CJEU tightens interpretation of pseudonymized personal data
September 10, 2025 | Max Atallah
When does personal data cease to be personal data? The Court of Justice of the European Union addressed this fundamental question in its recent EDPS v. SRB judgment (C-413/23 P). The case began when the Single Resolution Board (SRB) transferred 1104 written comments to the consulting firm Deloitte. These comments were from former shareholders and creditors of Banco Popular. They had submitted them during a hearing procedure concerning compensation matters.
The SRB had separated the comments from their authors' personal data by assigning each a 33-digit random code. Only the SRB had the key that could link the code to the person who submitted the comment. The SRB didn’t mention in its privacy statement that participants' comments would be transferred to Deloitte. Deloitte received the comments with their codes only, without the data key. This meant that the company could not identify the people who wrote the comments (paras 23–29).
The issue was whether the SRB needed to notify data subjects about the transfer in advance. The SRB argued that since Deloitte could not link the comments to individuals, they were not personal data from Deloitte's perspective. The European Data Protection Supervisor (EDPS) took the opposite view, that the data were pseudonymized personal data because the SRB kept the key to identifying individuals. In this article, we review the key points of the court’s decision and examine how it affects controllers who use pseudonymization.
Definition of personal data and the impact of pseudonymization
Article 3(1) of the EU institutions' data protection regulation (2018/1725) defines personal data as any information relating to an identified or identifiable natural person. The definition is identical to Article 4(1) of the EU General Data Protection Regulation (2016/679, GDPR). According to recital 5 of Regulation 2018/1725, whenever the provisions of this Regulation follow the same principles as the provisions of GDPR, those two sets of provisions should be interpreted homogeneously. The EDPS v. SRB decision is directly applicable to the interpretation of the GDPR.
Recital 16 of Regulation 2018/1725 and recital 26 of the GDPR clarify that data protection principles apply to any information concerning an identified or identifiable natural person. When assessing identifiability, all means that are reasonably likely to be used by the controller or another person to identify the person directly or indirectly must be considered. This assessment shall take into account all objective factors, such as the costs of identification, the time required, and available technology.
Pseudonymization means, according to GDPR Article 4(5), the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information. This additional information must be kept separately and subject to technical and organizational measures. Pseudonymized data remain personal data because they can be linked to a person using additional information. Pseudonymization thus differs from anonymization, where the connection to the person is permanently severed. Data protection principles should not apply to anonymous information, namely information that does not relate to an identified or identifiable natural person.
When data qualifies as personal data and transparency obligations
Although the 1995 Data Protection Directive (95/46/EC) already contained the concept of personal data, its meaning under the GDPR is broader than it was during the directive era. The WP29 data protection group had examined the directive's definition in its opinion 4/2007 through four key elements (any information, relating to, identified or identifiable, and natural person) and proposed that information relates to a person when at least one of three alternative factors is present: content, purpose, or result. These factors are not cumulative, and the same information can relate to different persons through different factors.
The Court finally confirmed this approach, stating that information relates to an identified or identifiable person if it is linked to that person by its content, purpose, or effect (para 55). However, the Court applied these criteria categorically to opinions. It stated that personal opinions and views are necessarily closely linked to their author because they express human thinking (para 58). This guideline was based on the so-called Nowak decision (C-434/16), where an examiner's annotations were considered personal data (para 59).
The issue in the case concerned whether the comments' legal nature changed due to pseudonymization. The SRB argued that, since Deloitte could not identify the comment authors, the data were not personal data for the company, and therefore the company did not need to be mentioned as a recipient in the privacy statement. However, the EDPS considered pseudonymized data to be personal data because the SRB possessed the data key to identify individuals.
The Court ruled that pseudonymization can affect whether data are considered personal under Article 3(1) of Regulation 2018/1725, provided that technical and organizational measures prevent the data from being attributed to the data subject (para 75). The data key in the SRB's possession meant that the comments were still personal in nature from the SRB's perspective (para 76). For Deloitte, the situation might be different if the implemented measures prevented the company from identifying data subjects (para 77). The concept of personal data is not unlimited but requires identifiability (para 88).
However, the decision made clear that the possible effect of pseudonymization on the nature of personal data does not extend to information obligations. The controller's obligation to inform the data subject about the recipients of the personal data is determined at the time of data collection and from the point of view of the controller, not according to the nature in which the data are later transferred to the recipient (para 111). This obligation does not disappear because the controller intends to later pseudonymize the data before transferring them to the recipient. Thus, the SRB should have mentioned Deloitte as a recipient in the privacy statement regardless of the data being pseudonymized before transfer (para 113).
Finally
The EDPS v. SRB decision confirms that the concept of personal data is not unlimited, but leaves many practical questions open. According to the Court, personal opinions are always personal data because they express their author's thinking. If all expressions of thinking are personal data, does this also apply to creations in virtual worlds, digital art, or works generated by using algorithms? On the other hand, pseudonymization may weaken the data subject's position when the recipient cannot identify them, thus preventing the data subject from exercising their rights.
This decision particularly affects existing data processing agreements where personal data processors pseudonymize controllers' data for their own business purposes and transfer it onward to subcontractors, analytics partners, or internal units within the group. In practice, controllers must know and document the entire processing chain because data subjects must be informed of all possible recipients at the time of data collection, even if the data will be pseudonymized later. Controllers now have a significant obligation to investigate their processors' subcontractor networks.
Additionally, the controller is responsible for proving that pseudonymization is effective. In principle, the processor's assurance that the subcontractor cannot identify data subjects is insufficient. The controller must assess whether technical and organizational measures prevent the recipient from linking data to data subjects, for example through cross-checking with other factors or other available data sources. Thus, responsibility for successful pseudonymization always remains with the controller, even if the processing activity itself is outsourced.
Our Associate Trainee Niko Hannolainen, CIPP/E took part in writing this article.
