The recent opinion of the Advocate General (AG) in the European Data Protection Supervisor (EDPS) v. Single Resolution Board (SRB) case sheds light on important considerations on the scope of personal data under the EU’s General Data Protection Regulation (GDPR). While it is important to note that this is an AG’s opinion and not a ruling by the EU Court of Justice (CJEU), historically the vast majority of AGs’ opinions have been reflected in the related CJEU decision. As a result, the opinion has already sparked discussions about the concepts of pseudonymised and anonymised data ahead of the CJEU’s awaited decision in this case.
Case overview
The SRB transferred consultation responses to Deloitte, where each response was linked to a unique alphanumeric code representing individual respondents. Deloitte did not have access to the database that could link those codes back to the individual respondents.
The EDPS, as the data protection regulator for the SRB, argued that the data could potentially be re-linked to individuals, which would make it personal data in the hands of Deloitte with all the resulting GDPR obligations attached. This follows the view of the European Data Protection Board (EDPB), including in its recent guidance on pseudonymisation (see our blog), which provides that data is personal data in the hands of the recipient of that data if the provider has the ability to re-identify it. This is in line with interpretations in previous CJEU rulings such as Breyer, Scania and IAB Europe.
AG’s proposed risk-based approach
The AG has however taken a stance that challenges this interpretation, following a line of reasoning that is more akin to the interpretation of the UK Information Commissioner’s Office (ICO).
The AG stated that pseudonymised data would not amount to personal data if the risk of identifying individuals is “non-existent or insignificant”. The AG argues that it would be disproportionate to impose GDPR obligations on entities that cannot reasonably identify data subjects, emphasising that to do so would result in the need for them to attempt to identify the data subjects.
Transparency obligations
The AG reinforced the need to comply with GDPR transparency obligations if the data is not anonymised in the relevant controller’s hands. The AG therefore concludes that the SRB needed to notify data subjects of the transfer of their data to Deloitte, given that it was personal data in the SRB’s hands, even though he considered it anonymous in Deloitte’s hands.
The AG’s opinion does not, however, shed any light on whether controllers must name the individual organisations to which they might transfer personal data in their privacy notice, which is an open question following the Harrison v Cameron case (see our newsletter) and the Austrian Post case (see our newsletter). In these cases, the UK High Court and the CJEU respectively ruled that a specific list of recipients must be provided if requested by the data subject in the context of a data subject access request. However, it was not clear whether, by analogy, this should also apply to the requirements for privacy notices. Whilst some might hope that the CJEU decision in this EDPS v SRB case clarifies this question, we should be careful what we wish for. If the CJEU concludes that this is indeed required, the need to provide such a list would create practical issues for organisations. We may therefore be better off hoping that the CJEU does not comment on this aspect, so that we retain this uncertainty and, with it, flexibility.
Alignment with UK approach
As noted, the AG’s opinion takes a similar line to the ICO in its anonymisation guidance. Updated guidance on anonymisation from the ICO has been promised this year, but we do not foresee a change from the ICO on this aspect, particularly given the UK growth agenda and promotion of innovation.
This more nuanced, context-driven approach put forward by the AG also aligns with the First-tier Tribunal’s decision in DSG v Information Commissioner, which stated that the classification of data as personal data depends on the context in which it is held and processed. The Tribunal in that case ruled that a 16-digit payment card number (PAN) qualified as personal data in the hands of DSG, which had other data to link the PAN to an individual, but that the ICO had not, and should have, considered the risk of re-identification in practice by unspecified third parties (given this was in the context of a data breach).
Outlook
If the Court follows the AG’s opinion, this will reduce the compliance burden on EU businesses receiving pseudonymised data and would be a positive step in deregulation. However, those transferring the pseudonymised data will still need to comply with their GDPR obligations, since it is personal data in their hands, and will need to keep a close eye on what, if anything, the CJEU says in this regard. The CJEU’s decision is expected before the summer.