In its judgment of 26 April 2023 (case T-557/20), the Court of Justice of the European Union (‘CJEU’) ruled that pseudonymised data transmitted to a recipient who does not have the means to identify the data subject is not personal data. This means that such information does not fall within the scope of the legislation on the protection of personal data.
Before entering into the merits of the judgment under discussion, it seems appropriate to define what is meant by ‘pseudonymisation’. According to Article 4 of Regulation (EU) 2016/679 (better known by the acronym ‘GDPR’), pseudonymisation means ‘the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person’.
The facts of the case
The facts of the case examined by the CJEU are set out below.
The case originates from several complaints received by the European Data Protection Supervisor (the ‘EDPS’) reporting specific conduct of the Single Resolution Board (‘SRB’).
Specifically, the SRB, after collecting some opinions of shareholders and creditors (the ‘data subjects’) through an electronic form, had transferred the answers obtained to a consulting firm. Before forwarding the answers to the consulting firm, however, the SRB had pseudonymised the data by replacing the names of the data subjects with alphanumeric codes. The data subjects nevertheless complained to the EDPS that the information notices on the processing of personal data provided by the SRB did not specify that their personal data would be shared with third parties.
The EDPS stated that, even though the data thus disclosed did not allow the company to identify the authors of the survey, the pseudonymised data should nevertheless be considered personal data, also in view of the fact that the outsourcer received the alphanumeric code that allowed it to link the replies received.
For these reasons, the EDPS held the consulting firm (the recipient of personal data) and the SRB liable for the breach referred to in Article 15 of the GDPR – governing the right of access of the data subject – for not having provided, among other things, information about the recipients or categories of recipients to whom the personal data would be disclosed.
The decision of the Court of Justice of the European Union
The judges of the CJEU overturned the EDPS’s decision. The CJEU stated that the decision taken by the EDPS on the nature of the pseudonymised data was incorrect, as the EDPS had not verified whether or not the company to which the data had been disclosed was able to re-identify the data subjects. That verification should have taken place on the basis of the instruments the company held, or did not hold, enabling it to identify natural persons.
To identify whether or not pseudonymised information disclosed to a recipient constitutes personal data, it is necessary to ‘consider the recipient’s perspective’. If the recipient does not have additional information enabling him/her to identify the data subjects or does not have legal means to access it, the disclosed data are considered to be anonymous data and therefore are not personal data. Therefore, they are excluded from the scope of application of the principles in force regarding data protection. On the contrary, the fact that the party disclosing the data has the means to identify the data subjects is irrelevant.
On these grounds, the Court of Justice annulled the EDPS’s decision and ordered it to pay the costs of the proceedings.