The CJEU gave two consequential judgments on the definition of “personal data” and its relationship with de-identification, one in first instance by the General Court (Case T-557/20, SRB I, 26 April 2023) and the other one in appeal to the first one, by the Court of Justice (Case C-413/23, SRB II, 4 September 2025). The case opposed an EU body with a role in the banking union – the Single Resolution Board (SRB), and the European Data Protection Supervisor (EDPS). The SRB challenged a decision of the EDPS against it for non-compliance with the Data Protection Regulation of EU institutions (EUDPR) in relation to a dataset of pseudonymized individual comments sent to a third party, Deloitte. 

The General Court annulled the EDPS decision in first instance, finding that the EDPS did not perform the full test to ascertain the data at issue were personal. In appeal, the Court of Justice set aside the first judgment and maintained the EDPS decision sanctioning SRB. The Court confirmed that SRB indeed had transparency obligations in relation to the pseudonymized data it shared with Deloitte, and that the EDPS did not have to assess whether that data was personal or not in the hands of Deloitte. Remarkably, neither of the Courts made any findings about the nature of the data from Deloitte’s point of view (this is to say that the pseudonymized data in this case was never cataloged as being personal or not being personal in the hands of the third party, throughout the lengthy proceedings).

In the process, however, the Court of Justice in appeal: 

  • created jurisprudence for the first time on the meaning and application of “pseudonymization”; 
  • clarified that pseudonymized data are not always personal data, as opposed to what was the generally-accepted doctrine by regulators; 
  • possibly created a new type of data – “impersonal data”, sitting somewhere in between pseudonymized and anonymous data (unless it did this accidentally); and 
  • clarified that the same dataset can be personal for an entity while at the same time can be prevented from being identifiable in the hands of a third party, depending on the technical and organisational measures put in place. 

The SRB case may push for significantly redrawing the borders of data protection law in the EU, with the European Commission aiming to update the legal definition of personal data under the GDPR with language that in its opinion reflects the findings of the Court of Justice. This turn of events is all the more interesting, considering that the European Commission intervened in appeal to support SRB’s claim that it was not a controller and it was not processing personal data subject to the transparency obligations in the context of sharing them to Deloitte, only to lose the case. 

It is therefore important to examine the findings of the Court meticulously in order to understand precisely what the CJEU’s most recent interpretation of the legal definition of personal data is, and how it relates to de-identification (used here as an umbrella term for pseudonymization and anonymization). Reading and analyzing the two judgments together is paramount, given that the Court of Justice in appeal neutralizes the findings of the General Court in first instance.

This post is a long read (34 minutes), albeit a necessary one – but you can easily take a shortcut and jump to the conclusion. Section 1 first summarizes the facts of the case. Section 2 analyzes the judgment of the General Court in first instance, while Section 3, split in six parts, slowly and patiently analyzes the recent judgment of the Court of Justice in appeal, with all its twists and turns. Section 4 includes a few concluding remarks, noting that a new chapter – far more nuanced than in the past, even if not at all clear – has opened for de-identifiability under the GDPR.

1. Facts of the case, step-by-step

The SRB is an EU body with a role in the banking union, ensuring the orderly resolution of failing banks. In the context of the resolution of a Spanish bank in 2018, the SRB called for the bank’s creditors and shareholders to express their interest in exercising their right to be heard, in order for the SRB to take its final decision on whether these persons should be granted compensation under the relevant EU law. Creditors and shareholders had to first register online their intention to comment and submit identification information and proof they are creditors or shareholders to the SRB. Once vetted, those approved were invited to submit comments via an online form with seven questions, through a unique personal link shared by the SRB.  

There were 2,855 participants in this process, who submitted a total of 23,822 comments, each of them being allocated a unique alphanumeric number (the unique number was linked to each comment, not to the participant submitting them; however, based on the facts of the case, each participant also had a unique link attributed to them in the initial collection phase). After filtering the comments, categorizing them on themes, and identifying many duplicates, the SRB identified 3,730 individual comments, of which 1,104 – all relevant for a certain procedure following the resolution of the bank – were transferred to Deloitte for analysis, “filtered, categorised and aggregated” (SRB I, para 23), together with their alphanumeric codes. However, only the SRB could link the comments to the individuals signing up in the registration phase.

In its final decision following the complaints, the EDPS found that the data SRB shared with Deloitte was pseudonymous, so, therefore, it was personal. The fact that sharing the personal data with Deloitte as a recipient was not mentioned in the privacy notice was an omission to be sanctioned as unlawful under the transparency obligations of the EUDPR. The EDPS issued a reprimand and asked the SRB to update its privacy notice. 

