A recent decision by the EU General Court has held that where a data controller discloses data which it has pseudonymised, this will not count as a disclosure of personal data where the individuals concerned are not identifiable by the recipient of the data.
It is very helpful to have some judicial authority supporting the idea of ‘relative’ identifiability, although the European General Court sits beneath the CJEU in terms of its authority, and tends to take a more conservative approach on data protection issues than the CJEU.
The case involved a challenge by an EU body, the Single Resolution Board (“SRB”), to a finding by the European Data Protection Supervisor (“EDPS”) that the SRB had failed to meet its transparency obligations. Its privacy notice had not stated that it would be disclosing personal data to Deloitte as part of its conduct of a resolution scheme. The SRB had shared information with Deloitte; at issue was whether that information was personal data. As an EU body the SRB is governed by Regulation (EU) 2018/1725 rather than the GDPR, but the definitions of personal data and pseudonymisation are the same under both.
The SRB had shared with Deloitte certain comments submitted by affected shareholders and creditors. Prior to this sharing, the comments were allocated randomly generated 33-digit unique alphanumeric identifiers. The SRB retained a database allowing it to link the identifiers back to the original commenters, but neither Deloitte nor the SRB staff working with the comments had access to that database (the “de-coding table”).
It was common ground that the comments in the hands of the SRB were pseudonymised data, that the alphanumeric code did not on its own allow the authors of the comments to be identified, and that Deloitte did not have access to the de-coding table. Nevertheless, the EDPS argued that the comments were also pseudonymised data in Deloitte’s hands, since additional information (the de-coding table) existed which would allow re-identification. However, the Court relied on Breyer (a CJEU decision from 2016 regarding IP addresses) to conclude that the EDPS should have considered whether Deloitte specifically had legal means available to it which could in practice enable it to access the additional information necessary to re-identify the authors of the comments. Readers may recall that in Breyer the ISP could be legally compelled to provide the information enabling identification.
Perhaps somewhat surprisingly, this is the second time in a month that we can say a European decision is consistent with the ICO’s view: the ICO’s draft guidance on anonymisation and pseudonymisation states that “pseudonymous data which you can still identify using a key or other separate identifiers might no longer be identifiable in the hands of a different organisation who does not have access to the key”.