In judgment of 26 April 2023 (case T-557/20), the Court of Justice of the European Union (‘CJEU’) ruled that pseudonymised data transmitted to a recipient who does not have the means to identify the data subject is not personal data. This means that such information does not fall within the scope of the legislation on the protection of personal data.
Before entering into the merits of the judgment in comment, it seems appropriate to define what is meant by ‘pseudonymisation’. According to Article 4 of Regulation (EU) 2016/679 (better known by the acronym ‘GDPR’) pseudonymisation means ‘the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person’.
The facts of the case
The case examined by the CJEU is examined below.
The case originates from several complaints received by the European Data Protection Supervisor (the ‘EDPS’) reporting specific conduct of the Single Resolution Board (‘SRB’).
Specifically, the SRB, after collecting through an electronic form some opinions of shareholders and creditors (the ‘data subjects’), had transferred the answers obtained to a consulting firm. Before forwarding it to the consulting firm, however, the SRB had pseudonymised this data by replacing the names of the data subjects with alphanumeric codes. However, the latter complained to the EDPS that the information notices on the processing of personal data provided by the SRB did not specify that their personal data would be shared with third parties.
The EDPS stated that, although the data thus disclosed did not allow the company to identify the authors of the survey, the data, although pseudonymised, should nevertheless be considered personal data, also in view of the fact that the outsourcer received the alphanumeric code that allowed it to link the replies received.
For these reasons, the EDPS held the consulting firm (the recipient of personal data) and the SRB liable for the breach referred to in Article 15 of the GDPR – governing the right of access of the data subject – for not having provided, among other things, information about the recipients or categories of recipients to whom the personal data would be disclosed.
The decision of the Court of Justice of the European Union
The judges of the CJEU overturned the EDPS’s decision. The CJEU, in fact, stated that the decision taken by the EDPS on the nature of the pseudonymised data was incorrect, as the EDPS had not verified whether or not the company to which the data had been disclosed was able to re-identify the data subjects. That verification should have taken place on the basis of the instruments it held, or did not hold, enabling it to identify natural persons.
To identify whether or not pseudonymised information disclosed to a recipient constitutes personal data, it is necessary to ‘consider the recipient’s perspective’. If the recipient does not have additional information enabling him/her to identify the data subjects or does not have legal means to access it, the disclosed data are considered to be anonymous data and therefore are not personal data. Therefore, they are excluded from the scope of application of the principles in force regarding data protection. On the contrary, the fact that the party disclosing the data has the means to identify the data subjects is irrelevant.
On these grounds, the Court of Justice annulled the EDPS’s decision and ordered it to pay the costs of the proceedings.
Other related insights:
GDPR: security measures to support data protection
Decree-Law no. 82/2021 (the “Decree“) was published in the Official Gazette on 14 June, containing “urgent provisions on cyber-security – definition of the national cyber-security architecture and establishment of the National Cyber-security Agency” .
The term “Cyber-security” means “activities necessary to protect networks, information systems, computer services and electronic communications from cyber threats, ensuring their availability, confidentiality, integrity and resilience” (Art. 1, paragraph 1, letter a).
The Decree, which consists of 19 articles, institutionalises the “Interministerial Committee for cyber-security” (“CIC“). CIC performs advisory, proposal and supervisory functions in the field of cyber-security policies, including the protection of national security in cyberspace. In addition, CIC has the following tasks:
Among the Decree’s main features is the establishment of the “National Cyber-security Agency” (“NCA” or “Agency“). The Decree specifies its functions by clarifying its composition and organisation. A special regulation, to be approved within 120 days from the entry into force of the Decree, shall define the Agency’s functioning, which is composed of eight general management level offices and thirty non-general management level offices within the available resources (art. 12 paragraph 1).
The Agency is the main body in the cyber-security field, acting as a national authority and centralising the various expertise hitherto attributed to other bodies, including those of the Ministry of Economic Development. Its tasks include:
The Agency is supported by the “Cyber-security unit“, which supports the Prime Minister, for aspects relating to the prevention and preparation for possible crises and the activation of warning procedures. The main tasks entrusted to this body include:
◊◊◊◊
By 30 April of each year, the Prime Minister must report to Parliament on the Agency’s activity in the previous year. As an Italian National Coordination Centre, the Agency will interface with the “European Cyber-security Industrial, Technology and Research Competence Centre“, contributing to increasing the European strategic autonomy in the sector.
