CJEU clarifies concept of personal data for a transfer of pseudonymised data to third parties

A brief recap

The EU Single Resolution Board (SRB) shared pseudonymised data with its contractor, Deloitte, but did not reference Deloitte as a recipient in its privacy notice. This led to complaints lodged with the SRB's supervisory authority, the European Data Protection Supervisor (EDPS), which found the SRB infringed its obligation to inform data subjects about the recipients of personal data.

The SRB appealed this decision to the European General Court, which found that the EDPS had not assessed from Deloitte's perspective if personal data had been received. The General Court annulled the EDPS's decision.

In this latest judgment, CJEU set aside the judgment of the General Court. However, the key elements of EDPS’s appeal did not succeed. The case must now be referred back to the General Court.

Key takeaways from the CJEU’s judgment 

• The CJEU found that the General Court erred in law when it held that the “EDPS, in order to conclude that the information contained in the comments transmitted to Deloitte ‘related’, within the meaning of Regulation 2018/1725, to the persons who submitted those comments, should have examined the content, purpose or effects of those comments, whereas it was common ground that they expressed the personal opinion or point of view of their authors”.
• The CJEU rejects the absolute position taken by EDPS (and the European Data Protection Board) that pseudonymised data must always be considered personal data, even when the person receiving has no realistic means to re-identify anyone. This confirmed the approach of the General Court.
• The CJEU found that pseudonymised data is not personal data "in all cases and for every person". If a recipient does not have "access to the means reasonably likely to be used" to re-identify a data subject, then pseudonymisation may "effectively prevent" them "from identifying the data subject in such a way that, for them, the data subject is not or is no longer identifiable".  This the first time the CJEU has explicitly made this statement, whereas previously some had implied from the judgment in the case of Breyer under the forerunner to GDPR, Directive 95/46/EC.
• The CJEU highlighted the limits of pseudonymisation: if a recipient of pseudonymised data disclosed it to someone else who is capable of reidentifying it, that can cause the data protection law to apply again.
• Controllers will need to mention their disclosures of pseudonymised data to third parties in their privacy notices. The CJEU found that the identifiable nature of the data subject must be assessed at the time of collection of the data and from the point of view of the controller.

Unanswered questions

CJEU does not address whether other GDPR requirements applicable to controllers, such as agreeing data processing agreements, would continue to apply when pseudonymised data are provided to a third party in whose possession that data will not be considered personal data. A processor that cannot identify individuals in the pseudonymised data that it processes on behalf of its controller will not be able to discharge some of its obligations under an article 28 data processing agreement, such as assisting the controller with data subject rights requests.

Other implications 

The judgment will also need to be considered by the European Data Protection Board, as it had taken the position in line with EDPS’s appeal in various guidelines recently issued for consultation, most notably the guidelines on pseudonymisation. We now await the revised guidelines following the consultation and the outcome of the SRB case. Other national data protection authorities may also need to update guidance. The judgment may also have relevance for controllers who may be planning to share pseudonymised data in contexts such as AI model training. 

The judgment is available here.