The CJEU eases compliance burden - Pseudonymized data is not necessarily subject to the GDPR.

The Court of Justice of the European Union (“CJEU”) recently addressed this question in a significant ruling on April 26, 2023, in the case of Single Resolution Board (“SRB”), T 557/20, ECLI:EU:T:2023:219, thereby providing further clarification. The aspect that we find particularly intriguing is the CJEU’s assessment of under what circumstances a natural person should be considered “identifiable”.

To better understand this legal issue, it is important to first keep recital 26 of the GDPR in mind. It reads as follows:

” […]
Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person. To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly […].”

The relevant facts of the case can be summarised as follows: SRB, a data controller, had requested several individuals to take part in a survey. After receiving the responses, SRB removed the personal identifiers of the participants by replacing them with a unique alphanumeric code. This code, composed of a 33-digit globally unique identifier, was generated randomly at the time the survey responses were received. The de-identified responses were subsequently shared with a third party for an unbiased evaluation. However, SRB maintained a database that contained the necessary information to re-establish the identity of each participant based on their alphanumeric code. Neither the third-party evaluator, nor anyone else, had access to SRB’s identification database.

SRB argued that data are rendered anonymous for a third party even if the information allowing re-identification is not irrevocably eliminated and resides with the original processor. As long as the form in which the data are shared with that third party does not allow re-identification by that party or where re-identification is not reasonably likely by that party, the data should be considered anonymous.

The opposing party, a supervisory authority (“SA”), contested that “pseudonymized” data remains personal data even when transferred to a third party that does not have access to the additional information necessary to identify the natural persons it relates to. In effect, it argued that unless such necessary additional information is irrevocably eliminated, it is not necessary to determine whether re-identification is reasonably likely by a third party.

The CJEU noted that the SA had merely examined whether it was possible to re-identify the authors of the survey responses from SRB’s perspective, and not from third-party evaluator’s perspective. Ultimately, it found that the SA could not conclude that the transferred survey responses constituted personal data, without investigating whether the third-party evaluator had legal means available to it which could in practice enable it to access the additional information necessary to re-identify the authors of the survey responses.

In our view, the opinion of the CJEU provides clarity regarding how pseudonymized data should be regarded under the GDPR. In contrast to the wording of recital 26 mentioned above, the CJEU highlights the importance of assessing the likelihood of re-identification by third parties who receive pseudonymized data but lack immediate access to the additional information required for re-identification. As a result, the CJEU’s opinion offers a more relaxed regulatory compliance burden for organisations involved in processing pseudonymized data. It promotes a balanced approach to data protection, finding a middle ground that respects individuals’ privacy rights while enabling data processing activities within the EU.