Is pseudonymised data personal data? (Part 2)
An analysis of the Court's verdict in EDPS v SRB
TL;DR
This newsletter is about a decision by the Court of Justice of the European Union (CJEU) in EDPS v SRB. It looks at the Court's view on how the GDPR applies to pseudonymised data and the implications this has for certain data processing activities.
Here are the key takeaways:
Pseudonymisation refers to techniques that reduce the identifiability of personal data. It consists of taking original data and applying a pseudonymisation technique to it; the output is pseudonymised data.
EDPS v SRB is essentially a case about in what circumstances pseudonymised data may be regarded as personal data under the GDPR. It considers whether it is correct to apply a strict approach to this question, whereby pseudonymised data should always be considered personal data.
The CJEU upheld a relative approach to this issue. This means that, under the GDPR, pseudonymised data is not always personal data.
If an entity receives pseudonymised data from a controller without the additional information required to link the data to a data subject, and also does not have any other reasonable means to identify the data subject, then that entity has not received personal data. The position of the receiving entity in this case is therefore pertinent to the question of whether the information is indeed personal data.
The CJEU's decision in EDPS v SRB could have interesting implications for certain types of data processing activities. This includes on-device processing and encryption, as well as the personal data potentially stored in deployed LLMs.
The issues at play
Back in February this year, I took a look at an Advocate General opinion in the case of EDPS v SRB before the Court of Justice of the European Union (CJEU). This case tests the presumption that pseudonymised data is always personal data under the GDPR.
Pseudonymisation refers to techniques that reduce the identifiability of personal data. It consists of taking original data and applying a pseudonymisation technique to it; the output is pseudonymised data. It therefore consists of three elements:
The original data
The pseudonymisation technique applied
The pseudonymised data (which itself consists of the output pseudonym and the additional information that can be used to elucidate the original data)
An example of a pseudonymisation technique is encryption:
The original data is the plaintext that is being encrypted
The technique applied to this plaintext is the encryption scheme (the cryptographic protocol)
The output of this application is the ciphertext together with the cryptographic key needed to decrypt the ciphertext and turn it back into the plaintext (the key being the additional information in this case)
A full summary of the facts of the case can be found in my previous post, but to quickly recap:
The Single Resolution Board (SRB) is the resolution authority for the European Banking Union.
In June 2017, SRB hired Deloitte to carry out some analysis that involved comments that SRB had collected from shareholders of a bank.
SRB therefore shared with Deloitte copies of the comments along with alphanumeric codes generated for each comment.
SRB did not share with Deloitte any other data SRB had initially collected from the shareholders.
Those shareholders complained to the European Data Protection Supervisor (EDPS) that SRB had not informed them that their personal data would be shared with Deloitte.
SRB argued that the information it shared with Deloitte was not personal data since the comments and alphanumeric codes could not be used by Deloitte to identify individuals.
The EDPS disagreed with SRB's view and found that the information shared with Deloitte constituted personal data.
SRB brought proceedings against the EDPS before the General Court of the CJEU, which ended up ruling in SRB's favour, holding that the information shared with Deloitte was not personal data.
The EDPS appealed this verdict by the General Court, which is the subject of this latest case.
AG Spielmann's opinion on the matter was that the information shared with Deloitte was not personal data. The reasoning was threefold:
As per Recital (16), the identifiability of a data subject could be achieved by a data controller 'or by another person.' The reasonable likelihood of identifiability needs to be considered, taking into account the cost and time required to do so and the technology available to achieve identifiability.1
CJEU case law has previously set out the parameters for such identifiability. In particular, the Court has held that, in certain circumstances, information could still be considered personal data even if "dissociated from the identification data held by someone else."2
Pseudonymised data may not be considered personal data if "the risk of identification is non-existent or insignificant."3
Therefore, according to the AG, this reasoning supports a relative, rather than a strict, approach to the concept of personal data and pseudonymisation. Taking a relative approach to the current case, the AG suggests that the key question for the Court to consider is whether "Deloitte had reasonable means to identify [the data subjects]."4 Only if Deloitte did have such means should the comments and alphanumeric codes it received from the SRB be considered personal data.
The case is ultimately about the following question:
If entity A collects personal data, pseudonymises it and shares only the pseudonymised data with entity B, with only entity A possessing the additional information required to use the pseudonymised data to identify specific individuals, is the pseudonymised data shared with entity B personal data under the GDPR?
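To make the three elements of pseudonymisation and the entity A / entity B question concrete, here is an added Python example (not from the post or the case file) that models the SRB-style set-up: the controller keeps the key and the code-to-identifier lookup, the recipient gets only codes and comments. The records, emails and the 32-byte key are constructed sample values; the keyed-hash code format is an assumption, not how SRB generated its alphanumeric codes.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample records, standing in for comments a controller (entity A) collected.
ORIGINAL_RECORDS = [
    {"email": "alice@example.test", "comment": "The valuation understates the assets."},
    {"email": "bob@example.test", "comment": "No objection to the resolution scheme."},
    {"email": "carol@example.test", "comment": "Request a second independent valuation."},
]


class Controller:
    """Entity A: holds the original data, the key and the lookup table.
    The key and lookup are the 'additional information' that stays with A."""

    def __init__(self, key: Optional[bytes] = None):
        self.key = key or secrets.token_bytes(32)   # never leaves entity A
        self.lookup = {}                            # code -> identifier, never shared

    def make_code(self, identifier: str) -> str:
        # Keyed hash: same identifier always gives the same code, but without
        # self.key nobody can recompute the code from a known identifier.
        digest = hmac.new(self.key, identifier.encode(), hashlib.sha256).hexdigest()
        return digest[:12].upper()

    def pseudonymise(self, records):
        shared = []
        for rec in records:
            code = self.make_code(rec["email"])
            self.lookup[code] = rec["email"]
            shared.append({"code": code, "comment": rec["comment"]})
        return shared   # this, and only this, is what entity B receives

    def reidentify(self, code: str) -> Optional[str]:
        return self.lookup.get(code)


def recipient_matches(shared, candidates, key: Optional[bytes]):
    """The 'reasonable means' test from entity B's side: given a candidate list of
    identifiers (e.g. a public shareholder register), which codes can B link?
    Without the key B can only try an unkeyed hash, which never reproduces a keyed
    code; with the key (the additional information) every code resolves."""
    codes = {rec["code"] for rec in shared}
    found = {}
    for ident in candidates:
        if key is None:
            guess = hashlib.sha256(ident.encode()).hexdigest()[:12].upper()
        else:
            guess = hmac.new(key, ident.encode(), hashlib.sha256).hexdigest()[:12].upper()
        if guess in codes:
            found[guess] = ident
    return found
```

Swapping the keyed hash for a plain SHA-256 of the email would let a recipient holding a shareholder list relink every comment, which is exactly the "reasonable means to identify" that the relative approach turns on.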
Subscribe to The Cyber Solicitor to keep reading this post and get 7 days of free access to the full post archives.