Pseudonymisation or anonymisation?

European General Court rules on personal reference in encrypted data

Personal data is often processed pseudonymously by replacing “raw” data (e.g. names) with certain identifiers or codes. However, the entity performing the pseudonymisation usually re-tains the means to re-identify the individuals behind these pseudonymous identifiers. Therfore, data protection law and the GDPR therefore remain directly applicable to this data.
However, is there a differency if this encrypted data is then transferred to another business? This is exactly the question that the EU General Court (“EUGC”) recently had to answer (judgment of 26 April 2023, case no. T-557/20). (Note: The EUGC is a lower court of the Eu-ropean Court of Justice (“ECJ”) and should not be confused with the latter!)

The facts

The Single Resolution Board (“SRB”), which as an EU institution oversees the resolution of insolvency in the financial sector, collected personal statements through an online form and passed on this data to a consulting firm without informing the data subjects. Before doing so, however, the SRB replaced all names with codes.

The European Data Protection Supervisor (“EDPS”), who became involved following a com-plaint, saw this as a transfer of pseudonymised – and thus personal – data of the data sub-jects to a third party. Accordingly, the SRB should have informed the data subjects about the data transfer.

In its defence, the SRB argued that the data shared is anonymised data: The SRB had not shared the data necessary for the re-identification of the data subjects with the consulting firm. In addition, the latter had no right to access the information held by the SRB to identify the data subjects behind the codes.

The perspective of the data recipient must be taken into account

In its decision, the EUGC stated that the question of whether pseudonymised data transmitted to another business must be classified as personal data under the GDPR depends on the perspective of the data recipient. In this respect, it must be examined whether the data recipi-ent has (lawful) means that it can reasonably use to identify the data subjects. However, the EDPS had omitted this test in the proceedings against SRB and had found it sufficient that the SRB, in any case, could carry out a re-identification.

Practical significance

With this ruling, the EUGC builds on the ECJ’s well-known “Breyer” case from 2016. It held: If (and only if) a data recipient does not have additional information that enables it to re-identify the data subjects and if it has no legal means to access this information, the (pseudonymised) data transmitted to it does not constitute personal data. Consequently, the GDPR does not apply to the processing of such data while in the hands of the recipient.

At first glance, these are good news especially for businesses in the advertising industry that store and use pseudonymised data to display ads, such as data management platforms.

However, the findings in the judgement only apply subject to the condition that other identifiers are not present in these data sets. In practice, however, such fully encrypted and thus anonymised data sets are rarely being used, since the combination of different data categories usually does allow for conclusions to be drawn about the data subjects. The practical impact of the ruling will therefore be minor.

Finally, an appeal to the ECJ is possible and not unlikely. It therefore remains to be seen whether the judgment of the EUGC will hold before the ECJ. 

(Dr. Frank Eickmeier, UNVERZAGT Rechtsanwälte)