TL;DR
This newsletter is about pseudonymisation and personal data. It looks at a recent AG opinion on the matter and the implications this has for on-device processing and encryption.
Here are the key takeaways:
Pseudonymisation refers to techniques that reduce the identifiability of personal data. It consists of taking original data and applying a pseudonymisation technique to it; the output is the pseudonymised data.
There are different ways to pseudonymise data. For example, if you have a database containing the dates of birth of customers, this can be pseudonymised by replacing the dates with age ranges.
Under the GDPR, pseudonymised data is still considered personal data. However, a recent case (EDPS v SRB) brought before the Court of Justice (CJEU) of the European Union tests this presumption.
The verdict of the Court is still forthcoming. In the meantime, the opinion of the Advocate General (AG) Spielmann was published on 6 February, providing his view on the matter in question:
As per Recital (16) of Regulation 2018/1725, the identifiability of a data subject from pseudonymised data could be achieved by a data controller 'or by another person.' The reasonable likelihood of identifiability needs to be considered, taking into account the cost and time required to do so and the technology available to achieve identifiability.
CJEU case law has previously set out the parameters for such identifiability. In particular, the Court has held that, in certain circumstances, information could still be considered personal data even if "dissociated from the identification data held by someone else."
Pseudonymised data may not be considered personal data if "the risk of identification is non-existent or insignificant."
So according to the AG, for the pseudonymising controller, the data remains personal data. But for any recipient of the pseudonymised data with no reasonable means to use the data to identify a data subject, the data are effectively anonymised and therefore not personal data.
If this view is adopted by the Court, then this could have interesting implications for a range of different processing contexts. This includes on-device processing and encryption.
What is pseudonymisation?
The GDPR provides a definition of pseudonymisation under Article 4.5:
...the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
In essence, pseudonymisation refers to techniques that reduce the identifiability of personal data. Identifiability is therefore a matter of degree:
Identified individual. Identity is clear when we know exactly who the individual is, i.e., the data are linked to a single person.
Pseudonymity. Different data points can be linked to someone, but we do not know who that someone is.
Anonymity. We know neither the identity of the individual that the data are about nor whether different data points are about the same person.
There are also various ways that data can be pseudonymised. Some of these include the following:
Summarisation. This is about reducing the granularity or particularity of the data. For example, if you have a database containing the dates of birth of customers, this can be pseudonymised by replacing the dates with age ranges.
Perturbation. This is about obfuscating the data. For example, you can use a cryptographic hash function to transform personal data into a hash value.
Pseudonymisation techniques consist of three key elements:[1]
The original data
The pseudonymisation technique/transformation
The pseudonymised data (which itself consists of the output pseudonym and the additional information that can be used to elucidate the original data)
Let's say you have a dataset of customers and you wanted to pseudonymise their names using a cryptographic hash function. In this case:
The original data would be the customer name
The pseudonymisation technique/transformation would be the cryptographic hash function
The pseudonymised data would consist of the hash value output by the function together with the cryptographic key(s) used
Under the GDPR, pseudonymisation is mentioned as a security measure. Article 32 lists examples of organisational and technical measures that can be used to secure personal data, including "the pseudonymisation and encryption of personal data."
This technical measure is also mentioned in Article 25.1 in the context of data protection by design and by default:
Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects. (Emphasis added)
Pseudonymised data has always been considered personal data under the GDPR. The output of a pseudonymisation technique may not easily be used to identify a data subject, but the data subject can still be identifiable if additional information is used.
Examples of such additional information can include cryptographic keys or tables of the original personal data matching pseudonyms that they have been replaced with.[2] This additional information enables the pseudonymised data to be used to identify a data subject, hence the pseudonymised data ultimately remains personal data as it is still information relating to an identified or identifiable person.[3]
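The following is an added worked example, not code from the newsletter: it applies the two techniques described above (summarisation of dates of birth into age ranges, and perturbation of names with a hash function) to a constructed customer list, keeps the "additional information" (the key and the pseudonym-to-name table) separate from the pseudonymised dataset, and contrasts what the controller can recover with what a recipient holding only the pseudonyms can. It also illustrates the situation examined in the AG opinion below, where the recipient has no reasonable means of identification. All names, dates and the key are constructed.

```python
import hashlib
import hmac
from datetime import date
from typing import Optional

# Constructed sample customer records (not data from the newsletter or the case).
CUSTOMERS = [
    {"name": "Alice Example", "dob": date(1985, 3, 14)},
    {"name": "Bob Example", "dob": date(1999, 11, 2)},
    {"name": "Alice Example", "dob": date(1985, 3, 14)},  # same person, second row
]
REFERENCE_DAY = date(2025, 2, 6)  # fixed "today" so ages are deterministic

def age_range(dob: date, today: date = REFERENCE_DAY, width: int = 10) -> str:
    """Summarisation: replace an exact date of birth with a coarse age band."""
    age = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
    lo = (age // width) * width
    return f"{lo}-{lo + width - 1}"

def pseudonym(name: str, key: Optional[bytes]) -> str:
    """Perturbation with a hash function. With a key this is HMAC-SHA256: the same
    name and key always give the same pseudonym, so rows stay linkable, but the
    output cannot be matched back to a name without the key. With key=None it is
    a plain SHA-256 of the name, the weak variant that rejoin_from_candidates
    exposes."""
    data = name.strip().lower().encode()
    if key is None:
        return hashlib.sha256(data).hexdigest()[:16]
    return hmac.new(key, data, hashlib.sha256).hexdigest()[:16]

def pseudonymise(records, key):
    """Return the pseudonymised dataset and, separately, the 'additional
    information' (pseudonym -> name table) that only the controller keeps."""
    dataset, lookup = [], {}
    for r in records:
        p = pseudonym(r["name"], key)
        lookup[p] = r["name"]
        dataset.append({"pseudonym": p, "age_range": age_range(r["dob"])})
    return dataset, lookup

def reidentify(dataset, lookup):
    """The controller's view: its separately held table reverses the pseudonyms."""
    return [lookup[row["pseudonym"]] for row in dataset]

def rejoin_from_candidates(dataset, candidates, recipient_key):
    """A recipient's view, without the controller's table: recompute pseudonyms
    for names it already knows (recipient_key is None if it lacks the key) and
    count how many rows it can re-identify. Zero means this route gives the
    recipient nothing; a non-zero count means the scheme is weak for this data."""
    table = {pseudonym(c, recipient_key): c for c in candidates}
    return sum(1 for row in dataset if row["pseudonym"] in table)
```

The contrast between the keyed and unkeyed runs is the practical point: a plain hash of a guessable value such as a name is re-identifiable by anyone who can enumerate candidates, so the key, kept separately, is what makes the recipient's risk of identification insignificant.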
But a case currently before the CJEU, EDPS vs SRB, touches on when pseudonymised data is personal data.
EDPS vs SRB
Summary of the Facts
This case concerns a dispute between the European Data Protection Supervisor (EDPS) and the Single Resolution Board (SRB):
The EDPS is the data protection regulator of the EU institutions. It ensures that these institutions process personal data in accordance with Regulation (EU) 2018/1725, which can be thought of as the GDPR for EU institutions.
The SRB is the resolution authority for the European Banking Union. Its role is to ensure the orderly resolution of failing banks and help maintain market stability and confidence in participating EU countries.
In June 2017, the SRB adopted a resolution under which Banco Popular Español S.A. transferred all its shares and capital instruments to Banco Santander S.A (Santander). As part of this process, the SRB procured the services of Deloitte to determine whether shareholders and creditors affected by the resolution would have received better treatment had normal insolvency proceedings been used.
Deloitte provided the SRB with a 'valuation of difference in treatment' to help the SRB decide whether compensation should be granted to the affected shareholders and creditors. To further help with its decision, the SRB also launched a right to be heard process to verify the eligibility and interest of the relevant parties and receive comments from affected shareholders and creditors.
During the registration phase, a range of data was collected. This included proof of the participants' identity and ownership of capital instruments of Banco Popular. These data were accessible to a limited number of SRB staff responsible for processing the data to determine eligibility.
During the consultation phase, eligible participants submitted their comments to SRB staff responsible for processing these comments. These SRB staff did not have visibility of the data processed during the registration phase. Additionally, each individual comment was allocated an alphanumeric code.
Only the comments and their codes were then shared with Deloitte, not the data collected during the registration phase. The consultation data were categorised, filtered and aggregated before being shared:
The comments transferred to Deloitte were solely those that were received during the consultation phase and that bore an alphanumeric code, developed for audit purposes to enable the SRB to verify, and if necessary to demonstrate subsequently, that each comment had been handled and duly considered. On account of that code, only the SRB could link the comments to the data received in the registration phase. Deloitte had, and still has, no access to the database of data collected during the registration phase.[4]
Upon learning of this data sharing with Deloitte, affected shareholders and creditors submitted complaints to the EDPS. They alleged that the SRB had failed to include in its privacy statement that data would be shared with Deloitte as per Article 15(1)(d) of Regulation (EU) 2018/1725.
The EDPS adopted its decision on the matter, in which it stated that the data shared with Deloitte (the comments along with the codes) were personal data. It also stated that in the future the SRB should state in its data protection notices the entities with whom personal data may be shared.
The SRB brought proceedings against the EDPS before the General Court of the Court of Justice of the European Union (CJEU) in September 2020. In its claim, the SRB contended that the data transmitted to Deloitte did not constitute personal data.
The General Court sided with the SRB in its original judgment, holding that the data transferred to Deloitte was not personal data:
...with regard to the condition laid down in Article 3(1) of Regulation 2018/1725 that the information must relate to an ‘identified or identifiable’ natural person, the General Court held that, in the present case, it was for the EDPS to examine whether the comments transmitted to Deloitte constituted personal data for Deloitte. According to the judgment under appeal, the EDPS merely examined whether it was possible to re-identify the authors of the comments from the SRB’s perspective and not from Deloitte’s. Therefore, since the EDPS did not investigate whether Deloitte had legal means available to it which could in practice enable it to access the additional information necessary to re-identify the authors of the comments, the EDPS could not conclude that the information transmitted to Deloitte constituted information relating to an ‘identifiable natural person’ within the meaning of Article 3(1) of Regulation 2018/1725.[5] (Emphasis added)
The EDPS appealed against this decision in July 2023 on the grounds that the Court's interpretation of 'personal data' under Regulation 2018/1725 was incorrect. The appeal concerned two key matters:
The meaning of personal data
The concept of pseudonymisation
These are the issues that the General Court will address in its decision on the appeal. In the meantime, the opinion of Advocate General Spielmann was published on 6 February, providing his view on the matter in question.
AG Opinion
The meaning of personal data
The view of the AG here is straightforward. The data collected during the consultation phase (namely the comments and their respective alphanumeric codes) did constitute personal data.
The AG reasoned that this was clear by looking at the context in which the information was collected and used:
...it is clear from the applicable legal framework that the purpose of the right to be heard process, in the context of which the comments at issue were submitted, was to enable the affected shareholders and creditors to contribute to the process, in particular to enable the SRB to have all the information necessary to take a final decision on whether the shareholders and creditors affected by the resolution of Banco Popular should be granted compensation in accordance with the principle that no creditor should be worse off than in the event of liquidation under normal insolvency proceedings. Furthermore, those comments, once taken into account by the SRB, were liable to have an effect on the complainants’ interests and rights regarding financial compensation.
I conclude on that basis that the comments at issue relate to the data subjects in the present case, including by reason of their purpose and effect.
I would add that it is true that the comments at issue, as transferred to Deloitte, were ‘filtered, categorised and aggregated’, with the result that, as is clear from the facts established by the General Court, individual comments could not be distinguished within a single theme; however, it may be accepted that, even when aggregated, those collective comments, in terms of their content, reflect personal views regarding Valuation 3. They constitute a sum of opinions which, as such, constitute information relating to the persons who expressed them. Their filtering, categorisation and aggregation do not alter that finding, otherwise it would be sufficient, in order to avoid the requirement of information ‘relating’ to a natural person, to aggregate several points of view. The fact that it is not possible, within that sum of comments, to distinguish the various individual opinions seems to me to fall more within the scope of the second cumulative condition, relating to the identifiability of the data subjects, examined in the context of the second part of the present ground of appeal, than within the scope of the condition requiring the comment to be ‘linked’ to a natural person.[6]
The concept of pseudonymisation
The argument put forward by the EDPS in this case is that pseudonymised data are still personal data because the data subject remains identifiable as the additional information that enables identification still exists. The AG disagrees with this argument.
The AG relies on the wording of Recital (16) of Regulation 2018/1725, which states the following:
The principles of data protection should apply to any information concerning an identified or identifiable natural person. Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information, should be considered to be information on an identifiable natural person. To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person, to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments. The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes.[7]
The AG argues that this Recital allows for the possibility that pseudonymisation, in some circumstances, could result in data subjects not being identifiable from the pseudonymised data.[8] This could be the case even if the additional data that could be used to make the data subject identifiable still exist but access to them is sufficiently limited.[9] Accordingly, there may be some forms of pseudonymised data that fall outside the scope of the concept of personal data.[10]
The exact reasoning of the AG is as follows:
As per Recital (16), the identifiability of a data subject could be achieved by a data controller 'or by another person.' The reasonable likelihood of identifiability needs to be considered, taking into account the cost and time required to do so and the technology available to achieve identifiability.[11]
CJEU case law has previously set out the parameters for such identifiability. In particular, the Court has held that, in certain circumstances, information could still be considered personal data even if "dissociated from the identification data held by someone else."[12]
Pseudonymised data may not be considered personal data if "the risk of identification is non-existent or insignificant."[13]
According to the AG, this reasoning supports a relative, rather than a strict, approach to the concept of personal data and pseudonymisation. Taking a relative approach to the current case, the AG suggests that the key question for the Court to consider is whether "Deloitte had reasonable means to identify [the data subjects]."[14] Only if Deloitte did have such means should the comments and alphanumeric codes it received from the SRB be considered personal data.
The AG states further:
...it seems to me disproportionate to impose on an entity, which could not reasonably identify the data subjects, obligations arising from Regulation 2018/1725, obligations which that entity could not, in theory, comply with or which would specifically require it to attempt to identify the data subjects.[15]