On 6 February, the EU’s Advocate General Spielmann provided his opinion (the Opinion) in the case of EDPS v SRB (Case C‑413/23 P), advising that the previous judgment of the General Court be set aside and the case referred back to it for judgment. The Opinion offers some interesting views on how we should consider the effect of pseudonymising personal data.

Key Takeaways

  • The Opinion concerns the scope of “personal data” under Regulation 2018/1725 (which is the EU institutions’ equivalent to the GDPR and which mirrors much of the same language and principles as the GDPR). It proposes a broader conceptualisation of what information will constitute “personal data” than the previous decision of the General Court, which had been viewed as a rare judgment that narrowed the understanding of the concept of personal data, reducing the obligations owed in respect of certain forms of pseudonymised information.
  • The Opinion argues that, where pseudonymised information is transferred to a third party, such information may not, from that third party’s perspective, constitute “personal data”, if that third party does not have reasonable means to reverse the pseudonymisation process to re-identify the relevant data subjects.
  • However, if the controller which transferred the pseudonymised information does have the capacity to re-identify the data subjects, such information is personal data from that controller’s perspective. Accordingly, the controller must, for example, comply with its general obligation to inform data subjects of relevant third party transfers.
  • The Opinion offers an innovative attempt to apply the principles set out in Regulation 2018/1725 (and mirrored in the GDPR) to a complicated, but common fact pattern. However, taking this approach to its ultimate conclusion could produce some confusing and potentially incoherent results. For example, under the conceptualisation proposed in the Opinion, a Controller “A” would be obliged to inform a data subject that their personal data had been transferred to Recipient “B”, but, simultaneously, Recipient B is not considered to be holding that same personal data. Given these and related issues, it will be interesting to see the extent to which this Opinion ultimately influences the final judgment of the CJEU.

Background

The Single Resolution Board (SRB) is an independent agency of the European Union which is primarily responsible for the resolution of failing banks within the EU. In June of 2017, the SRB was involved in the adoption of a resolution scheme for a failing Spanish bank. During the process of resolution, SRB collected certain comments from shareholders and creditors in order to assist in SRB’s assessment of who should receive compensation. 

In order to assess these comments, SRB developed a pseudonymisation process to categorise and aggregate these comments and assigned each comment an alphanumeric code. Certain pseudonymised comments were then forwarded to Deloitte, an independent valuer, to assist in completing the valuation assessment. The SRB maintained the capacity to link the pseudonymised comments to separate identifying data that SRB had received in the initial phase of collecting the comments (e.g. proof of the participants’ identity and ownership status), but this “identifying data set” was not provided to Deloitte.

Subsequently, five shareholders lodged a complaint with the European Data Protection Supervisor (EDPS), alleging that the transfer of the comments to Deloitte was a violation of their rights under Regulation 2018/1725, as they believed they had not been appropriately informed about such a transfer of their personal data to a third party. SRB claimed that data processed by Deloitte were not personal data and therefore the notification obligations under Regulation 2018/1725 did not apply. Although the decision relates to that regulation, the views are relevant to equivalent concepts under the GDPR.

The EDPS initially found an infringement but decided not to exercise corrective powers, recommending instead that the SRB improve its data protection notices. The SRB challenged this decision before the EU’s General Court. 

Initial Decision of the General Court

The General Court found in favour of the SRB and annulled the EDPS’s decision. The key point at issue was whether the EDPS had been correct in regarding the comments submitted to Deloitte as constituting “personal data”. 

First, the General Court found that the EDPS had erred in assessing the information transmitted to Deloitte as “related” to a natural person within the meaning of the definition of “personal data”. The EDPS had relied on a presumption that the information transmitted to Deloitte ‘related’ to a natural person, without examining the content, the purpose or the effect of that information, as required by the judgment in Nowak (C‑434/16).

Second, the General Court held that the EDPS had erred in its assessment of whether the transmitted information related to an ‘identified or identifiable’ natural person, as required under the definition of “personal data”. The General Court stated that the EDPS had only considered whether the authors of the comments could be re-identified from the SRB’s perspective, not from Deloitte’s. It said that EDPS should have investigated whether Deloitte had the legal means to access the additional information necessary to re-identify the authors of the comments. Without this investigation, the EDPS could not conclude that the information transmitted to Deloitte constituted information relating to an ‘identifiable natural person’.

