ECJ strengthens data protection: Pseudonymization alone is not always enough

The ECJ has clarified when pseudonymized data is considered personal data. It overturned a ruling that had restricted the supervisory authority's control powers.

In a ruling announced on Thursday, the European Court of Justice (ECJ) clarified that pseudonymized data can also be considered personal information if it is transferred to third parties. The ruling concerns a case between the Single Resolution Board (SRB), an EU agency for the orderly resolution of insolvent financial institutions, and the EU Data Protection Supervisor (EDPS), Wojciech Wiewiórowski. It is likely to have far-reaching consequences for the handling of data in the digital space.

Before the dispute, the SRB wanted to find out whether former shareholders and creditors were entitled to compensation following the liquidation of the Spanish financial institution Banco Popular Español. To this end, it obtained statements from those affected in a hearing procedure. The authority then forwarded these statements in pseudonymized form to the consulting firm Deloitte, which it had commissioned to carry out an assessment. Several data subjects then complained to the EDPS because they had not been informed about the disclosure of their data.

Wiewiórowski came to the conclusion that the SRB had breached its duty to provide information. He considered Deloitte to be a recipient of personal data and demanded that the data subjects be informed of the transfer. The SRB then took legal action against the EDPS's decision and succeeded before the General Court of the European Union (General Court). The General Court found that the supervisory authority should have checked whether the data was also personal from Deloitte's perspective.

Wiewiórowski appealed against this ruling, and the ECJ has now sided with him in case C-413/23 P. It overturned the judgment of the lower court and referred the case back to it. The Court based its decision on three central points. First, it clarified that personal opinions and views expressed in the statements are necessarily closely linked to the individual. The General Court had erred when it required the EDPS to examine the content and purpose of the statements more closely to establish their personal nature.

Furthermore, the appellate court confirmed that pseudonymized data is not automatically considered non-personal. According to the court, identifiability depends on the circumstances. It must be examined whether individuals apart from the data controller can actually subjectively identify the data subject. Business law expert Alexander Golland, on the other hand, interprets this as follows: if pseudonymized data is transmitted, it is basically anonymous information from the recipient's perspective.

The most important point of the ruling is that the relevant perspective for the assessment of identifiability is that of the data controller – here the SRB – at the time of data collection. The obligation to provide information arises before the data is passed on to third parties. It is therefore irrelevant whether the information was still personal for Deloitte after pseudonymization. The SRB should have informed the data subjects of the planned disclosure prior to the transfer, regardless of whether this data was still identifiable to the recipient or not.

The ruling strengthens the position of the EDPS and emphasizes that the responsibility for the protection of personal data lies primarily with the primary processor. Companies and authorities cannot claim that data can no longer be identified by third parties after pseudonymization to avoid their obligation to provide information. The ECJ thus underlines the importance of transparency when handling data. It indicates that pseudonymization is an important data protection measure. However, this technical tool alone is not sufficient to safeguard the rights of the data subjects.

Back in 2016, the ECJ ruled in response to a complaint by lawyer and activist Patrick Breyer: pseudonymized data – such as a dynamic IP address – are not automatically anonymous. As long as it is possible to restore the identity of the person through "additional information", the information remains personal. The crucial question is whether the data controller has the means to re-identify. This also includes the option of cooperating with third parties such as internet providers or authorities.

(nie)

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.