Every day, more and more companies face the problem of personal data protection. As companies are increasingly scrutinised for proper data protection, it’s worth paying close attention to the latest best practices to avoid dealing with the potential negative consequences of a data breach. Therefore, the need for reliable data protection always remains relevant, considering that information about new record fines due to data protection violations is increasingly appearing.
In this article, we will explain the features of anonymisation and pseudonymisation of data, the impact and significance of their application in real life, as well as analyse the latest landmark cases, including the case of the Court of Justice of the European Union T-557/20, which will shed light on the legal subtleties surrounding anonymisation and data pseudonymisation.
Pseudo- and anonymisation of data: key features
Anonymising data means processing data in a way that makes it impossible to identify a person. The General Data Protection Regulation (GDPR) does not specify which data anonymisation methods should be used within the framework of EU legislation. The main goal is the result of the anonymised data must be such that it does not allow the data subject to be identified by “all”, “likely”, and “reasonable” means.
Recital 26 of the GDPR states:
“To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or another person, to identify the natural person directly or indirectly”.
Therefore, anonymised data are excluded from the scope of data protection legislation:
“The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable”.
Also, the concept of anonymised data is found not only in the GDPR but also in the e-Privacy Directive (Directive 2002/58/EC, Directive on privacy and electronic communications), in particular in Article 6(1):
“Traffic data relating to subscribers and users processed and stored by the provider of a public communications network or publicly available electronic communications service must be erased or made anonymous when it is no longer needed for the purpose of the transmission of a communication […]”,
and in Article 9(1):
“Where location data other than traffic data, relating to users or subscribers of public communications networks or publicly available electronic communications services, can be processed, such data may only be processed when they are made anonymous, or with the consent of the users or subscribers to the extent and for the duration necessary for the provision of a value added service […]”.
In other words, if the data controller wishes to retain such personal data after the purposes of initial or further processing have been achieved, such personal data must remain anonymous “by default” (subject to various legal requirements such as those mentioned in the e-Privacy Directive).
That is the key points are:
- The processing to anonymise the personal data is still processing and requires a legal basis according to Article 6 of the GDPR;
- Data anonymisation is the result of personal data processing to make it impossible further identify the data subject (irreversible process);
- The GDPR does not establish proper ways to anonymise data;
- It is necessary to pay attention to “all” means that can “likely” and “reasonably” be used by the controller and third parties to identify the person.
- In any case, there will still be a risk factor, and it needs to be assessed appropriately to justify the method of anonymisation that will be used.
There are various practices and methods of anonymisation with varying degrees of reliability: randomisation, generalisation, permutation (shuffling), etc. Working Party 29 (WP 29) describes the usage practices in Opinion 05/2014 on Anonymisation Techniques (noting common mistakes in using each method).
Concerning pseudonymisation, this process is characterised by changing the characteristics by which the data subject can be identified to a pseudonym (in other words, a value that does not allow the data subject to be directly identified).
In Recital 26 of the GDPR, it is stated about the data, with the use of pseudonyms:
“Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person“.
In contrast to anonymised data, this type of data still qualifies as personal data under the provisions of the GDPR.
The most common pseudonymisation methods are encryption, hash function, tokenisation, etc. Pseudonymisation provides limited data protection in many cases, as it still allows identification of the individual by indirect means (e.g. it is possible to identify the data subject by analysing the primary and related data).
The value of the case T-557/20
At the end of April 2023, the General Court of the EU (hereinafter – Court) ruled in case T-557/20, where data using pseudonyms may not be considered personal data.
Parties: Single Resolution Board (SRB) is the central body within the Banking Union and the European Data Protection Supervisor (EDPS).
Background: On June 7, 2017, the SRB, in its executive session, adopted a Decision on the resolution scheme for Banco Popular Español, SA. The essence of the decision is to put Banco Popular Español, SA, under reorganisation (on the same day, the European Commission adopted Decision (EU) 2017/1246 on approving the resolution scheme).