Grounds for Appeal

The EDPS subsequently appealed the ruling of the General Court to the CJEU. The EDPS put forward three main grounds of appeal. 

  1. First Ground: The first was that the General Court erred in its interpretation of the condition that the information transmitted to Deloitte must ‘relate’ to a natural person within the meaning of Article 3(1). Furthermore it challenged the General Court’s interpretation of the effect of pseudonymisation and the requirement that the data subjects must be ‘identified or identifiable’ in order for a data-set to be considered “personal data”. The EDPS argued that the General Court’s approach incorrectly allowed pseudonymised data to be regarded as anonymised data vis-à-vis the recipient, which could undermine data protection.
  2. Second Ground: The second was that the General Court misinterpreted the judgment in Breyer (C‑582/14). The EDPS argued that the obligation to provide information to data subjects regarding the recipient of their data applied regardless of whether the data transferred were personal data from the recipient’s perspective. What was relevant was only whether the information was personal data from the controller’s perspective (i.e. the transferor, here).
  3. Third Ground: The third was that the General Court erred in holding that it was for the EDPS to demonstrate that the information transmitted to Deloitte was personal data. The EDPS argued that this breached the principle of accountability laid down in Article 4(2) and Article 26(1) of the regulation (which are equivalent to Articles 5(2) and 24(1) GDPR): it was the responsibility of the SRB to demonstrate compliance with data protection principles.

Advocate General’s Opinion

  1. First Ground and the Effect of Pseudonymisation: The Advocate General agreed with the EDPS that the General Court erred in its interpretation of the condition that the information must ‘relate’ to a natural person in order to constitute personal data. The opinion clarifies that the comments made by the complainants, even when pseudonymised, necessarily related to the complainants as they reflected their subjective opinions. The Advocate General noted that an opinion or assessment necessarily relates to its author, and thus, the comments at issue ‘related’ to the complainants by reason of their content, purpose, and effect. This interpretation aligns with the broad scope of ‘personal data’ as intended by the EU legislature.

    The Advocate General accepted the position that pseudonymised data transferred to a third party could still constitute personal data. However, the Opinion states that such pseudonymised data could also escape the classification of personal data and fall outside the scope of the GDPR. What was relevant to such classification was the risk of identification. Where the risk of identification is non-existent or insignificant, the pseudonymised data would fall outside the scope of the GDPR.

    Accordingly, the Opinion rejected the EDPS’ interpretation of the effect of pseudonymisation. In the given case, in order to determine if personal data had been transferred, it was necessary to determine whether the pseudonymisation of the data was sufficiently robust to ensure that the complainants were not reasonably identifiable by the recipient of the data (here, Deloitte).
  2. Second Ground and Notification Obligations in Respect of Pseudonymised Data: The Advocate General agreed with the EDPS’s submission that the General Court misinterpreted the judgment in Breyer. The opinion found that the obligation to provide information to data subjects regarding the recipient of their data applies regardless of whether the data transferred are personal data from the recipient’s perspective. Importantly, the Advocate General concluded that the SRB’s obligation to inform data subjects about the data transfer to Deloitte existed irrespective of Deloitte’s ability to identify the data subjects.
  3. Third Ground and the Principle of Accountability: The Advocate General briefly addressed this ground of appeal, noting that it was not necessary to examine it in detail given the conclusions reached on the other grounds. The Advocate General acknowledged that the principle of accountability, as laid down in Article 4(2) and Article 26(1) of the Regulation, requires the controller (in this case, the SRB) to demonstrate compliance with data protection principles. The Opinion noted that, in the present case, SRB did initially outline several factual elements to prove that, in accordance with the principle of accountability incumbent on it, it was impossible for Deloitte to identify the data subjects. The Opinion agreed with the General Court’s finding that it was then for the EDPS to demonstrate why the pseudonymisation process implemented by the SRB in the present case was not sufficient.

The Advocate General Opinion is, of course, not binding on the Court of Justice and it remains to be seen if the Court will follow the Advocate General’s approach.