Padlock on laptop

Advocate General Spielmann opines that personal data can be pseudonymous in the hands of one party and anonymous in the hands of another.

By Gail Crawford, Fiona M. Maclean, Myria Saarinen, Tim Wybitul, Isabelle Brams, and Amy Smyth

Advocate General Spielmann (AG) has published his Opinion in the Court of Justice of the European Union (CJEU) case C-413/23 EDPS v. SRB (Opinion), considering various questions on the scope of personal data regulated by the EU institutions’ version of the GDPR (which is materially equivalent to the GDPR). In particular, the AG addressed the issue of personal data as a relative concept, opining that the categorisation of personal data as pseudonymous or anonymous should be assessed from the relative perspective of the recipient/holder of that data. Data could therefore be pseudonymous in the hands of one party (i.e., the discloser of that data, with access to relevant re-identification information) and anonymous in the hands of another (i.e., the recipient of that data, without reasonable access to the re-identification information). AG opinions are not binding on the CJEU, but are typically followed.

Background

In 2020, the European Data Protection Supervisor (EDPS) issued a decision that the Single Resolution Board (SRB) had breached its transparency obligations under the EU institutions’ GDPR by failing to include in its privacy notice information on its disclosure of personal data to a third-party professional services firm, in the context of a bank resolution procedure. The SRB argued that the relevant data was anonymous when received by the recipient firm, as the SRB shared the data in pseudonymised form and did not provide the firm with the re-identification information, therefore the firm could not reasonably identify the relevant individuals. On this basis, the SRB argued that the firm was not a recipient of regulated personal data from the SRB — since anonymous data falls outside the scope of personal data regulated by the EU institutions’ GDPR — and therefore the SRB was not required to include information on that disclosure in its privacy notice.

The EDPS rejected the SRB’s position on this point, and instead held that the SRB had shared pseudonymous data with the recipient firm, rather than anonymous data, as the relevant individuals could be re-identified with the information held by the SRB. The fact that the firm itself did not have that re-identification information was insufficient to render that data anonymous, in the EDPS’s view.

General Court Judgment

In 2023, the General Court of the European Union (General Court) annulled the EDPS’s decision. The court ruled that the EDPS had been wrong to conclude that personal data that was pseudonymous for the SRB, as the data discloser was automatically pseudonymous (rather than anonymous) for the firm as the data recipient. Instead, the court considered that the EDPS should have assessed whether the disclosed data was pseudonymous or anonymous for the firm from its perspective as recipient, rather than from the SRB’s perspective as discloser. As the EDPS had not carried out such an assessment, the General Court rejected the EDPS’s conclusion that the disclosed data was pseudonymous and therefore personal data regulated by the EU institutions’ GDPR.

AG Opinion

On appeal by the EDPS to the CJEU on a number of questions, the AG proposed that the CJEU set aside the General Court’s decision as a whole, but refer certain claims back to the General Court before delivering a final judgment.

On the specific issue of the assessment of personal data as pseudonymous or anonymous, the AG rejects the EDPS’s argument that pseudonymised data should automatically be considered pseudonymous (rather than anonymous) if the re-identification information remains in existence. The AG instead opines that the nature of personal data should be assessed from the perspective of the entity receiving/processing that data. If that entity has reasonable means to identify the relevant individuals from the pseudonymous data, it is deemed to be processing personal data as regulated by the EU institutions’ GDPR. If, on the other hand, that entity does not have reasonable means to identify the relevant individuals, it is processing anonymous data outside the scope of the EU institutions’ GDPR. Based on the AG’s reasoning, the same data could therefore be considered pseudonymous in the hands of one entity, but anonymous in the hands of another. In practice, pseudonymised data received by a processor from its controller could therefore be considered anonymous in the processor’s hands (provided that the processor did not also receive the re-identification information from the controller).

In the General Court, the parties raised several further arguments around the interpretation and application of the personal data test established in the CJEU’s Breyer judgment. The AG does not address these arguments in detail in the Opinion, on the basis that those arguments are not relevant to the core question of the SRB’s compliance with its transparency obligations. The AG concludes that the SRB was required to include information about its disclosures to the recipient firm in its privacy notice due to the nature of the applicable transparency obligations, irrespective of whether the data as disclosed to the firm was considered pseudonymous personal data or anonymous data.

The AG also considers a further aspect of the General Court decision: the requirement in the definition of personal data that the information relates to an identified or identifiable natural person. The General Court had found that the EDPS was wrong to presume that an opinion necessarily relates to the individual that authored it — and is therefore the personal data of that individual — and that the EDPS should instead have specifically assessed whether the opinion related to its author. In the Opinion, the AG disagrees with the General Court on this point, concluding that an opinion could be presumed to relate to, and be the personal data of, its author. The AG notes, in contrast, that an opinion cannot be presumed to relate to the subject of that opinion (rather than its author), and therefore an assessment would be required to determine whether such an opinion is the personal data of its individual subject.

Next Steps

The CJEU is expected to deliver its judgment later this year (subject to the progress of claims referred back to the General Court). The CJEU will likely follow the Opinion, though is not bound by it and the CJEU could potentially conduct a more detailed analysis than the AG of the various arguments around the scope of personal data raised in the General Court. The CJEU’s endorsement of the AG’s position on personal data as a relative concept — to be assessed from the perspective of the recipient — would be a welcome clarification for many organisations deploying pseudonymisation and anonymisation measures when sharing personal data with processors and others.