Introduction
On the 26th of April 2023, the General Court of the CJEU in Case T-557/20, SRB v EDPS confirmed that the information shared in pseudonymised format could be considered anonymised, therefore not personal data for the purposes of EU data protection law, if the recipient cannot access the additional information necessary to re-identify the data subjects. The same approach has been applied previously on the 19th of October 2016 in Breyer, C-582/14, EU: C:2016:779, although with a different outcome, and is also aligned with the ICO position.
In Breyer, the court recognized that a dynamic IP address registered by an online media service provider when a person accesses a website constitutes personal data within the meaning of Article 2(a) of Directive 95/46 to that provider, where the latter has the legal means to identify the data subject with additional data which the internet service provider has about that person.
Moreover, SRB v EDPS also illustrates the difference of interpretation between central authorities. This case opposes the Single Resolution Board (SRB), which is the central authority for the Banking Union, to the European Data Protection Supervisor (EDPS), which ensures that EU institutions comply with data protection laws. The EU General Court annulled the EDPS decision.
Background
The bank, Banco Popular, suffered a liquidity crisis, following which it was assessed by the European Central Bank. The group was found ‘failing or likely to fail’ and the SRB put it under a resolution scheme to prevent further instability in the financial system as it was a major bank in Spain.
The SRB also decided that no compensation was due to shareholders and creditors affected. As part of this decision process, the SRB collected the comments of shareholders (+2,800) and shared them with a valuer – Deloitte – to analyse them.
The case involves the information provided by the shareholders and creditors of Banco Popular to the SRB to launch the right to be heard process regarding the resolution actions concerning Banco Popular. To verify their eligibility, the parties had to register themselves by providing SRB with supporting documentation, including proof of identity and proof of ownership of one of the capital instruments. After confirming their eligibility, the parties submitted their comments on the preliminary decision; the SRB examined the relevant comments from affected shareholders and creditors and asked Deloitte, as a party to undertake an independent valuation, to analyse the relevant comments.
Before transferring the comments, the SRB followed various steps:
- Automatic filtering (more than 20k comments)
- Review to assess relevant and categorise (this is where the pseudonymisation process happened)
The analysis of the comments was conducted by a limited number of SRB staff who only received comments, separated from the shareholders’ personal information and identified by reference to an alphanumeric code.
- Transfer of 1k comments to the valuer
Deloitte only received the information from the consultation phase with an alphanumeric code, which means that the company had no access to the database of data collected during the registration phase, but only specific staff within the SRB could link the comments back to individual shareholders.
The Case
In October and December 2019, the affected shareholders and creditors who had responded to the consultation submitted five complaints to the European Data Protection Supervisor (EDPS) alleging that the SRB had failed to inform them that the data collected through their responses would be transmitted to third parties. The SRB shared data with Deloitte for the valuation process and Banco Santander that ultimately bought Banco Popular, in breach of the terms of the privacy statement, therefore infringing Article 15(1)(d) of Regulation 2018/1725.
EDPS found that SRB had infringed Article 15 of Regulation 2018/1725 because it had failed to inform the complainants in its privacy statement that their personal data might be disclosed to Deloitte. The EDPBS considered that SRB shared with Deloitte pseudonymous data.
SRB relies on two pleas in law in support of its action. For this article, we focus on the first one, which relates to the infringement of Article 3(1) of Regulation 2018/1725, and whether the information transmitted to Deloitte constitutes personal data.
According to Article 3(1), information only constitutes personal data if two cumulative conditions are met: first, that information ‘relates’ to a natural person and, second, that that person is ‘identified or identifiable’.
Regarding the first condition, the EDPS concluded that the information transmitted to Deloitte ‘related’ to a natural person within the meaning of the article mentioned above, considering that the responses received during the consultation phase constituted personal data of the complainants, as they contained their personal views and were thus information relating to them.
