Pseudonymization and anonymization of data: Recent developments from European case-law

On April 26, 2023, the General Court of the European Union issued its decision in case T-557-20, focusing on the difference between pseudonymous and anonymous data. More specifically, the decision was issued in relation to the notion of personal data as defined by Regulation (EU) 2018/1725 on the processing of personal data by the institutions, bodies, offices, and agencies of the European Union, which is identical to the content of the GDPR on the subject.

The case involved the Single Resolution Committee (“SRC”) and the European Data Protection Supervisor (“EDPS”) and concerned the difference between treatment of shareholders and treatment of creditors and the latter’s right to receive compensation upon implementation of a resolution scheme by a Spanish credit institution.

The dispute stemmed from five complaints submitted to the EDPS by a group of shareholders and creditors who complained that they had not been adequately informed by the SRC that the observations they had made and submitted via forms would be shared with third-party independent auditors to verify the accuracy of preliminary decisions made by the SRC in part in light of observations submitted by shareholders.

The data at the center of the case were shareholder and creditor observations received by the SRC in the consultation stage that had been assigned alphanumeric codes. These codes, generated for the purpose of handling any future disputes, allowed the SRC to link each observation to its registration data, thus identifying the subject who made each.

Only the observations and the corresponding alphanumeric codes were communicated to third parties; only the SRC could access the additional data.

According to the EDPS, the data transmitted to third parties qualified as pseudonymous data, and therefore as personal data, because shareholders could be reidentified using personal data possessed by the SRC only. Furthermore, the EDPS’ position was that if the SRC could identify the shareholders, that meant the shared observations and alphanumeric codes were personal data, and this was true even if only the SRC had access to the data allowing identification of the shareholders.

In supporting its argument, the EDPS pointed out the following:

  • In line with the GDPR, in defining personal data, Article 3, no. 1, Regulation (EU) 2018/1725 cites the possibility of identifying an individual “indirectly,” and therefore it is not necessary that a single piece of information be capable of identifying the subject;
  • When considering when an individual may be identified, the means that can be used by the data controller, and by any other person, should be taken into account. Therefore, it is irrelevant whether the additional information is in possession of one or more persons;
  • Even without the additional data, an alphanumeric code could be considered “additional information” under the definition of pseudonymization provided under Article 3 Regulation (EU) 2018/1725, since it allowed the data subject who made the observation to be identified.

In response, the SRC argued that the data transmitted were anonymous data, since the additional data allowing reidentification were not shared and only SRC personnel could access them.

In its decision, the General Court of the European Union first cited the principles expressed by the Court of Justice of the European Union (“CJEU”) in the Breyer judgment (C-582/14). In that case, not all information suitable for identification was held by one person, but instead it was held by several parties. In fact, in the Breyer judgment the CJEU found that the fact that more than one party had access to additional information allowing reidentification was per se insufficient to exclude the possibility of reidentification.

However, according to the General Court, the mere potential for reidentification does not automatically imply that data qualify as personal data. Instead, the possibility of such identification occurring in practice in light of the circumstances of the case should be taken into account.

Applying this principle to the case at hand, the General Court stated that, since the third-party recipient did not have access to the additional information capable of identifying the data subjects, nor could it in any way have acquired such access, the transmitted data should be considered anonymous data and not pseudonymous data.

The decision is particularly interesting because it seems to override the position taken by the Art. 29 Working Party (“Art. 29 WP”) in Opinion 05/2014[1] on anonymization techniques, which says that potential identifiability should be assessed by taking into account means that can reasonably be used by any other party (not just the data controller). In the General Court’s opinion, on the contrary, the identifiability of the data subject should be assessed taking into account the concrete possibilities of the third-party recipient to identify data subjects. As such, pseudonymous data that are shared must be considered anonymous if the recipient has no means to re-identify data subjects: in the case at hand, the EDPS should have verified whether the recipient had those means. From a practical standpoint, this could allow controllers sharing pseudonymous data to demonstrate that the recipient has no means to re-identify the data subjects and, on that basis, to argue that they are sharing anonymous data instead.

Application of the new criteria established by the EU General Court in case T-557-20 should be further investigated in the near future. Indeed, they could significantly affect (and ultimately disrupt) fields where pseudonymous data is usually used, such as medical and scientific research.

 

[1] https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2014/wp216_en.pdf.
