knowledge 14 February 2025 |

Advocate General’s Opinion Signals a Pragmatic Approach to Pseudonymisation

On 6 February 2025, Advocate General Spielmann delivered his opinion in European Data Protection Supervisor v. Single Resolution Board¹.  The opinion considers whether pseudonymised data is personal data in the hands of a third-party recipient who doesn’t have the additional information to re-identify the individuals, and does not have the legal means to access that additional information.  The opinion helpfully takes the view that such pseudonymised data should not automatically be considered personal data in the hands of the third-party recipient if the risk of re-identification is “non-existent or insignificant”.

Background

In 2017, the Single Resolution Board of the EU (“SRB”) put the Spanish bank, Banco Popular Español SA (“BP”), under resolution and it transferred BP’s shares and capital instruments to Santander as part of a rescue package. Deloitte was subsequently appointed to consider whether BP’s shareholders and creditors would have received better treatment if BP had entered into normal insolvency proceedings, rather than being placed in a resolution scheme.

SRB invited shareholders and creditors to express their interest in exercising their right to be heard, using an online registration form. As part of the registration phase, SRB had to verify whether those who had expressed their interest were in fact an affected shareholder or creditor and they were asked to provide proof of identify and supporting documentation showing that, on the resolution date, they owned capital instruments in BP. Those eligible to participate moved to the consultation phase and were sent an online form in which they could provide written comments and responses about the resolution scheme. Deloitte was subsequently sent some of the comments collected during the consultation phase and these bore an alphanumeric code to enable SRB to verify that each comment had been considered and addressed. On account of the alphanumeric code, only SRB could link the comments to the registration data. Importantly, Deloitte was not given access to the database of data collected during the registration phase.

Five complaints were made by shareholders and creditors to the European Data Protection Supervisor (“EDPS”) complaining that SRB’s Privacy Statement did not inform them that their comments and responses would be shared with Deloitte. Having considered the complaints, the EDPS issued a decision in June 2020 which found that the SRB had infringed its transparency obligations as its Privacy Statement failed to inform the complainants that their personal data would be disclosed to Deloitte. In July 2020, the SRB asked the EDPS to reexamine its decision as it disagreed that the data shared with Deloitte constituted personal data. In November 2020, the EDPS adopted a revised decision which found that the data shared with Deloitte constituted pseudonymous data as the comments collected during the consultation phase was personal data and Deloitte had also been given the alphanumeric code that could be used to link the comments to the registration data (albeit Deloitte did not have access to the registration data).

General Court

SRB requested that the General Court annul the EDPS’ revised decision on the basis that the data shared with Deloitte was not personal data, but anonymous data. The General Court found in favour of the SRB and annulled the EDPS’ decision².

Pseudonymous data in the hands of the data recipient

The General Court stated that, in accordance with the Breyer case³, the determination of whether pseudonymised data transmitted to Deloitte constituted personal data requires one to consider this from Deloitte’s perspective, as the data recipient. The General Court noted that the EDPS had merely examined whether it was possible to re-identify the authors of the comments from the SRB’s perspective and not from the perspective of Deloitte. The General Court stated that the EDPS did not investigate whether Deloitte had the legal means available to it which could in practice enable it to access the additional information necessary to re-identify the authors behind the comments. Without this investigation, the General Court held that the EDPS could not have concluded that the information transmitted to Deloitte constituted information relating to an ‘identifiable natural person’.

AG’s Opinion

The EDPS, with the support of the European Data Protection Board (EDPB), appealed the General Court’s judgment to the Court of Justice of the European Union (CJEU) and sought to have it set aside. One of the grounds of appeal was that the General Court had erred on the concept of pseudonymisation. In particular, the EDPS (with the EDPB’s support) argued that the General Court allowed pseudonymised data to be regarded as anonymised data for the recipient (even though the data subjects remain identifiable since the information enabling them to be identified continues to exist), which poses a risk to the protection of data subjects and creates confusion between pseudonymisation and anonymisation.

On 6 February, Advocate General Spielmann delivered his opinion in which he considered whether pseudonymised data should be considered personal data automatically on the sole ground that the data subjects remain identifiable (regardless of the accessibility of the additional identification data to the recipient of the pseudonymised data) or should it only be considered personal data for those who can reasonably identify the data subjects.

The Advocate General opined that the interpretation of ‘identifiability’ in caselaw has focused on the risk of re-identification of the data subjects and that the court has consistently classified as ‘personal data’ data which, although disassociated from the identification data held by someone else, could in that situation give rise to a risk of re-identification. The AG stated that “it is only where the risk of identification is non-existent or insignificant that data can legally escape classification as ‘personal data’”. The AG disagreed with the EDPS’ conclusion that pseudonymised data transmitted to Deloitte was automatically personal data when processed by Deloitte. In this regard, he considered that it was necessary for the EDPS to have determined whether the pseudonymisation was sufficiently robust to conclude that the complainants, being the author of the comments transmitted to Deloitte, were not reasonably identifiable. It was only where Deloitte had reasonable means to identify those complainants, that it could be considered to be processing personal data.

Conclusion

Before delivering judgment in the appeal, the CJEU will consider the AG’s opinion. The AG’s opinion is not binding on the CJEU, but historically the CJEU has tended to follow it.  Should the CJEU follow the AG’s opinion, it will be welcomed as a pragmatic and commonsense interpretation of the effect of pseudonymisation when sharing data sets with third parties.

In those circumstances, the CJEU will effectively be finding that where the data recipient of pseudonymised data does not have the additional information to re-identify the individuals and does not have the legal means to access that additional information, the data will be effectively considered to be anonymous in their hands, regardless of the fact that the data transmitter may have the re-identification means.

Contact us

For more information, please get in touch with one of the key contacts below, or your usual contact at McCann FitzGerald.