
Pseudonymised data could fall outside data protection law – introducing the “means reasonably likely” assessment

By Marcus Evans (UK) & Rosie Nance on September 4, 2025

The Court of Justice of the European Union (CJEU) has delivered its judgment in case C-413/23 P European Data Protection Supervisor (EDPS) v Single Resolution Board (SRB). The CJEU has confirmed that pseudonymised data will not be personal data in all cases. This will be a welcome confirmation for innovative uses of data, including training AI models. The question of whether the data is actually personal will be context-specific, and will require an assessment of all the means reasonably likely to be used to identify the individual.

However, where a controller collects personal data, pseudonymises it, and discloses it to a third party, EU data protection law will apply to the disclosing controller. The disclosing controller must comply with its obligations to provide information to individuals on how it will process their personal data.

Background

The SRB offered impacted shareholders and creditors the opportunity to express their opinions in the context of a bank resolution scheme.  The opinions were shared with a consulting firm, Deloitte, with the name of each respondent replaced with an alphanumeric code. As an EU institution, SRB is subject to Regulation 2018/1725 (EU DPR), which imposes similar obligations on EU institutions to the GDPR. On receipt of several complaints, the EDPS determined that SRB had breached its obligations under the EU DPR by failing to inform the impacted respondents that it was sharing their pseudonymised data with Deloitte. SRB argued that it was under no requirement to inform the respondents as the transmission to Deloitte contained only anonymised data which no longer constituted personal data.  See our previous post for further background and our thoughts on the Advocate General’s Opinion.

The CJEU’s judgment – pseudonymised data will not remain personal in all cases

The CJEU begins its findings by emphasising that the definition of the concept of ‘personal data’ at Article 3(1) EU DPR is essentially identical to the concept in Article 4(1) GDPR. Its findings will apply equally to the GDPR.

The CJEU found that “pseudonymised data must not be regarded as constituting, in all cases and for every person, personal data… pseudonymisation may, depending on the circumstances of the case, effectively prevent persons other than the controller from identifying the data subject in such a way that, for them, the data subject is not or is no longer identifiable”. I.e., such data does not always remain personal, and would not be personal where disclosed in circumstances where only the original controller could identify the data subject.

And indeed, it would be an impractical conclusion to draw. Some obligations under the EU DPR, such as Article 15 (corresponding to Article 13 GDPR), require the controller to be able to identify the data subject.

The CJEU considered Recital 16 EU DPR (corresponding to recital 26 GDPR): “to determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person, to identify the natural person directly or indirectly.” The court concluded that those clarifications “would be deprived of any practical effect if pseudonymised data were to be regarded as constituting, in all cases and for every person, personal data” (paragraph 80).

Data could be personal in a recipient’s hands. In Deloitte’s case, the CJEU notes Deloitte would need to not be in a position to “lift” pseudonymisation for the conclusion that the data was not personal (paragraph 77). The pseudonymisation measures would also have to be such as to prevent Deloitte from attributing those comments to the data subject, including using other means, such as cross-checking with other factors. So, the data would be personal if Deloitte had access to the pseudonymisation key, or was able to identify the data subject using other information.

The CJEU’s judgment – for the obligation to provide information to individuals, the assessment on whether the data is personal must take place at the time of collection and from the point of view of the disclosing controller

The CJEU also provides some firm clarifications on the application of the controller’s information obligation under Article 15(1)(d) EU DPR (corresponding to Article 13(1)(e) GDPR). The controller must provide the individual with information about recipients or categories of recipients of personal data at the time of collection.

The CJEU clarifies that, naturally, the obligation applies to the controller and the controller must assess at the time of collection whether the data is personal in their own hands.  An assessment of whether the data is personal in the recipient’s hands is not needed for this obligation.  The obligation to provide information at the time of collection is intrinsically linked to the relationship between the controller and data subject (paragraph 114).  To consider whether the data is personal in the recipient’s hands – for that particular obligation – would disregard its purpose.

Our take

  • Pseudonymised data will not always be personal: The confirmation that pseudonymised data will not always remain personal will be welcome in the context of various data-heavy projects.  For example, where receiving a pseudonymised dataset from a third party to train an AI model, the conclusion that the data was not personal would be left open for the recipient.  The judgment does make clear that whether the data is actually personal will depend on context. The recipient would need to assess “means reasonably likely” in the context of the data in their hands.  In practice, the CJEU’s comments still set a high bar for concluding data is not personal.
  • Transparency obligations: The CJEU has provided a clear and timely reminder that those wishing to disclose pseudonymised data must still inform individuals of the recipients or categories of recipients. Any organisations that may have data projects on the horizon that would lead them to do this should update their privacy notices ahead of making any such disclosures.

The CJEU’s comments on this point relate specifically to the obligation to provide information to the data subject on collection.  In our view, any other conclusion in this context would have led to an unravelling of the logic of the provision. 

However, there are obligations under the GDPR where it will be relevant to consider whether data is personal in the recipient’s hands – for example, where carrying out a legitimate interests assessment for the disclosure, or a data protection impact assessment.  In that context, a “means reasonably likely” assessment will be an important part of carrying out the controller’s obligations.

Marcus Evans (UK)

Marcus is a communications, media and technology lawyer based in London. He focuses on data privacy and IT services.

  • Posted in:
    Privacy & Data Security
  • Blog:
    Data Protection Report
  • Organization:
    Norton Rose Fulbright