Major ECJ decision confirms when data may be anonymous in the hands of third parties

McDermott Will & Schulte

On 4 September, the ECJ handed down a major and eagerly awaited decision on the scope of personal data, accepting the point that pseudonymised data may be anonymised in the hands of a third party.

The ECJ’s approach is consistent with the approach of the UK data protection authority guidance, which we summarised earlier this year in an article, ‘What ICO guidance on anonymisation means for health and life sciences companies’.

The decision will be widely welcomed as good news and a victory for common sense, particularly in the life sciences sector.

Background

The background to the case was the sharing of a dataset by the Single Resolution Board (SRB) with Deloitte, which had been tasked by SRB with carrying out a valuation of the effects of a resolution procedure on shareholders and creditors.

SRB took a series of steps to protect the dataset shared with Deloitte, including applying pseudonymisation measures to the dataset. Deloitte had no access to the original database, and SRB retained a code which allowed it to reidentify the dataset. The dataset sent to Deloitte included an alphanumeric code but not the reidentification code. SRB did not include information in its privacy notice that Deloitte was a potential recipient of the personal data.

Following this sharing, the European Data Protection Supervisor (EDPS) received five complaints from data subjects and found that the data was personal data (pseudonymised) because SRB retained the reidentification code.

SRB did not look at the data from Deloitte’s perspective (i.e., in Deloitte’s hands). The view of the EDPS was that it was enough for the data to be personal data because SRB had the reidentification code.

At the heart of the dispute was whether anonymisation should be an absolute or relative test. The EDPS adopted an absolute approach, and if the court had accepted the EDPS’s view, this would have meant it would never be possible for data to be anonymous if any person retained the code.

The key legal question reviewed by the ECJ was whether the data relates to identified or identifiable persons. It was accepted that the persons were not identified, so the key point is whether the persons were identifiable.

The court rejected the EDPS position here.

Instead, the ECJ confirmed that, contrary to the opinion of the EDPS and EDPB, pseudonymised data may, depending on the circumstances of the case, ensure that persons are no longer identifiable. More importantly, the ECJ found that the fact that SRB held the reidentification code did not necessarily mean the data was personal data.

Instead, it was possible to put oneself in Deloitte’s position to decide whether the data was identifiable. Here, the EDPS had not properly looked (as it should have done based on the Breyer case) at whether Deloitte had legal means available to it which could, in practice, enable it to access the additional information necessary to re-identify the persons.

As the EDPS had not looked at Deloitte’s perspective, the court held that it was not possible for EDPS to conclude that the data was personal data.

However, it is important to note that the court did agree with EDPS in one respect – and that is that SRB, as data controller, had breached its transparency obligations because it did not tell data subjects that the data was being transmitted to Deloitte, regardless of whether such data was personal data from Deloitte’s perspective.

What next?

First, this ruling confirms that pseudonymisation may be recognised as an anonymisation technique in certain cases, which has always been challenged by several EU Data Protection Authorities.

Second, it is very helpful to have a decision that says that an absolute approach to anonymisation is not always required – the court affirms the relative approach and says that the perspective of the recipient is the one to be considered, i.e., in assessing anonymisation, a “whose hands” test is relevant.

However, it was accepted by the parties that the data was personal data in SRB’s hands. Hence, SRB needed to tell data subjects about who it was sending their data to. This raises interesting questions about the scope and nature of transparency and would point to an expansive transparency notice.

Finally, given that the decision goes against the approach that had been advocated by data protection authorities, including in recent draft guidance, it is likely that the debate will shift to how to assess the re-identification risks in the hands of the recipient, and what is meant by “reasonable means” to re-identify. Interestingly, the ECJ included a reminder in the decision that the re-identification risk must be reasonably likely, noting that the court had previously decided that this risk is insignificant where identification of a data subject would be prohibited by law or impossible in practice, because it would involve a disproportionate effort in terms of time, cost and labour (ECJ, 7 March 2024, OC v European Commission, C-479/22). It will be interesting to review the next steps and guidance issued by authorities.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© McDermott Will & Schulte
