data for wider purposes.