The SRB asked for the annulment of the EDPS decision at the General Court of the CJEU, claiming that the data it shared with Deloitte was not personal, and, therefore, it did not have an obligation to disclose its sharing in the privacy notice. It also made a second plea, alleging the infringement of the right to good administration (Article 41 EU Charter of Fundamental Rights) by the EDPS.

2. SRB I: The General Court annulled the challenged decision because it considered the EDPS did not apply the full test for personal data in its investigation

The General Court spelled out a test for what data qualifies as personal under the definition in the EUDPR, which is identical to the one in the GDPR:

  1. The data needs to “relate” to a natural person, and
  2. That person must be “identified or identifiable” (SRB I, para 59).

2.1. “Relate”: The EDPS did not assess the content, purpose and effect of the data shared with Deloitte

It then started analysing the first condition (“relate”) and recalled the Nowak case-law, which established that the condition is satisfied “where the information, by reason of its content, purpose or effect, is linked to a particular person” (Nowak, para 35; SRB I, para 69). The General Court highlighted that the EDPS did not assess in its decision these three elements (content, purpose, effect), and that it merely stated that “the comments produced by the complainants during the consultation phase reflect their opinions or views”. This was the only ground for the EDPS to conclude that they must be classified as “personal data” (SRB I, paras. 70, 71).

The General Court also noted that the EDPS maintained at the hearing that “any personal opinion constituted personal data” (SRB I, para. 72). However, the General Court decided that this cannot be the case in every situation, since an assessment of content, purpose and effect is required to ascertain personal data are at issue, and found that since the EDPS did not make this assessment, it “could not conclude that the information transmitted to Deloitte constituted information ‘relating’ to a natural person” (SRB I, para. 74).

This could have been enough for the General Court to annul the EDPS decision, since the two conditions are cumulative. However, it decided to further analyze the second condition related to “identifiability”. 

2.2. “Identifiability”: The EDPS did not apply the Breyer test for “means likely reasonably to be used” to the data shared with Deloitte

The EDPS invited the General Court to distinguish between anonymous and pseudonymous data, with the difference between them being that “in the case of anonymous data, there was no ‘additional information’ that could be used to attribute the data to a specific data subject, whereas, in the case of pseudonymous data, there is such additional information” (SRB I, para 81). 

This is why, according to the EDPS, “the data provided during the registration phase together with the unique identifier, namely the alphanumeric code attributed to each eligible participant, constituted a perfect example of ‘additional information’” within the meaning of the definition of pseudonymisation (SRB I, para 82). The EDPS further explained that the EUDPR “did not distinguish between those who kept pseudonymous data and those who held additional information and that the fact that they were different entities did not make pseudonymous data anonymous” (SRB I, para 83). 

The General Court did not agree with the view of the EDPS, and, in any case, did not rely in its assessment on the distinction between pseudonymous and anonymous data.

The Court first established as a matter of fact that the data in Deloitte’s hands (the comments and their unique alphanumeric number) did not relate to “identified” individuals (SRB I, para 84), so it went on to analyse whether it related to “identifiable” data subjects. 

In order to do so, it relied on the Breyer jurisprudence, recalling the Court of Justice found in that case that it is not required that all the information enabling the identification of the data subject must be in the hands of one person for that data to be considered identifiable. In fact, it cannot be excluded that data such as dynamic IP addresses are personal data just because the identification information was held by a different entity (the internet service provider) than the entity at issue in the case (an online media services provider).

The essential point the General Court focused on was that, nonetheless, the Court of Justice established in Breyer that it must be ascertained whether the entity without the additional information has “means likely reasonably to be used” for identification before cataloging the data as personal (SRB I, paras 88 to 92). The General Court noted that, in order to find whether the data at issue are personal, the EDPS had “to examine whether the comments transmitted to Deloitte constituted personal data for Deloitte” (SRB I, para 100), “whereas it merely examined whether it was possible to re-identify the authors of the comments from the SRB’s perspective and not from Deloitte’s” (SRB I, para 103).

Applying the Breyer jurisprudence to the case at hand, the General Court found that the EDPS could not have validly concluded that the information transmitted to Deloitte was information relating to an identifiable individual, “since the EDPS did not investigate whether Deloitte had legal means available to it which could in practice enable it to access the additional information necessary to re-identify the authors of the comments” (para. 105). 

To be sure, the General Court itself did not specifically find that the data at issue were personal or not, nor did it make any suggestion about the direction in which such an investigation should go. It merely annulled the EDPS decision against the SRB on the ground that the EDPS did not perform the test for “means likely reasonably to be used” laid out in Breyer to establish identifiability in relation to the data held by Deloitte, nor did it perform the “content, purpose or effect” test detailed in Nowak.

