Data Pseudonymization

In our previous article, EU Court Clarifies When Pseudonymized Data Does Not Remain Personal Data, we discussed the General Court’s judgment in Case T-557/20, where it ruled that pseudonymized data may not be considered personal data if the recipient cannot re-identify the data subjects. The case arose from the Single Resolution Board (“SRB”) transmitting data to Deloitte without informing affected data subjects, leading to complaints and an investigation by the European Data Protection Supervisor (“EDPS”).

Following the General Court’s ruling in favour of the SRB, the EDPS appealed the decision, leading to an Opinion by Advocate General Dean Spielmann (the “AG”) prior to the court’s decision being issued. This article thus aims to summarise Spielmann’s Opinion and its implications for the interpretation of data protection obligations.

As a starting point, Spielmann reaffirmed that pseudonymized data remains personal data if additional information exists that enables re-identification. He criticised the General Court’s approach, arguing that it erroneously focused on Deloitte’s ability to identify data subjects rather than considering the broader principles of data protection. On this front, he emphasised that:

  1. In line with the EDPS’ original arguments, the comments submitted by affected shareholders were inherently ‘related’ to their authors, reflecting their subjective opinions (without requiring a separate analysis of their content); and
  2. The SRB, as the controller, had the means to re-identify the individuals and thus, should have disclosed Deloitte as a recipient to the data subjects.

Spielmann concluded that the SRB breached its duty of transparency under Article 15(1)(d) of Regulation 2018/1725 by failing to provide explicit notice to data subjects that their comments would be shared with Deloitte, thereby depriving them of the ability to exercise their data protection rights effectively. He emphasised that the obligation to provide information applies at the point of data collection, rather than being contingent on whether a recipient can re-identify data subjects.

“1. Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information:

(d) the recipients or categories of recipients of the personal data, if any.”[1]

The AG emphasised that the obligation to provide information, as per Article 15(1)(d), applies at the point of data collection, rather than being contingent on whether a recipient can re-identify data subjects, as was both argued and concluded within T-557/20.

Recent EDPB guidelines re-affirm the concept of a "pseudonymisation domain" where controllers and processors define the parameters for preventing re-identification within a controlled environment. The guidelines emphasise that pseudonymized data remains personal data if additional identifying information could be ‘reasonably’ obtained by any party. However, the AG clarified that if re-identification by legal and technical means is practically impossible or prohibited by law, then the data may not be considered personal data in the hands of the recipient.

However, Spielmann opined that if the SRB had not fulfilled its information obligation when the data were collected, the issue of whether Deloitte could identify the data subjects becomes immaterial.

If the Court of Justice follows his reasoning, the General Court’s judgment could be set aside. If not, the position adopted in the recently published EDPB guidelines on pseudonymization as well as long-time practice and interpretation within the EU may be subject to a complete overhaul.

--

This case highlights ongoing legal debates on pseudonymization. As the Court of Justice prepares to rule on the appeal in the coming weeks, its decision will undoubtedly have significant implications for data processing practices in the EU.

Authors: Dr Terence Cassar and J.J. Galea.

For more information and assistance on Data Protection & Privacy Law, kindly contact us at info@gtg.com.mt


[1] Article 15(1)(d), Regulation (EU) 2018/1725

Disclaimer: This article is not intended to impart legal advice and readers are asked to seek verification of statements made before acting on them.