It's All Relative: Analysing The CJEU's Judgment On The Scope Of Pseudonymous Personal Data

Ropes & Gray LLP

In a decision with significant legal and operational ramifications for organisations of all shapes and sizes, the Court of Justice of the European Union (CJEU) last week confirmed that pseudonymised data will not always and for all parties constitute personal data for the purposes of the General Data Protection Regulation (GDPR).

Such a conclusion is logical, practical and far-reaching, given that the question of whether information constitutes personal data, pseudonymous data or anonymous data applies to a wide range of scenarios in several industries. For their part, the authors of this post regularly encounter two scenarios in relation to which the CJEU’s decision in EDPS v SRB will be particularly relevant:

  • The transfer of pseudonymous, or “key-coded”, data for research purposes from institutions located in the EU and UK to US-based academic medical centres and sponsors of clinical research activities.
  • The receipt of pseudonymous data sets to train AI models.

Before turning to the CJEU’s decision (a link to which is here), let’s recap the three types of data to which the GDPR refers:

  • Personal Data: Information relating to a living individual who can be identified or who is identifiable directly from that information or who can be indirectly identified from that information in combination with other information. The GDPR applies to the processing of such data.
  • Pseudonymous Data: Processing of personal data in such a manner that the personal data can no longer be attributed to a specific individual without the use of additional information, provided that the additional information is kept separate and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person. As a general rule, the GDPR applies to the processing of such data.
  • Anonymous Data: Information that does not relate to an identified or identifiable living individual or that is rendered anonymous in such a manner that the individual is not or is no longer identifiable. The GDPR does not apply to the processing of such data.

What Did the Court Decide?

Put simply, that the concept of personal data is — or at least can be — relative and context-specific.

While the CJEU decision dealt directly with Regulation (EU) 2018/1725, which is a separate regulation from the GDPR that applies to the processing of personal data by EU institutions, bodies, offices and agencies, the CJEU observed that because the definition of personal data in Regulation (EU) 2018/1725 is essentially identical to that found in the GDPR, the two regulations should be interpreted in the same way, meaning that the decision also applies to the interpretation of the GDPR.

Pseudonymised data, the CJEU held, “must not be regarded as constituting, in all cases and for every person, personal data for the purposes of [the GDPR], in so far as pseudonymisation may, depending on the circumstances of the case, effectively prevent persons other than the controller from identifying the data subject in such a way that, for them, the data subject is not or is no longer identifiable”. Applying this conclusion in practice, the Court makes clear that:

  • For personal data to become pseudonymous in a manner that takes their processing outside the scope of the GDPR for the data recipient, the identifying information must be kept separately (i.e., by the disclosing party) and be subject to technical and organisational measures that prevent the personal data from being attributed to the individual.
  • The test is whether “all of the means reasonably likely to be used” by the disclosing party or a third party would identify the individual, either directly or indirectly. The means of identifying the individual is not reasonably likely to be used “where the risk of identification appears in reality to be insignificant”, whether because the identification is legally prohibited or impossible in practice, e.g., because it would “involve a disproportionate effort in terms of time, cost and labour”.
  • The existence of additional information enabling the individual to be identified does not necessarily mean that the pseudonymised data constitute in all cases, and for each entity that processes them, personal data for the purposes of the GDPR.
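The key-coding arrangement described in the definitions above and in the Court's first condition can be made concrete. The following Python is an added illustration written for this post, not code from the judgment or from the authors: it separates the data set a recipient would receive from the "additional information" (secret and key table) that the discloser retains. The records, field names and secret are constructed.

```python
import hashlib
import hmac

# Constructed sample records: fictitious individuals, not real data.
RECORDS = [
    {"patient_id": "P-0001", "name": "Alice Example", "age": 34, "diagnosis": "asthma"},
    {"patient_id": "P-0002", "name": "Bob Example", "age": 57, "diagnosis": "diabetes"},
]
# Fields that identify the individual directly; everything else is kept.
DIRECT_IDENTIFIERS = ("patient_id", "name")


def pseudonymise(records, secret):
    """Discloser side: replace direct identifiers with a keyed pseudonym.

    Returns (data_set, key_table). The data set is what the recipient gets;
    the key table (pseudonym -> identifiers) together with the secret is the
    'additional information' that must stay with the discloser, under
    technical and organisational measures, for the data to be pseudonymous
    rather than identifiable in the recipient's hands.
    """
    data_set, key_table = [], {}
    for rec in records:
        # HMAC keyed by the discloser's secret: deterministic (so repeat
        # disclosures link up) but not reversible without the key table.
        pseudonym = hmac.new(secret, rec["patient_id"].encode(), hashlib.sha256).hexdigest()[:16]
        key_table[pseudonym] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
        data_set.append({"pseudonym": pseudonym,
                         **{k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}})
    return data_set, key_table


def is_identifiable_by(data_set, additional_info):
    """The Court's test reduced to its mechanical core: does the party holding
    `additional_info` have what is needed to attribute the records to people?
    A recipient with an empty (or unrelated) key table does not."""
    return any(rec["pseudonym"] in additional_info for rec in data_set)


def reidentify(data_set, key_table):
    """Only a party holding the key table can re-attach the identifiers."""
    return [{**key_table[rec["pseudonym"]], **rec} for rec in data_set]


if __name__ == "__main__":
    secret = b"constructed-discloser-secret"
    shared, retained = pseudonymise(RECORDS, secret)
    print("recipient sees:", shared)
    print("identifiable to recipient:", is_identifiable_by(shared, {}))
    print("identifiable to discloser:", is_identifiable_by(shared, retained))
```

The same structure shows the third bullet's point: the key table existing somewhere does not make the data identifiable to a recipient who holds only `shared`, but it does as soon as that recipient obtains `retained`.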

Importantly, the CJEU also held that an organisation that discloses pseudonymised data for which it maintains the ability to re-identify must comply with the transparency obligations of the applicable law with respect to such disclosure, i.e., Article 15(1)(d) of Regulation (EU) 2018/1725, which corresponds to Article 14(1)(e) GDPR. The CJEU states that “for the purposes of applying the obligation to provide information laid down in Article 15(1)(d) of Regulation 2018/1725, the identifiable nature of the data subject must be assessed at the time of collection of the data and from the point of view of the controller” (emphasis added).

What is left unsaid by the CJEU is whether other obligations imposed by the GDPR on controllers — such as putting in place appropriate data processing agreements (DPA) with their processor, ensuring compliance with requirements for cross-border transfers and conducting data protection impact assessments — would continue to apply when pseudonymised data are provided to a party in whose hands they will not be considered personal data. In practical terms, a processor that cannot identify individuals in the pseudonymised data that it processes on behalf of its controller client will not be able to discharge some of the key obligations under the parties’ DPA, such as providing assistance with individual rights requests.

However, absent clear guidance on this point from the CJEU or EU data protection regulators, data disclosers will likely continue to push for the inclusion of these measures, in order to protect themselves in the event that pseudonymised data do, or reasonably could, become identifiable in the hands of the data recipient or other third parties. Organisations based outside the EU that receive pseudonymised data should therefore be prepared to be asked by some data disclosers to enter into standard contractual clauses (for controllers and processors) and DPAs (for processors) in order to govern the parties’ transfer and processing activities.

How Should Organisations Apply the Court’s Decision?

The extent to which the decision is relevant — and helpful — for your processing activities will turn on whether you disclose or receive personal data that are, or could be, pseudonymous.

You are a Discloser of Pseudonymised Data

  • The GDPR will apply to your processing of personal data, even where the data are sent to the recipient in a pseudonymised form and the recipient’s processing of such data thus falls outside the scope of the GDPR.
  • Determine and document the technical and organisational measures that prevent the recipient from re-identifying the data, including with the input of the recipient party as needed, and ensure that the recipient party cannot — or will not — “lift those measures” in a manner that would result in the data becoming identifiable for its purposes.
  • Assess, at the time of collection of the data, the identifiable nature of the individual. Accordingly, your Article 13 and 14 GDPR transparency information must disclose the recipients or categories of recipients of personal data — seemingly even if the GDPR does not apply to those recipients’ processing of the data.
  • As discussed above, consider whether you will ask a processor to which you disclose pseudonymised data to enter into an Article 28 GDPR-compliant DPA.
  • Similarly, where the recipient is located outside the EU, determine whether and how to ensure that the transfer of pseudonymised data to that party complies with Chapter V of the GDPR, i.e., through an adequacy decision, the use of standard contractual clauses or binding corporate rules, or reliance on an Art. 49 GDPR derogation.

You are a Recipient of Pseudonymised Data

  • The GDPR will not apply to your processing of personal data if (1) the disclosing party (or another party) holds information that would allow identification of the relevant individuals, and (2) the individuals are not identifiable to you by means reasonably likely to be used.
  • Contractually agree with the disclosing party that you do not want to receive identifiable personal data or the identifying key for pseudonymous data and document the measures that the parties have or will put in place to ensure that the data are not identifiable to the recipient.
  • Take care when sharing pseudonymous data with third parties to ensure that those parties are not reasonably likely to be able to identify the individuals who are the subject of the data. If the third party does possess information that allows it to identify the individuals, the data — to which the GDPR did not apply in respect of your processing — will likely become in-scope personal data for both you and the party(ies) with which you share the data.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Ropes & Gray LLP
