Privacy Daily is a service of Warren Communications News.
'Relative Approach'

Pseudonymized Data Isn't Always Personal Info, EU High Court Says in Landmark Ruling

In what one data protection authority called a "milestone," the European Court of Justice (ECJ) held Thursday that pseudonymized data doesn't always have to be considered personal data under rules governing personal data protection.

Instead, the ECJ said, pseudonymization may, depending on the circumstances, "effectively prevent persons other than the data controller from identifying the data subject in such a way that, for them, the data subject is not or is no longer identifiable."

The high court also held that, for purposes of complying with the requirement to provide information under the regulation, "the identifiable nature of the data subject must be assessed at the time of collection of the data and from the point of view of the controller."

The "appropriate decision ... sets another milestone in a highly controversial legal issue," said the Hamburg Data Protection Authority.

The court "takes a pragmatic stance: narrower definition of personal data" under the General Data Protection Regulation, privacy and compliance expert Frank Schemmel posted. The "significant ruling" emphasizes that data should only be classed as personal when the controller or processor can reasonably identify an individual, he said.

This "relative approach" focuses on obligations where risks are real and tangible, he added.

In practice, the decision means reduced compliance burdens, a stronger emphasis on context and proportionality, and more flexibility for innovation, analytics and data-driven projects, he said.

The case (C-413/23 P, EDPS v SRB) involved the definition of personal data in the context of the transfer of pseudonymized data to third parties.

The Single Resolution Board (SRB) of Banco Popular Español in 2017 made a preliminary decision on whether it was necessary to grant compensation to former shareholders and creditors, the EU court noted. Since the resolution was adopted without hearing from those people, the SRB organized a process to allow them to submit comments.

It then transferred some of the comments, in the form of pseudonymized data, to professional services firm Deloitte, which the board tasked with assessing the effects of the resolution procedure on shareholders and creditors.

Several affected shareholders and creditors complained to the European Data Protection Supervisor (EDPS) that the SRB had failed to tell them that data relating to them would be shared with Deloitte, a third party.

The EDPS found that the SRB had breached its obligation to provide information required by the EU regulation governing data protection by EU bodies (Regulation 2018/1725). The EU General Court annulled the EDPS' decision.

The EDPS appealed, and the ECJ set aside the General Court's judgment and sent the case back to it.