On August 6, 2018, the SRB published a Notice on its website regarding its preliminary decision on whether to compensate the shareholders and creditors subject to remedial action against Banco Popular. In a previous decision, the SRB invited shareholders and creditors to express their interest in exercising their right to be heard under Article 41(2)(a) of the Charter of Fundamental Rights of the European Union (to decide whether shareholders and creditors should receive compensation). Interested shareholders and creditors were first required to complete an online registration form, and then interested shareholders and creditors whose status was verified by the SRB could submit their comments on the preliminary decision. SRB automatically filtered comments, and each was assigned a unique alphanumeric code. The SRB staff responsible for analysing the comments did not have access to the data collected at the registration stage nor to the data key or information that could be used to track the identity of participants using a unique alphanumeric code.
After completing the registration and receiving comments, the SRB asked Deloitte (as an independent body) to evaluate the relevant comments. Selected comments were transmitted using a secure virtual data server. The SRB uploaded the files to a virtual server and provided access to these files to a limited number of Deloitte employees directly involved in the project. All comments had an alphanumeric code, and only the SRB could link the comments to the data received during the registration phase.
Already in 2019, shareholders and creditors who filled out the form submitted five complaints to the EDPS about protecting individuals regarding the processing of personal data. The applicants indicated that the SRB did not inform them that the data collected through the responses to the forms would be transferred to third parties in violation of Article 15(1)(d) of the GDPR, which states that “the data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information about the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period.”
After receiving explanations from the SRB, the EDPS found that the SRB had breached Article 15 of the GDPR because the SRB had failed to inform the applicants that their personal data could be disclosed to Deloitte. However, the SRB argued that the information provided by Deloitte was not personal data within the meaning of Article 3(1) of the GDPR. The EDPS further revised its previous decision and stated that the data provided by Deloitte was pseudonymous because the comments in the [consultation phase] were personal data and because the SRB provided an alphanumeric code that allows the responses to be linked, provided in the [registration phase], from the data provided in the [consultation phase] – even though the data provided by participants for identification in the [registration phase] has not been disclosed to Deloitte.
The EDPS also considered that Deloitte was a recipient of the applicants’ personal data under Article 3(13) of the GDPR. The fact that Deloitte was not mentioned in SRB’s privacy statement as a potential recipient of personal data collected and processed by SRB as a controller violated the obligations defined in Article 15(1)(d) GDPR.
In this case, it was not disputed that the alphanumeric code contained in the information provided to Deloitte did not allow the authors of the comments to be identified. It was also not disputed that Deloitte did not have access to the identification data at the registration stage that would have allowed participants to be linked to their comments by alphanumeric code. The only challenge was whether the data, including the comments and alphanumeric code, provided to Deloitte constituted personal data.
What the Court decided: The Court indicated that pseudonymous data transferred to a data recipient is not considered personal data unless the data recipient can re-identify the data subjects. But the Court points to the need to assess each case. The Court also explained that an individual’s opinion could not be considered personal data by presumption, and the decision to define an individual’s opinion as personal data must be based on an examination of whether such an opinion is related in its content, purpose or effect to a specific person:
“Admittedly, it cannot be ruled out that personal views or opinions may constitute personal data […] such a conclusion cannot be based on a presumption […], but must be based on the examination of whether, by its content, purpose or effect, a view is linked to a particular person”.
In light of this, the Court of General Jurisdiction ruled in favour of the SRB. However, this decision can still be appealed to the EU Court.
We can summarise that the decision in case T-557/20 is essential:
- The fact that the data controller (the person transferring the data) can re-identify data subjects does not automatically mean that the transmitted data will also be identified as personal data for the recipient.
- The data recipient’s perspective must be considered to determine whether pseudonymised data is personal data. Suppose the data recipient has no additional information that would allow him or her to re-identify the data subjects and has no legal means to access such information. In that case, the transferred data may be considered anonymous to the recipient. Therefore, in this case, it is not personal data.
3. Whether an opinion is related to a specific person by content, purpose or effect or whether such an opinion will be considered personal data must be clarified case by case.