In April 2023 the CJEU issued an important ruling. In SRB v EDPS (Case T-557/20) which has bearing on one of the important questions DPOs face all the time: if data are pseudonymized, such that only the original controller can reidentify the data subjects; does the receiving party treat that data as anonymous or as pseudonymous? Is that personal data at all?
The applicant SRB accepted the case law that there are two conditions to be assessed concerning the risk of re-identification where the information required for reidentification is held by several parties. First: the holder of the pseudonymized data does not itself have the reidentification key; second, there is no lawful means for the holder of the pseudonymized data to obtain the re-identification key.
The court accepted this argument, and this ruling appears to accept the position of Mourby et al and other academics who’ve long argued that several regulators have misunderstood prior law (notably Breyer), and that if a party holds pseudonymized data but neither has the reidentification key nor has a lawful way of obtaining it, then in their possession that data is to be treated as anonymized.
So when holding pseudonymized data conduct an assessment as to whether it is pseudonymized to the extent that it cannot be reidentified without the key in question, and confirm that there is no lawful way to obtain that key. In those circumstances, it ought to be defensible to treat that as anonymized data. Note that that doesn’t mean that data protection laws don’t apply at all. There could be revelations made, for example, by the holder of pseudonymized data, that would be identifiable to the holder of the key, and would in fact be a revelation of personal data to them. For example, if party A has clinical data, and passes it on in pseudonymized form to party B. Party B has no way of identifying the data and no lawful way of obtaining the key; party B can treat that as anonymized. However, if party B would announce that serial number 1729 has a given disease, that may be a revelation to party A, though no-one else in the world would be able to identify who that is.
In short, continue to be cautious with pseudonymized data, but be aware that there are circumstances in which it need not be treated as personal data.
* * * * *
Reminder: this isn't legal advice. To subscribe, click here.
Photo credit: Mike Kononov on Unsplash.
Sources:
https://curia.europa.eu/juris/document/document.jsf;jsessionid=0FBB733D8DC846BDC344FA051037EDC8?text=&docid=272910&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=13922661
Miranda Mourby, Elaine Mackey, Mark Elliot, Heather Gowans, Susan E. Wallace, Jessica Bell, Hannah Smith, Stergios Aidinlis, Jane Kaye, ‘Are ‘pseudonymised’ data always personal data? Implications of the GDPR for administrative data research in the UK’, Computer Law & Security Review, vol.34(2) (2018) pp. 222-233.
Groos, D., & van Veen, E. ‘Anonymised Data and the Rule of Law’, European Data Protection Law Review, Volume 6, Issue 4 (2020), pp. 498 – 50.