However, the General Court decided that, although it cannot be ruled out that personal views or opinions may constitute personal data, it is apparent from the judgment of the 20th of December 2017, Nowak (C-434/16, EU:C:207:994), that such a conclusion cannot be based on a presumption, but must be based on the examination of whether, by its content, purpose or effect, a view is linked to a particular person. Therefore, since the EDPS did not conduct such an examination, it could not conclude that the information transmitted to Deloitte constitutes information ‘relating’ to a natural person.
As for the second condition, according to EDPS, SRB had shared pseudonymous data with Deloitte both because the comments received during the consultation phase were personal data and because the SRB shared the alphanumeric code that allowed the responses given in the registration phase to be linked with the ones given in the consultation phase. Therefore, for the EDPS, the fact that the SRB held additional information enabling the authors of the comments to be re-identified was sufficient to conclude that the information transmitted to Deloitte was personal data, although the key to link back the pseudonym to the individual data subject had not been shared with Deloitte.
However, as recognised by the General Court, it is not disputed that the alphanumeric code transmitted to Deloitte did not in itself allow the authors of the comments to be identified and, second, that Deloitte did not have access to the identification data received during the registration phase that would have allowed the participants to be linked to their comments through the alphanumeric code.
Following the judgment of the 19th of October 2016 Breyer (C-582/14, EU:C:2016:779), to determine whether the information transmitted to Deloitte constituted personal data, it is necessary to put oneself in Deloitte’s position to determine whether the information shared with it relates to ‘identifiable persons’.
Accordingly, while Deloitte held the comments, which did not constitute information relating to an ‘identified natural person’, considering the alphanumeric code appearing on each response did not make it possible directly to reveal the identity of the natural person who filled in the form, SRB alone held additional information enabling the affected shareholders and creditors who responded on the form to be identified.
Therefore, since the EDPS did not investigate whether Deloitte had legal means available to it which could enable it to access the additional information necessary to re-identify the authors of the comments, the EDPS could not conclude that the data transmitted to Deloitte constituted information relating to an ‘identifiable natural person’ within the meaning of Article 3(1) of Regulation 2018/1725. [2]
Although the EDPS can still appeal this ruling to the Court of Justice of the European Union, that decision clarifies the classification of personal opinions in the context of pseudonymised data and the identifiability of data when shared with a third party, in alignment with the ICO guidance on anonymisation and pseudonymisation published in 2021/2022, according to which the status of data can change depending on who holds the key to re-identification.
The ICO’s position
The ICO notes that “The same information can be personal data to one organisation, but anonymous data in the hands of another […] You need to take into account all the means reasonably likely to be used, by yourself or a third party, to identify an individual[…] This will determine whether the data is anonymous information. We refer to this as the ‘reasonably likely’ test.” [3]
In that regard, the ICO recognises that pseudonymous data might no longer be identifiable in the hands of a third party who does not have access to the key. Nevertheless, as observed in the addressed decision, that is not an automatic assumption, but it depends on several factors, such as the ability of the recipient to use other information to enable identification, the likelihood of identifiability, and the techniques and controls placed around the data once in the recipient’s hands.
References:
[1] Case T-557/20 SRB v EDPS [2023], ECLI:EU:T:2023:219 CURIA – Documents (europa.eu)
[2] Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (Text with EEA relevance.)
[3] Information Commissioner’s Office. Chapter 1: introduction to anonymisation [Draft anonymisation, pseudonymisation and privacy enhancing technologies guidance] [Internet]. 2021 [cited 02 June 2023]. Available from: https://ico.org.uk/media/aboutthe-ico/consultations/2619862/anonymisation-intro-and-first-chapter.pdf
[4] Information Commissioner’s Office. Chapter 3: pseudonymisation [Draft anonymisation, pseudonymisation and privacy enhancing technologies guidance] [Internet]. 2022 [cited 02 June 2023]. Available from: https://ico.org.uk/media/about-the-ico/consultations/4019579/chapter-3-anonymisation-guidance.pdf