Case T-557/20: clarification of when pseudonymised data is considered personal data

On April 26, the General Court of the European Union issued a decision that clarifies situations in which pseudonymised data is to be considered personal data.

The decision was issued in a case between the Single Resolution Board (SRB) and the European Data Protection Supervisor (EDPS). EDPS had previously decided that SRB shared pseudonymised personal data in the form of comments from shareholders and creditors, as well as the corresponding alphanumeric code attributed to each participant, to Deliotte, without first having provided proper information to the individuals whose data was being shared. EDPS regarded the alphanumeric code as “additional information” that makes it possible to attribute the data, i.e. the comments, to each individual participant. SRB argued, on the other hand, that the data transferred was anonymised, as Deloitte did not have the possibility of tracing the identity of any participating party by using the code and, therefore, did not constitute personal data.

Based on the Court of Justice of the European Union’s ruling in Breyer (C-582/14) the General Court found that the assessment of whether the data held by a party constitutes personal data is an assessment of whether the data in itself constitutes personal data and, if it does not, whether additional information combined with the data would enable the person to be identified. Such additional information might come from another entity and, if it were possible to combine such additional information, such data that did not constitute personal data should be regarded as personal data. However, the court stated that:

“that would not have been the case if the identification of the data subject had been prohibited by law or had been practically impossible on account of the fact that it would have required a disproportionate effort in terms of time, cost and man-power, so that the risk of identification would have appeared in reality to be insignificant.”

Furthermore, our understanding of the General Court’s decision is that the assessment of whether the data constitutes personal data is a case-by-case assessment based on the data held by the recipient and the means, possibility and resources of the recipient to obtain the additional information. If the recipient does not have any possibility of obtaining such additional information or if this would require disproportionate effort in terms of time, cost and manpower, the data should not be regarded as pseudonymised personal data but rather as anonymised data.

The General Court stated that, since the EDPS only investigated whether SRB would be able to re-identify the personal data and did not investigate this from the perspective of Deloitte, the EDPS could not conclude that the information transmitted constituted personal data, i.e. information relating to an identifiable natural person (see Article 3(1) of the GDPR).

This judgment is, of course, of importance to a large variety of companies that transfer certain data to other companies. In cases where it was previously assessed that the data transferred constituted pseudonymised personal data, as the transferring company had the possibility to re-identify the data, such assessments should now be re-evaluated. What should be assessed is whether or not the company receiving the data is able to re-identify it. If the data is not regarded as personal data when being transferred outside the EU, there is, for example, no need to use Standard Contractual Clauses as a basis for the transfer.

In addition, the decision also shed light on the discussion on pseudonymisation and anonymisation. Previously, the threshold for when personal data should be regarded as anonymised was high. Essentially, it should have been anonymised to such a degree that no one could use it to identify a person. Based on the General Court’s decision, it is possible to argue that the threshold for anonymisation is lowered by the decision and that personal data may be regarded as anonymised if the entity processing the personal data cannot identify the individual to which the personal data relates.

The decision of the General Court can be appealed until 26 June 2023. Setterwalls will keep monitoring the matter and the relevant case.