HGer ZH: Pseudonymization acts like anonymization for the recipient

The Commercial Court of Zurich ruled in judgment HG190107‑O of May 4, 2021 that pseudonymization acts like anonymization for those who cannot assign the pseudonymized data to a specific person.

The background was a planned transfer of personal data by the defendant, a Geneva bank, to the US DOJ on the basis of a non-prosecution agreement. It concerned data in the “II.D.2” list (Leaver list; an explanation can be found, e.g., in the ruling 4A_365/2017). The main point of contention was whether the data to be provided had a personal reference. The bank took the position that this data was anonymized or pseudonymized and therefore not personal data.

The HGer started from the relative approach to determining personal reference: the decisive factor is the perspective of the holder of a datum and, in the case of a disclosure, that of the recipient. From this it deduces that the pseudonymization of data acts as anonymization for those who cannot assign it to a specific person (E. 3.2.3):

For all those who have access to the key, pseudonymized personal data continues to be personal data within the meaning of the FADP. For persons who do not have access to the key and also do not have other knowledge to be able to assign the data to a specific person again, pseudonymized personal data, on the other hand, no longer constitutes personal data.

This is correct, but not self-evident, and it contradicts a consideration of the BGer in the Logistep decision. There, the BGer had stated that when non-personal data is disclosed to a recipient who can assign it to a person, not only the recipient is subject to the DPA (in the Logistep case, the rights holder who obtained from Logistep IP addresses from P2P networks), but also the sender (Logistep):

3.4 Whether information can be linked to a person on the basis of additional data, i.e. whether the information relates to an identifiable person (Art. 3 lit. a FADP), is assessed from the perspective of the respective owner of the information […]. In the case of disclosure of information, it is sufficient if the recipient is able to identify the data subject. […] If this is the case […], the Data Protection Act also applies to the respondent itself. To decide otherwise would mean applying the Data Protection Act only to the individual recipients, but not to the person who obtains the data in question and disseminates them. This would run counter to the purpose of the law.

This consideration was obviously result-oriented and wrong, because it contradicts the relative approach to the concept of personal data. The HGer ZH has now contradicted this view, implicitly but clearly. When the HGer says that pseudonymized data are not personal data “for persons who do not have access to the key and also do not have other knowledge to be able to assign the data to a specific person again”, this means, applied to the Logistep decision, that the IP addresses could not be personal data for Logistep itself.

The finding of the HGer ZH is of great practical importance. If a doctor transmits a barcode-coded blood sample to a laboratory in the USA, this is not data disclosure abroad; if a bank transmits pseudonymized transaction data to a service provider for evaluation or enrichment, this is neither data disclosure nor order processing (which does not mean, of course, that an analogous contract should not be concluded, but an omission could not, for example, lead to criminal liability under Art. 61 lit. b revDSG). The HGer ZH also expressly states:

If personal data is anonymized or pseudonymized before it is disclosed abroad in such a way that its recipient abroad can no longer establish a personal reference, this also constitutes no cross-border disclosure of personal data in the sense of Art. 6 DSG.

As noted, this is correct because it follows compellingly from the relative approach to the concept of personal data, but it is bold – perhaps bolder than one might expect from a foreign data protection supervisory authority, although the result under the GDPR must be the same.

The HGer further states that the burden of proof for the pseudonymization of the data, which in principle had personal reference, lies with the bank. The court acknowledged that this poses a certain evidentiary problem for the bank (how is it supposed to prove that the DOJ has no way of assigning the data to a person?), but nevertheless did not relieve it of the burden, especially since the bank did not sufficiently address the plaintiffs’ submissions on possible identification, in particular the risk of identification via an administrative or mutual legal assistance procedure.

In the end, the HGer therefore prohibited the bank from providing the data, although it found in favor of the bank on the core substantive point.