Clifford Chance

Building on existing case law from the Court of Justice of the European Union (CJEU), a recent judgment from the General Court provides useful guidance as regards the concept of 'personal data' and provides comfort to organizations disclosing pseudonymized data to third-party recipients.

Pseudonymized data (being personal data that can no longer be attributed to a specific data subject without the use of additional information which is separately and securely held) may be personal data should there be 'reasonable means' or 'legal means' that enable the reidentification of the underlying data subjects. If re-identification is not possible using 'reasonable legal means', the pseudonymized data shall not be considered as 'personal data' under the EU data protection legislation. Historically, it was not entirely clear from whose perspective the re-identification must be assessed (i.e., the discloser or the recipient). This judgment clarifies that the re-identification must be seen from the perspective of the recipient of the pseudonymized data. The disclosure of data that was effectively pseudonymized to the recipient and further processing of such data by the latter are thus not be subject to the GDPR.

In practice, where possible, controllers disclosing personal data should consider: (i) implementing effective pseudonymisation measures prior to sharing such data with third-party recipients; and (ii) ensuring that the recipients have no reasonable legal means (including for example, by way of legal requests or third-party data sources) to access additional information that would allow the recipient to re-identify the individuals to whom the pseudonymized data relate.

Case overview and key findings

In this case opposing two European Union bodies, the General Court analyzed the concept of 'personal data' as defined by Regulation (EU) 2018/1725, which sets the legal framework for the protection of personal data processed by European Union institutions, bodies, offices and agencies (EUI GDPR). The definition of personal data under Article 3(1) of the EUI GDPR is identical to that provided under Article 4(1) of Regulation 2016/679 (GDPR). As a result, the findings of the General Court in this regard apply across to the concept of personal data under the GDPR.

The background of the case can be summarized as follows:

• A data controller (the Single Resolution Board, or SRB) disclosed data to a third-party consulting firm. This data was pseudonymized by the SRB prior to the disclosure.
• Several complaints were filed before the European Data Protection Supervisor (EDPS) by individuals regarding the disclosure of their (pseudonymized) data by the SRB to the third-party consulting firm. The EDPS found, in one original and one revised decision, that the SRB disclosed such data in violation of the EUI GDPR, on the grounds that (i) the pseudonymized data shared by SRB was personal data, notwithstanding the fact that the data that would allow a recipient to identify the complainants were not disclosed to the third-party consulting firm and, as a result, (ii) the SRB failed to provide the complainants with mandatory information regarding the recipients of their personal data in its privacy statement.
• The SRB sought the annulment of the EDPS decision before the General Court, arguing that the data transferred to the third-party consulting firm was not personal data within the meaning of the EUI GDPR, due to the pseudonymization process it applied to such data prior to disclosing it.

The General Court agreed with the SRB, and in doing so provided useful guidance on the concept of 'personal data'.

Pseudonymized or anonymized data

Following the CJEU's interpretation developed in the Breyer case  (CJEU, Patrick Breyer v Bundesrepublik Deutschland, 19 October 2016 (C-582/14)), the General Court holds that it is necessary to consider the data recipient's perspective in order to assess whether pseudonymized data disclosed to that recipient relates to 'identifiable persons' and thus constitutes personal data (para. 97).

To that end, the General Court recalls that it must be determined whether the recipient had reasonable means to combine the information that has been disclosed to it and which does not in itself allow the recipient to identify the data subject (in this case, because it has been pseudonymized prior to disclosure), with additional information to identify the data subject. In the Breyer case, the CJEU had found that if available means require a disproportionate effort in terms of time, costs and manpower, or if the identification of the data subject is prohibited by law, the risk of identification is insignificant and the pseudonymized data shall not be considered 'personal data'. As a result of this decision, the GDPR does not apply to the disclosure and further processing of such pseudonymized data by the recipient.

In the case of SRB, the General Court decided that, since the EDPS failed to evaluate whether the recipient (third-party consulting company) of the information had such 'reasonable means' or 'legal means' to re-identify individuals, it could not reasonably conclude that the pseudonymized data that was transferred constituted information relating to an ‘identifiable natural person’ and thus 'personal data'.

Personal views and opinions cannot be presumed to be personal data

In line with the CJEU's decision in the Nowak case (CJEU, Peter Nowak v Data Protection Commissioner, 20 December 2017 (C‑434/16)), the General Court reiterates that a personal view or opinion may constitute 'personal data' under the EU data protection legislation. However, that qualification cannot result from a presumption.

A view or opinion can only qualify as personal data if it can be 'linked' to an identified or identifiable individual, following a case-by-case assessment of the content, purpose or effect of that view or opinion (para. 73).

Conclusion

Being a ruling of the General Court, an appeal is possible before the CJEU. Regardless, this decision of the General Court provides helpful clarification for companies as to two fundamental concepts relating to personal data itself.