The General Court also decided it is not necessary to pursue the second plea in law (alleging bad administration), since the decision was annulled. 

2.3. Intermediary conclusions

There are some necessary remarks after reading SRB I in detail:

  • The General Court annulled the EDPS decision because the EDPS did not perform the specific assessments and tests for “relate” and “identifiability” in the definition of “personal data” that the Court of Justice laid out in its 2016 Breyer decision and 2017 Nowak decision for the data shared with Deloitte. 
  • Notably, the Breyer judgment was given by the Court of Justice under the provisions and definitions of Directive 95/46, where pseudonymization was not legally defined (the definition and concept were introduced by the GDPR), and at a time where de-identification was more binary rather than on a spectrum involving technical and organizational measures. 
  • The General Court did not make any findings or differentiation related to anonymization or pseudonymization, even as the EDPS specifically invited it to do so. 
  • By focusing on the perspective of the recipient (Deloitte) in most of its findings, and even after it highlighted that the EDPS assessed the data as being personal only from the position of the SRB, the General Court ignored that the decision of the EDPS was addressed to SRB as controller of personal data in its hands before the data reached Deloitte. 

3. The appeal: The Court of Justice reinstated the EDPS decision, rejecting the claims of SRB and the European Commission

The EDPS appealed this judgment to the Court of Justice, and the journey suddenly became a quest, since each of the two parties was reinforced by an intervener along the way. The European Commission joined SRB, supporting its claims, and the European Data Protection Board (EDPB) joined the EDPS. 

Technically, the EDPS asked the Court of Justice to set aside the General Court judgment in SRB I and deliver the final judgment on the dispute, while the SRB asked the Court to first dismiss the appeal, or in the alternative, to annul the EDPS decision, or in the alternative, to refer the case back to the General Court.

The Court of Justice not only dismissed the appeal, rejecting the arguments of the SRB and the European Commission on substance, but also decided to maintain the EDPS decision as valid, without sending the case back to the General Court for that plea. However, in doing so, it made significant findings on substance about the data at issue in the main proceedings which add to the “identifiability” case-law of the Court.

3.1. Comments that express someone’s opinions or thoughts always relate to that person

The first part of the appeal targeted the Nowak “relate” test required by the General Court. The EDPS submitted that “data protection authorities cannot be required to carry out, in all cases, an examination of the content, purpose or effect of information in order to ascertain whether it relates to a natural person” (SRB II, para. 45). The EDPS argued that this is particularly the case for the comments in the main proceedings, which clearly relate to a natural person “in that they expressed the personal views of some creditors and shareholders” of the bank (SRB II, para. 45). 

The SRB, supported by the European Commission, asked the Court to reject this line of argumentation (SRB II, para. 48).

The Court of Justice started its analysis by asserting that the definition of “personal data” in the EUDPR is identical to that in the GDPR, and “has a scope that is essentially identical” to that in Directive 95/46 (SRB II, para. 52). The Court specified this probably to justify why it will rely on case-law under Directive 95/46, such as Breyer and Nowak later on in the judgment. The Court then recalled that the general wording of the definition (“any information”) “reflects the aim of the EU legislature to assign a wide scope to that concept, which potentially encompasses all kinds of information, not only objective, but also subjective, in the form of opinions and assessments” (my highlight) (SRB II, para. 54, citing a long list of cases).

While the Court maintains that “information relates to an identified or identifiable natural person where, by reason of its content, purpose or effect, it is linked to an identifiable person” (SRB II, para 55, citing many cases), it also highlights that the conjunction “or” in this enumeration indicates that not all three criteria must be assessed for the “relate” element to be identified (SRB II, para 56). Thus, it is sufficient just for one of them to be present. In the case at hand, the Court stated it is apparent that when EDPS found the comments reflected the opinions of creditors and shareholders, it necessarily examined, first, the content of those comments (SRB II, para 56).  

The Court of Justice further censured the finding of the General Court that “the EDPS could not classify the information contained in the comments transmitted to Deloitte as personal data solely on the basis of the finding that they were personal opinions or views” (SRB II, para 57).

