In a previous blog, I wrote about the General Court of the European Union ruling clarifying the question of when a piece of data may be considered sufficiently anonymous and therefore no longer personal data. However, a recent ruling by the Court of Justice of the European Union ("CJEU") revises this General Court ruling. The ECJ EU is once again ruling in the debate surrounding pseudonymous and anonymous personal data.
In 2017, the bankruptcy of Banco Popular Español was wound up by the European Joint Resolution Council ("GAR"). To assess whether compensation should be granted to shareholders and creditors of the bank, the GAR organized a process in which they could submit comments and objections via an online form. These comments and objections were then shared with a consulting firm for an independent external opinion. However, this was done in pseudonymized form; the personal details of the shareholders and creditors were removed and only an alphanumeric code was attached to all comments.
The European Data Protection Supervisor ("EDPS") subsequently received complaints from several shareholders and creditors about the GAR's failure to inform them that their data would be shared with a consultancy firm. This led to a discussion that revolved not only around whether or not the GAR had violated its duty of information, but (precisely) also around the fundamental question of whether personal data had been provided to the external consulting firm at all, or whether the data had been pseudonymized to such an extent that the data were anonymous to the consulting firm.
According to the EDPS, it was irrelevant that the consulting firm did not have access to the additional information that allowed identification. The EDPS considered that pseudonymized data also remain pseudonymized when they are transmitted to a third party who does not have access to additional data. It therefore held that the GAR had breached its duty to inform by not informing the data subjects. However, the Court concluded that the EDPS should have examined whether the comments forwarded to the GAR constituted personal data for the GAR in order to conclude that there was a breach of the information duty. Since the EDPS had assessed this only from the point of view of the GAR that provided the data, but not (also) from the point of view of the consultancy that received the data, the General Court annulled the EDPS decision. The EDPS appealed this judgment.
The ECJ first emphasized that personal opinions or views are particular in nature, which, as an expression of a person's thought, are necessarily closely linked to that person and therefore always constitute personal data. The General Court previously ruled that the EDPS should have first examined the content, purpose or effects of the shareholders' and creditors' comments before it could conclude that the information contained in the comments sent to the consultancy was data "concerning" a natural person. According to the CJEU, this opinion was wrong, since it was already established that the comments reflected the personal opinion or position of their authors and thus constituted personal data.
Furthermore, the CJEU determines - contrary to what the EDPS stated, but in line with the earlier judgment of the General Court - that pseudonymized data may not be considered personal data in all cases and for everyone for the purposes of the AVG. Even the existence of additional data at another party, on the basis of which the data subject can still be identified, does not alter this. After all, pseudonymization can, depending on the circumstances of the case, effectively prevent persons other than the controller from identifying the data subject in such a way that this data subject is not (or no longer) identifiable for them. Because the GAR has additional data that can be used to link the comments to shareholders and creditors, the comments remain personal to the GAR, despite their pseudonymization. For the consulting firm, however, these comments may be anonymous data, provided that the pseudonymization has been effective and identification is reasonably impossible. The CJEU thus confirms that pseudonymization can result in data remaining personal data for the provider, while at the same time no longer being personal data for the receiving party.
Finally, the CJEU addresses the information obligation, emphasizing that it cannot be imposed on an entity that is not at all capable of identification. Therefore, for the application of the information obligation, the identifiability of the data subject must be assessed at the moment of collection of the data, and thus before any transfer of that information to a third party, and from the point of view of the controller. Indeed, the question of whether the controller has fulfilled its information obligation cannot depend on the possibilities available to a possible recipient for identifying the data subject after a subsequent transfer of the data. Thus, contrary to the Court's earlier opinion, in this case it should not have been viewed from the perspective of the consulting firm, but from the perspective of the GAR.
Ultimately, the CJEU overturns the General Court's ruling and the case is referred back for further review.
To assess whether the AVG applies, it is important to first know whether "personal data" is involved. Organizations should be aware of the fact that subjective data - such as personal opinions and viewpoints - as well as pseudonymized data, can qualify as personal data as soon as it is traceable to an individual.
The ECJ ruling is particularly interesting because of two points. First, the ruling shows that organizations cannot hide behind pseudonymization to avoid transparency and information obligations. Therefore, it does not matter to a party providing personal data whether the data can be classified as personal data by the receiving party. After all, the transmission of pseudonymous data is, from the point of view of the provider as a data controller, a processing of personal data that must comply with the AVG, including the information obligation incumbent on the provider. At the moment personal data is collected, the organization seeking to transmit it must already provide information about possible recipients to data subjects.
Second, it follows from the judgment that data that have been pseudonymized by another party and then transmitted for the receiving party need not always be considered personal data. There must be effective pseudonymization that actually results in identification by the recipient no longer being reasonably possible. In that case, the data is anonymous to the recipient and the AVG no longer applies to it. This can be particularly useful in practice in various cases, for example in collaborations with third parties, but also in international data transfers. If data is pseudonymized to such an extent that it no longer constitutes personal data for the recipient in a third country, then the "appropriate safeguards" that are normally required for the transfer of personal data outside the EEA can be omitted. This can make a huge difference to the data controller. Similarly, in the event that a hospital wants to share patient data, for example, with a university for research into the effectiveness of a new drug, it is highly desirable that the hospital redacts the data in such a way that the university can no longer trace the identity of a patient in any case. This allows this data to be shared more freely for scientific research, without the strict rules of the AVG applying.
