Privacy Daily is a service of Warren Communications News.
Adds 'Urgency to the Debate'

ECJ Ruling on Pseudonymized Data Could End Regulatory Confusion, Attorney Says

The European Court of Justice (ECJ) decision last month on the meaning of pseudonymized data has sparked a wave of legal comment because DPAs are split over how possible it is for third parties to retrieve personal information from such data, Hogan Lovells privacy lawyer Etienne Drouard said in an interview.

A balance hasn't yet been found at the EU level between when regulators will consider it impossible or possible for a third party to retrieve personal data from a piece of pseudonymized information using reasonable means, Drouard said. "The question of what is reasonable to anticipate is still dividing regulators."

Privacy watchdogs "punch the party they have in front of them" without considering the various data processing responsibilities along a data processing chain, Drouard said. "National regulators always forget to split responsibilities."

The case (C-413/23 P, EDPS v. SRB) dealt with the definition of personal data in the context of pseudonymized data being transferred to third parties (see 2509040029). Several shareholders and creditors of Banco Popular Espanol complained to the European Data Protection Supervisor (EDPS) when their pseudonymized data was shared with Deloitte.

The EDPS found that the bank, the primary collector of personal data, had breached its transparency obligations under the regulation that governs data protection by EU bodies. The ECJ reversed that decision Sept. 4.

However, the ECJ's decision clarified that the primary collector of personal data (the bank) that transfers it to a third party (Deloitte) is subject to a high transparency bar even if that third party can't reidentify people, Drouard said. Conversely, the level of obligation for parties receiving the personal data is quite low.

The impact of the judgment "is potentially broad" because businesses will now have to determine whether pseudonymized datasets constitute personal data for them, Potomac Law privacy attorney Axel Spies emailed us Monday.

The debate isn't new: The 2016 ECJ Breyer decision found that dynamic IP addresses can constitute personal data even if a website owner lacks the details to identify the website user. "There is now more urgency to the debate" thanks to the ECJ, Spies added.

The latest ECJ decision offers more clarity than the U.K. ICO's guidance on transparency of data transfers, Osborne Clarke attorney Marian Alexander Arning wrote in an Oct. 1 analysis.

The ICO guidance states that if the recipient doesn't have and isn't given the means to reidentify individuals, and it's not reasonably likely that they could obtain such means, the data may be considered effectively anonymized in the hands of the recipient. However, Arning added, that doesn't explicitly deal with whether transparency rules apply to the pseudonymized data.

The ruling gives more legal certainty for sharing and using pseudonymized datasets, Arning wrote. In practice, "this can unlock new use cases: recipients may aggregate, evaluate and analyze such data without triggering the GDPR obligations that apply to personal data."

Drouard noted other takeaways from the decision regarding data collectors versus data recipients. GDPR Article 14 states that when data is collected indirectly -- not from a data subject but from a third party -- the subject should be informed of that collection, unless doing so would be disproportionate, he said. That's a good analysis of the split of responsibilities between a primary data collector and those in the chain who receive the data, he said.

The decision removes some obligations on indirect collectors of personal data, Drouard said. Instead, it increases GDPR compliance pressure on the primary information collector, who's "almost in charge of knowing the future" about how other parties will use the data.

The ruling touches any sector where there's a chain of processing operations, and it clarifies what a chain means, said Drouard. "This is the end of regulators making confusion between primary collectors and secondary recipients."