- The EGC confirms the relative approach: Whether transmitted pseudonymized data is personal depends on the understanding of the specific recipient (here Deloitte).
- Consequence: If the recipient does not have a reasonable means of identification, the obligation to provide information and many data protection restrictions (e.g. international transfers, obligation to process data) no longer apply.
The Court of Justice of the European Union (CFI), the former Court of First Instance, on April 26, 2023, issued a welcome and certainly substantively correct Decision related to the concept of personal data pleases
The background to this is the resolution of Banco Popular Español. In the corresponding proceedings, affected shareholders and creditors were able to submit claims to the “Single Resolution Board SRB”; the SRB is the authority of the European Banking Union responsible for resolution. The claims submitted were sent to Deloitte for assessment, with personal data pseudonymized.
In response to complaints from a number of Gläuber, the European Data Protection Supervisor (EDPS), the data protection authority responsible for the EU institutions, had found a breach of the obligation to inform under the GDPR because no information had been provided about the disclosure to Deloitte.
The ECJ takes a different view. It refers to the well-known Breyer case and subsequently states that Deloitte’s perspective had to be taken as a basis for determining the reference to persons:
What had to be examined, according to the Court, […] was whether the possibility of linking a dynamic IP address to the additional information held by the Internet access provider constituted a means which could reasonably be used to identify the person concerned […]. […] But it is also clear from the [Breyer] judgment that, for the purposes of determining whether the information provided to Deloitte was personal data, The understanding that Deloitte has of the in determining the question hadwhether the information provided to it relates to “identifiable individuals”.
With this The ECJ confirms the relative approach. This is not surprising, because this approach in Breyer (even if this does not necessarily mean that much is gained, because the standard for the identification effort was set very low there, i.e. even a quite theoretical identification possibility can be sufficient for a reference to a person).
Further, the ECJ is of the opinion that the situation here is that of Breyer is comparable:
Second, on the one hand, Deloitte’s situation can be compared to that of the online media service provider […] to the extent that it had information […] that was not information relating to an “identified natural person”, since it was not possible to directly identify the natural person from the alphanumeric code noted on each responsewho had filled in the questionnaire.
Accordingly, the disclosure of pseudonymous data to Deloitte did not constitute disclosure of personal data:
But how from [BreyerThe EDPS had to determine whether the possibility to combine the information provided to Deloitte with the additional information available to the SRB was a means that could reasonably be used by Deloitte to identify the authors of the comments. […] Thus, the EDPS […] could not conclude that the information provided to Deloitte relates to an “identifiable natural person” […].
Accordingly, the ECJ overturned the EDPS’s decision. – The considerations of the ECJ go beyond this case – not only because they confirm the relative approach, but also because they derive consequences from it. If the disclosure of pseudonymized data – for which the recipient cannot establish a personal reference – is not a disclosure of personal data, then not only does the Duty to inform. Also the restrictions on the Foreign announcement cannot then be applied. Accordingly, a physician who sends a blood sample with a barcode to a U.S. laboratory does not have to close the standard clauses or perform a transfer impact assessment. Also, a service provider who processes pseudonymized data, not an order processor, and no ADV needs to be concluded with him (even if purpose limitation and confidentiality should of course be agreed).
Under Swiss law, the analysis is no different. This follows on the one hand from the Logistep ruling of the Federal Supreme Courtwhich is correct in this respect, and on the other hand from a Judgment of the Commercial Court of Zurich.