Analysis: The art of staying anonymous — a game-changing decision for data anonymisation
William Fry partner Leo Moore and senior associate Rachel Hayes consider a recent European judgment with significance for data anonymisation.
A recent decision of the European General Court has shifted the goalposts for data anonymisation.
In Single Resolution Board (SRB) v European Data Protection Supervisor (EDPS) (Case T-557/20), the General Court held that:
- pseudonymised data will be considered anonymised data if the holder of such data has no means to (re-) identify the individuals about whom such data relates; and
- personal views or opinions cannot, by default, be presumed to constitute personal data.
The decision is under appeal to the Court of Justice of the EU (CJEU). If upheld, the decision’s impact will mean that the General Data Protection Regulation (GDPR) will not apply to any personal data transferred where the recipient has no legal means to identify individuals from the data.
The decision will be a game-changer for businesses sharing data by marking a departure from the high bar of data anonymisation established in previous CJEU case law (Case C-582/14 Breyer — see here). It also unlocks the potential for easier management of day-to-day data protection governance and sets the tone for the implementation of key pieces of legislation currently being introduced under the EU’s Digital Strategy. These include the AI Act, Data Act and Data Governance Act (each of which fosters the sharing of personal and non-personal data).
SRB v EDPS case background
SRB, as part of a resolution scheme, conducted a survey with its creditors and shareholders as part of a right-to-be-heard procedure. SRB subsequently pseudonymised a portion of the names and survey comments about these individuals for sharing with an external consultancy firm, Deloitte. SRB pseudonymised the data by replacing the name of each individual with an alphanumeric code. SRB maintained the original data set. At no stage could Deloitte identify any data subject (e.g. decode the names). Identification was only possible by SRB.
The data subjects made a complaint to the EDPS about the data sharing by SRB stating that they had not been informed about it. They alleged that SRB had infringed EU Regulation 2018/1725, which applies to EU institutions and bodies. This legislation is substantially like the GDPR. The EDPS ruled in favour of the data subjects finding that SRB had shared pseudonymised data and therefore personal data rather than anonymised data, with Deloitte, without informing the individuals.
SRB referred the case to the General Court requesting an annulment of the EDPS decision on the basis that the data shared with Deloitte were not personal data but anonymised data. It relied on the fact that Deloitte did not hold a decoding key to the alphanumeric codes, meaning it had no legal means to identify the data subjects from the data set provided to them by SRB.
General Court decision
Issue 1 – whether Deloitte, as data holder of the data set it received from SRB, processed pseudonymised or anonymised data
The General Court looked to the Breyer decision and stated:
it is…apparent… that, in order to determine whether the information transmitted to Deloitte constituted personal data, it is necessary to put oneself in Deloitte’s position in order to determine whether the information transmitted relates to ‘identifiable persons’ [para. 97] (emphasis added).
The General Court focused on the fact that Deloitte only processed an alphanumeric code appearing on each response, which did not make it possible to identify each author who completed the survey. It held that the EDPS was “incorrect” to only assess the perspective of SRB in holding that the data were pseudonymised because they were re-identifiable to SRB. The General Court further held that the EDPS should have considered Deloitte’s perspective and whether it had the legal means to identify the individuals (as the authors of the survey comments).
The General Court ruled in favour of SRB on the ground that it was impossible for Deloitte to identify any individual from the data set, finding that the risk of re-identification was low (applying Breyer). The General Court did not set out any criteria for data to be considered anonymous.
Issue 2 – whether views or opinions are always personal data
The General Court looked at the Nowak decision (Case C-434/16) to determine if the information in the survey comments related to identified or identifiable individuals such that it constituted personal data. It reiterated that whether information constitutes personal data is based on a case-by-case “examination of whether, by its content, purpose or effect, a view is linked to a particular person”.
The General Court held that the EDPS failed to conduct such an examination. Therefore, it could not be concluded that the data shared by SRB with Deloitte could constitute personal data.
Business impact for processing personal data
This decision potentially shifts the goalposts for businesses in the context of data anonymisation. If upheld by the CJEU, the decision makes clear that if a data holder has no legal or technical means to identify individuals from a particular data set, then it will be considered anonymised data. Anonymised data is not considered personal data and GDPR will not apply to the data in question in that specific scenario.
Courts will need to consider the perspective of the data holder (as a data recipient) and not simply whether it is personal data from the perspective of the controller. This decision may encourage EU regulators to embrace a broader approach to data anonymisation (which, to date, has been a significantly high bar to meet). As noted above, the General Court did not provide any detail about the threshold for “identifiability”, so the definitions of anonymisation and pseudonymisation are open to further judicial or legislative interpretation. The decision is a welcome logical approach to the application of GDPR and what should be considered personal data, pseudonymised data and anonymised data.
The decision, if upheld, will have practical implications for day-to-day data protection governance. For example, in the context of due diligence, sharing data as part of product integration (e.g. APIs). It will also extend to data subject access requests. Simply because a document is labelled as a “personal view or opinion” does not automatically mean it contains personal data concerning an individual. An objective and subjective assessment of the document remains necessary.