ECJ, Case T‑557/20: Rela­ti­ve approach con­firm­ed, dis­clo­sure of pseud­ony­mous data the­r­e­fo­re not dis­clo­sure of per­so­nal data

The Court of Justi­ce of the Euro­pean Uni­on (CFI), the for­mer Court of First Instance, on April 26, 2023, issued a wel­co­me and cer­tain­ly sub­stan­tively cor­rect Decis­i­on rela­ted to the con­cept of per­so­nal data pleases

The back­ground to this is the reso­lu­ti­on of Ban­co Popu­lar Espa­ñol. In the cor­re­spon­ding pro­ce­e­dings, affec­ted share­hol­ders and cre­di­tors were able to sub­mit claims to the “Sin­gle Reso­lu­ti­on Board SRB”; the SRB is the aut­ho­ri­ty of the Euro­pean Ban­king Uni­on respon­si­ble for reso­lu­ti­on. The claims sub­mit­ted were sent to Deloit­te for assess­ment, with per­so­nal data pseudonymized.

In respon­se to com­plaints from a num­ber of Gläu­ber, the Euro­pean Data Pro­tec­tion Super­vi­sor (EDPS), the data pro­tec­tion aut­ho­ri­ty respon­si­ble for the EU insti­tu­ti­ons, had found a breach of the obli­ga­ti­on to inform under the GDPR becau­se no infor­ma­ti­on had been pro­vi­ded about the dis­clo­sure to Deloitte.

The ECJ takes a dif­fe­rent view. It refers to the well-known Brey­er case and sub­se­quent­ly sta­tes that Deloitte’s per­spec­ti­ve had to be taken as a basis for deter­mi­ning the refe­rence to persons:

What had to be exami­ned, accor­ding to the Court, […] was whe­ther the pos­si­bi­li­ty of lin­king a dyna­mic IP address to the addi­tio­nal infor­ma­ti­on held by the Inter­net access pro­vi­der con­sti­tu­ted a means which could rea­son­ab­ly be used to iden­ti­fy the per­son con­cer­ned […]. […] But it is also clear from the [Brey­er] judgment that, for the pur­po­ses of deter­mi­ning whe­ther the infor­ma­ti­on pro­vi­ded to Deloit­te was per­so­nal data, The under­stan­ding that Deloit­te has of the in deter­mi­ning the que­sti­on hadwhe­ther the infor­ma­ti­on pro­vi­ded to it rela­tes to “iden­ti­fia­ble individuals”.

With this The ECJ con­firms the rela­ti­ve approach. This is not sur­pri­sing, becau­se this approach in Brey­er (even if this does not neces­s­a­ri­ly mean that much is gai­ned, becau­se the stan­dard for the iden­ti­fi­ca­ti­on effort was set very low the­re, i.e. even a quite theo­re­ti­cal iden­ti­fi­ca­ti­on pos­si­bi­li­ty can be suf­fi­ci­ent for a refe­rence to a person).

Fur­ther, the ECJ is of the opi­ni­on that the situa­ti­on here is that of Brey­er is com­pa­ra­ble:

Second, on the one hand, Deloitte’s situa­ti­on can be com­pared to that of the online media ser­vice pro­vi­der […] to the ext­ent that it had infor­ma­ti­on […] that was not infor­ma­ti­on rela­ting to an “iden­ti­fi­ed natu­ral per­son”, sin­ce it was not pos­si­ble to direct­ly iden­ti­fy the natu­ral per­son from the alpha­nu­me­ric code noted on each respon­sewho had fil­led in the questionnaire.

Accor­din­gly, the dis­clo­sure of pseud­ony­mous data to Deloit­te did not con­sti­tu­te dis­clo­sure of per­so­nal data:

But how from [Brey­erThe EDPS had to deter­mi­ne whe­ther the pos­si­bi­li­ty to com­bi­ne the infor­ma­ti­on pro­vi­ded to Deloit­te with the addi­tio­nal infor­ma­ti­on available to the SRB was a means that could rea­son­ab­ly be used by Deloit­te to iden­ti­fy the aut­hors of the comm­ents. […] Thus, the EDPS […] could not con­clude that the infor­ma­ti­on pro­vi­ded to Deloit­te rela­tes to an “iden­ti­fia­ble natu­ral person” […].

Accor­din­gly, the ECJ over­tur­ned the EDPS’s decis­i­on. – The con­side­ra­ti­ons of the ECJ go bey­ond this case – not only becau­se they con­firm the rela­ti­ve approach, but also becau­se they deri­ve con­se­quen­ces from it. If the dis­clo­sure of pseud­ony­mi­zed data – for which the reci­pi­ent can­not estab­lish a per­so­nal refe­rence – is not a dis­clo­sure of per­so­nal data, then not only does the Duty to inform. Also the rest­ric­tions on the For­eign announce­ment can­not then be applied. Accor­din­gly, a phy­si­ci­an who sends a blood sam­ple with a bar­code to a U.S. labo­ra­to­ry does not have to clo­se the stan­dard clau­ses or per­form a trans­fer impact assess­ment. Also, a ser­vice pro­vi­der who pro­ce­s­ses pseud­ony­mi­zed data, not an order pro­ces­sor, and no ADV needs to be con­clu­ded with him (even if pur­po­se limi­ta­ti­on and con­fi­den­tia­li­ty should of cour­se be agreed).

Under Swiss law, the ana­ly­sis is no dif­fe­rent. This fol­lows on the one hand from the Logi­step ruling of the Fede­ral Supre­me Courtwhich is cor­rect in this respect, and on the other hand from a Judgment of the Com­mer­cial Court of Zurich.




Rela­ted articles