With its ruling in the ‘SRB’ case, the European Court of Justice (ECJ) handed down an important decision for the GDPR-compliant handling of pseudonymised data, which is particularly significant for companies in the Ad Tech industry, but which also has significant relevance for the medical sector. The judgment discusses the question of when data sets need to be considered personal data. The starting point is well known: while personal data is defined as any information that can be directly or indirectly attributed to a natural person, anonymous data does not fall within the scope of privacy law. Pseudonymous data occupies an intermediate position: although it is not directly attributable to an individual, it is theoretically re-identifiable, especially for the data controller who carried out the pseudonymisation.
Until now, the so-called absolute approach has predominantly been followed in practice, meaning that data is generally considered personal as soon as any data controller can assign it to a person with reasonable effort. However, in the SRB ruling, the ECJ clarified that this depends on the perspective of the individual controller. The case concerned the transfer of pseudonymised data: For the data recipient, this data was anonymous because they could not reverse the pseudonymization themselves. For the sender, on the other hand, the data remained personal, meaning that they were required to inform the data subjects about the transfer. The court thus emphasised that pseudonymised data can be classified differently depending on the perspective, and that compliance requirements must be assessed separately for each actor.
For the ad tech industry, this means that tracking data will probably continue to be generally regarded as personal data – even though it only contains pseudonymous identifiers. However, exceptions are possible in certain scenarios, for example in the case of providers of technical services or for the use of data clean rooms. The latter can be a privacy-friendly solution, when the pseudonymous tracking data can be considered anonymous for the operator of the data clean room, at least once the identifiers have been masked. However, for the businesses participating in such data exchanges, they remain personal data, so that the requirements for a sufficient legal basis, transparency, and the protection of data subjects’ rights continue to apply. The practical usefulness of such scenarios is therefore limited.
Overall, this means that the SRB ruling does not bring about any fundamental change in the applicable standard, but it does provide an important clarification: businesses must assess the personal reference in their data from their own perspective and derive their compliance obligations accordingly. Those who want to rely on the anonymity of their data should therefore document their arguments carefully.
(Dr. Lukas Mezger, UNVERZAGT Rechtsanwälte)