The Commercial Court of Zurich ruled in judgment HG190107‑O of May 4, 2021 that pseudonymization acts like anonymization for those who cannot assign the pseudonymized data to a specific person.
The background was a planned transfer of personal data by the defendant, a Geneva bank, to the US DOJ on the basis of a non-prosecution agreement. It concerned data in the “II.D.2” list (Leaver list; an explanation can be found, e.g., in the ruling 4A_365/2017). The main point of contention was whether the data to be provided had a personal reference. The bank took the position that this data was anonymized or pseudonymized and therefore not personal data.
The HGer (Commercial Court) started from the relative approach to determining personal reference: the decisive factor is the perspective of the holder of a data item and, in the case of a disclosure, that of the recipient. From this it deduces that pseudonymization of data acts as anonymization for those who cannot assign it to a specific person (E. 3.2.3):
For all those who have access to the key, pseudonymized personal data continues to be personal data within the meaning of the FADP. For persons who do not have access to the key and also do not have other knowledge to be able to assign the data to a specific person again, pseudonymized personal data, on the other hand, no longer constitutes personal data.
This is correct, but not self-evident, and it contradicts a consideration of the BGer (Federal Supreme Court) in the Logistep decision. There, the BGer had stated that where non-personal data is disclosed to a recipient who can assign it to a person, not only the recipient is subject to the DPA (in the Logistep case, the rights holder who obtained from Logistep IP addresses from P2P networks), but also the sender (Logistep):
3.4 Whether information can be linked to a person on the basis of additional data, i.e. whether the information relates to an identifiable person (Art. 3 lit. a FADP), is assessed from the perspective of the respective owner of the information […]. In the case of disclosure of information, it is sufficient if the recipient is able to identify the data subject. […] If this is the case […], the Data Protection Act also applies to the respondent itself. To decide otherwise would mean applying the Data Protection Act only to the individual recipients, but not to the person who obtains the data in question and disseminates them. This would run counter to the purpose of the law.
This consideration was obviously result-oriented and wrong, because it contradicts the relative approach to the concept of personal data. The HGer ZH has now contradicted this view, implicitly but clearly. When the HGer says that pseudonymized data are not personal data “for persons who do not have access to the key and also do not have other knowledge to be able to assign the data to a specific person again”, this means, applied to the Logistep decision, that the IP addresses could not be personal data for Logistep itself.
The finding of the HGer ZH is of great practical importance. If a doctor transmits a barcode-coded blood sample to a laboratory in the USA, this is not data disclosure abroad; if a bank transmits pseudonymized transaction data to a service provider for evaluation or enrichment, this is neither data disclosure nor order processing (which does not mean, of course, that an analogous contract should not be concluded, but an omission could not, for example, lead to criminal liability under Art. 61 lit. b revDSG). The HGer ZH also expressly states:
If personal data is anonymized or pseudonymized before it is disclosed abroad in such a way that its recipient abroad can no longer establish a personal reference, this also constitutes no cross-border disclosure of personal data in the sense of Art. 6 DSG.
As noted, this is correct because it follows compellingly from the relative approach to the concept of personal data, but it is bold – perhaps bolder than one might expect from a foreign data protection supervisory authority, although the result under the GDPR must be the same.
The HGer further states that the burden of proof for the pseudonymization of the data, which in principle had personal reference, lies with the bank. The court recognized that this poses a certain problem of proof for the bank (how is it supposed to prove that the DOJ has no way of allocating the data?), but nevertheless did not relieve it of that burden, especially since the bank did not sufficiently address the plaintiffs’ submissions on possible identification, in particular the risk of identification via an administrative or mutual legal assistance procedure.
In the end, the HGer therefore prohibited the bank from providing the data, although it found in favor of the bank on the core substantive point.