Other related insights:
On 10 December 2020, the Italian Data Protection Authority (“Guarantor“) launched a public consultation on the “Guidelines on the use of cookies and other tracking tools“ (the “Guidelines“) drafted on 26 October.
The Guarantor follows indications provided by the European Data Protection Board (“EDPB“) in the “Guidelines 5/2020 on consent under Regulation (EU) 2016/679” of 4 May 2020.
Cookies are small strings of text that websites (publishers or “first parties”) visited by the user or different websites or web servers (“third parties”) place and store on the used device (e.g. Smartphone, PC or Tablet). Cookies allow to collect information and improve the user/data subject’s navigation.
Regulation (EU) 2016/679 on personal data protection (“GDPR“), while not directly modifying the rules on such tracking tools, regulates the personal data processing consent. It established that the consent must be provided by data subjects through a “free, specific, informed and unequivocal manifestation of will“ (see Article 4, GDPR).
Under the “accountability principle”, this focuses on implementing data protection principles by design and by default, making it necessary to analyse the correct way of issuing online privacy policies to users/data subjects and acquiring their consent, where required.
The Guidelines, implementing what was stated by the EDPB, clarify that:
The Guidelines clarify that each data controller must provide data subjects/users with timely information on the processing of their data. This information must be provided on two levels: (i) short information notice or banner containing a link (ii) to the extended privacy policy.
After the public consultation directed at entrepreneurs, consumers, users and operators in the sector, and the analysis, followed by the possible implementation, of the comments received, the Authority will issue the final measure.
Other insights related:
With a note of 16 October 2019, the Association of Supervisory Body Members as per Legislative Decree 231/2001 (the “Association”) asked the Italian Data Protection Authority (the “Authority”) for a meeting to discuss the issue of the subjective classification for privacy purposes of the Supervisory Body (the “OdV, Organismo di Vigilanza).
The Association’s arguments
The subjects defined by the Regulation (EU) 2016/679 concerning personal data protection (the “Regulation”) and Legislative Decree 196/2003 as amended by Legislative Decree 101/2018 containing the provisions adapting national legislation to the Regulation (the “Privacy Law” and together with the Regulation the “Privacy Legislation”), include the (i) Data Controller, defined as “the natural person or legal entity (…) that, individually or together with others, determines the purposes and means of the processing”; (ii) Data processor, i.e. “the natural person or legal entity, public authority, service or other body that processes personal data on behalf of the data controller” and (iii) Party Authorised to process personal data, i.e. “(…) anyone acting under the authority” of the Data Controller or Processor.
The issue, discussed fully in case law starting from the first interpretations of the Regulation, witnessed a conflict between the argument whereby the Supervisory Body for correct application of the Privacy Legislation should be classified as the Data Controller and the argument that considered it as Data Processor, i.e. a third party in relation to the Controller but acting on its behalf.
The Association supported a third hypothesis where the OdV, “as part of the enterprise”, must not be defined as a Data Controller or a Data Processor but its subjective classification should be within the organisation of the Entity it is asked to supervise.
The Authority’s position
The Authority clarified that the OdV cannot be classified as an independent Data Controller since it does not have the right to determine its own duties. They, along with their operation, means and security measures as well as any attribution of resources, are defined by the enterprise’s management body based on the previously adopted organisational model.
Moreover, according to the Authority, the OdV is not even classified as an external Data Processor since the Regulation attributes to the latter a series of obligations and a consequent and direct liability if these obligations are not observed. Instead, should the OdV omit to perform controls on the compliance with the organisational models prepared by the Entity, the liability lies directly with the Entity and not the OdV.
With these explanations, the Authority upholds the argument sustained by the Association and clarifies that the OdV is not a separate body from the Entity but it is part of the same and the latter is assigned with defining the scope and procedures for exercising the duties to assign to it. Therefore, its members, as part of the Entity, as stated in articles 29 of the Regulation and 2-quaterdecies of the Legislative Decree 101/2018, must be designated as subjects authorised to process data that it learns of in exercising its function and must follow precise instructions provided to them by the Data Controller.
In light of the above, the Authority clarifies that such explanations, inferred based on the principles contained in the privacy legislation, do not exceed and are not in conflict with the provisions of decree 231 which attributes to the OdV autonomous powers of initiative and control for correct exercise of its functions.
Other related insights: