Update Data Protection No. 142
Judgment of the General Court on the distinction between pseudonymised and anonymised data
On 26 April 2023, the General Court of the European Union (EGC) issued its judgment in case T-557/20 (judgment of 26 April 2023, SRB v EDPS, T-557/20, EU:T:2023:219) and at the same time made a statement about the distinction between pseudonymised data and anonymous data. In essence, the court dealt with the question of whether pseudonymised data transferred to third parties should continue to be regarded as personal data, even if the recipient has no way of decrypting this data.
Pseudonymised data is personal data that can only be attributed to a specific person with the addition of further information. Such data therefore relate to an identifiable person and thus are personal. Therefore, these data are subject to German and European data protection law.
Anonymised data, on the other hand, are data that do not allow any attribution, even with the addition of further information. With such data, it is therefore not possible to draw conclusions about the identity of the person concerned. For this reason, they are not subject to data protection law.
The distinction between pseudonymised and anonymised data can be difficult to make in individual cases. Companies often hold information in a form that makes it practically impossible to re-identify the person concerned. However, in such cases the authorities are often of the opinion that re-identification is possible with the addition of information from third parties, so that only pseudonymisation can be assumed. The judgment of the CJEU in case C-582/14 (judgment of 19 October 2016, Breyer, C-582/14, EU:C:2016:779) shows how difficult the differentiation can be in individual cases. According to this judgment, IP addresses stored by a provider of online media services are to be regarded as personal data if that provider can identify the data subject with the addition of further information from the internet access provider.
Facts of the case
In the context of winding-up proceedings against a well-known Spanish bank, the eligible shareholders and creditors were contacted by the Single Resolution Board (“SRB”) in order to send them questionnaires. The completed questionnaires were forwarded to a consulting company, with the respondents’ names previously replaced with an alphanumeric code by the SRB. In order to be able to re-attribute the questionnaires to the respective person, both knowledge of the alphanumeric code and access to the corresponding database were required. The consulting company only had the alphanumeric code – access to the relevant database was reserved exclusively for the SRB.
Since the respondents were not informed that the data collected using the questionnaire would be transferred to a third party, the question arose as to whether there was a violation of Article 15(1)(d) of Regulation (EU) 2018/1725. The European Data Protection Supervisor (“EDPS”) affirmed this, as the data had only been transferred in pseudonymised form and thus continued to represent personal data. However, the SRB considered that there was no such violation, as the data transferred were not personal data. Rather, the transferred data should be regarded as anonymised data.
Presentation of the case law
Based on the definition of the term “personal data” in Art. 3 Para. 1 Regulation (EU) 2018/1725, which can also be found in Art. 4 No. 1 GDPR, the court assessed whether information transferred to a third party is to be classified as personal data according to whether it still relates to an identifiable person. With reference to the case law of the ECJ (judgment of 19 October 2016, Breyer, C-582/14, ECLI:EU:C:2016:779), the court found that the question of whether the data are pseudonymised – and thus personal – or anonymised depends on whether the data recipient has a way of re-identifying the data subjects. The test as to whether data are anonymised or merely pseudonymised must therefore be based on the position and powers of the respective party. While information may constitute personal data for one party, the same information may not constitute personal data for the other party because re-identification is not possible.
In the case of the transfer of pseudonymised data, it must therefore be examined whether the recipient of the data can also carry out re-identification. If the recipient of the data does not have additional information that enables re-identification, and if the recipient also has no other way of lawfully obtaining such information, the transferred data can be considered anonymous. Whether the transmitter of the data has the information and opportunities required for re-identification is irrelevant to the question of whether the transferred data is personal data for the recipient.
This test not only examines whether there is a factual and/or legal possibility of re-identification. Rather, it must also test whether re-identification can reasonably be expected in view of the associated effort.
Since the EDPS did not carry out such a comprehensive test from the point of view of the recipient consulting company, the court annulled the EDPS’ decision.
Although the ruling on Regulation (EU) 2018/1725 does not relate directly to the GDPR, it can still be applied to the GDPR. The judgment should be welcomed, especially in view of the fact that the GDPR does not contain any regulations on the requirements for the anonymisation of data.
However, it should be noted that the judgment of the CJEU is not yet final and therefore a certain amount of caution is required. If and when this judgment becomes legally binding, it should in all cases be considered as guidance. It is noted that no fixed criteria for distinguishing between pseudonymised and anonymised data have been defined. However, it does show that the question of whether transferred pseudonymised data should continue to be classified as personal data must be examined from the perspective of the recipient as well as the transmitter.
In practice, this means that the purely theoretical possibility that cooperation between several parties can lead to re-identification does not necessarily rule out the assumption of anonymisation. It is not just the factual possibility of re-identification that needs to be taken into account. Rather, it must also be considered whether such a re-identification is legally permissible and whether, given the associated effort, re-identification can reasonably be expected. Data do not relate to an identifiable individual – and are therefore not considered personal data – if identifying that individual is prohibited by law or impracticable, e.g. because it would require a disproportionate amount of time, money and manpower, so that the risk of identification can be regarded as de facto negligible.