The Court of Justice of the European Union (CJEU) has delivered a significant judgment in the case European Data Protection Supervisor (EDPS) v Single Resolution Board (SRB) (C-413/23 P), fundamentally clarifying the scope of the term “personal data” under EU law. The ruling confirms that the definition is relative and context-specific, depending on the recipient’s ability to re-identify the data subject, offering both clarity and complex new compliance requirements for organizations sharing pseudonymized data.
Background: The Conflict Over Pseudonymized Data
The dispute stemmed from the resolution of the Spanish bank, Banco Popular Español, by the Single Resolution Board (SRB), an EU agency. The SRB collected numerous comments and personal opinions from affected former shareholders and creditors. The SRB then engaged the consulting firm Deloitte to evaluate over a thousand of these submissions.
To protect privacy, the SRB pseudonymised the comments by replacing direct identifiers with a unique alphanumeric code. Critically, the SRB retained the re-identification key, while Deloitte did not have access to it.
The conflict arose when individuals complained to the European Data Protection Supervisor (EDPS), arguing that the SRB had failed to inform them that their data would be transferred to a third party (Deloitte)—a breach of transparency obligations. The EDPS initially sided with the complainants, arguing the data was still personal because the SRB held the key. However, the case progressed based on the SRB’s core argument: since Deloitte could not reasonably re-identify the individuals, the data should be treated as anonymous in the consultant’s hands.
The New Standard: Relativity Over Absolutism
The CJEU ultimately rejected the “absolute” view that data remains personal data for everyone simply because one party (the original controller) holds a key.
The Court established that pseudonymised data “must not be regarded as constituting, in all cases and for every person, personal data.”
The key takeaway is the application of the “means reasonably likely to be used” test, assessed from the perspective of the recipient. If a third party receives pseudonymised data and lacks the legal or technical means to link the data back to an individual, or if the effort required to do so is disproportionate, the data may be considered anonymous in their hands. For that specific recipient, the full scope of the GDPR obligations would not apply.
Dual Responsibility: The Controller’s Absolute Burden
While the recipient benefits from the “relative” test, the judgment simultaneously reinforces a strict, absolute obligation on the original data controller (the disclosing party).
The CJEU confirmed that the SRB was in breach of its obligations, ruling that the controller’s duty to inform data subjects about the recipients or categories of recipients of their data (the right to be informed) must be assessed at the time of data collection and from the controller’s own perspective.
Since the SRB retained the key, the data remained personal data for the SRB. Consequently, the SRB was obliged to inform the individuals of the data sharing, even if the data was considered anonymous in Deloitte’s hands. Pseudonymisation is thus a risk mitigation tool, not a loophole to circumvent transparency.
Practical Implications for Businesses
- Risk Assessment is Essential: Organisations engaging in data sharing must perform a robust, case-by-case assessment of the recipient’s capabilities to re-identify the data. This analysis determines the data’s status for the recipient.
- Transparency First: Controllers cannot rely on the possibility of anonymity at the recipient level to skip transparency obligations. Privacy notices must clearly disclose all data recipients, even if the data shared is pseudonymised.
- Personal Opinions Confirmed: The CJEU also confirmed that an individual’s personal opinions or views are inherently linked to their author and automatically qualify as personal data.
In conclusion, the EDPS v SRB ruling provides both clarity and complexity. It empowers organizations to use pseudonymisation as a means of reducing regulatory overhead for recipients, but it places a clear, unwavering responsibility on the original data controller to maintain high standards of transparency and control over the identifying information.