This is where one of the most important findings of the Court of Justice comes about the nature of personal data: “That assessment by the General Court misconstrues the particular nature of personal opinions or views which, as an expression of a person’s thinking, are necessarily closely linked to that person” (my highlight) (SRB II, para 58). The Court noted that this interpretation is supported by the fact that in Nowak, while the Court did assess the content, purpose and effect of the comments annotated on exam papers in order to find that they were the personal data of those who were examined, it additionally found that the same comments “also related to the examiner who was the author of them, since they expressed the opinion or assessment of that examiner” (SRB II, para 59). (NOTE: For a full summary and analysis of Nowak, where I specifically draw attention to the finding of the Court that the same data can be personal to two different data subjects, see my blog HERE).

The Court of Justice concluded the General Court “erred in law” when it decided the EDPS should have done the full “content, purpose or effects” test for the comments sent to Deloitte, “since it was common ground that they expressed the personal opinion or view of their authors” (SRB II, para 60). 

The emphasis of the Court that comments or opinions are inherently relating to the person who made them should be pinned and kept in mind, especially in the context of online platforms being controllers and outside the scope of intermediary liability rules when they process personal data, in the light of this week’s Russmedia judgment. 

Notably, though, this is only about the “relate” part of the test of what constitutes personal data. The identifiability test is also needed in order to find that data are personal or not.

3.2. The Court in appeal was, again, specifically invited to distinguish between pseudonymisation and anonymisation

The EDPS put forward the key argument at the core of the regulatory vision animating the introduction of “pseudonymization” in the GDPR, at least from the point of view of data protection authorities: “that pseudonymized data constitute personal data, and that that is the case simply because of the existence of additional information enabling them to be attributed to a particular person” (SRB II, para 63). It further argued that the General Court did not sufficiently take into account “the distinction between anonymisation and pseudonymisation” (SRB II, para 64). 

The EDPS further submitted that “by introducing the concept of pseudonymisation, the EU legislature clarified that, in order to exclude personal data from the scope of EU law on the protection of such data, it is not sufficient to separate those data from the additional information enabling the data subject to be identified” (SRB II, para 65). 

Both the EDPS and the EDPB further argued that treating pseudonymized data as “anonymous data”, and thus bringing them outside the scope of EU data protection law, would undermine the high level of protection pursued by the EU legislature and required by the EU Charter of fundamental rights. The EDPB was particularly concerned that the interpretation adopted by the General Court “entails the risk that pseudonymised data could be processed without restrictions under the GDPR (…), including the sharing, publication and transfer to third countries of those data” (SRB II, para 66, my highlight). The European Commission, in turn, disputed this whole line of arguments (SRB II, para 67). 

It is important to note all of these arguments brought by the EDPS and the EDPB in front of the Court of Justice, because this means that the Court at least heard them before reaching its conclusion. 

The Court clearly understood what it was asked to decide on: that pseudonymised data are in all cases personal data, “solely because of the existence of information enabling the data subject to be identified, without it being necessary to examine specifically whether, despite pseudonymisation, the person to whom those data relate is identifiable” (SRB II, para 68). It should be recalled here that, indeed, the General Court annulled the EDPS decision on the basis that it did not proceed to assess the means likely reasonably to be used to identify the creditors and shareholders in the case. 

To answer this question of law, the Court of Justice first established that the criteria in the definition of personal data are inescapable, as the definition requires that the data relate to an identified or identifiable person in order to be personal. Accordingly, “an examination of whether the data subject is identified or identifiable by the information in question” is necessary to determine that the GDPR is applicable to that data in all cases (SRB II, para 69).  

The Court then specifically addressed pseudonymised data and noted that “those data are not mentioned in the legislative definition of ‘personal data’”, but that their characteristics can be drawn from the definition of “pseudonymisation” in Article 3(6) GDPR (SRB II, para 71). The Court then transcribes that definition with all its elements, as: “the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person”.  

3.3. The mere existence of “additional information” precludes pseudonymized data from being regarded, in all cases, anonymous

The Court went on to create its first jurisprudence on “pseudonymisation”, with detail, and rich argumentation. For the first time, the Court specifically differentiated between pseudonymized data and anonymous data.

First, it established that pseudonymisation is not part of the definition of “personal data” and highlighted the procedural nature of the concept, as well as the fact that it presupposes the existence of technical and organisational measures. It also recognized that pseudonymisation is linked to the idea of reducing the risk of identification of individuals in a certain data set. Specifically, the Court noted that pseudonymisation “refers to the establishment of technical and organisational measures to reduce the risk of a data set being correlated with the identity of data subjects” (SRB II, para 72, my highlight). It also recognized that the concept of pseudonymisation presupposes the existence of additional information which would enable the identification of the data subject.

Significantly, the Court noted that “the very existence of such information precludes data that have undergone pseudonymisation from being regarded, in all cases, as anonymous data, which is excluded from the scope” of the GDPR (SRB II, para 73, my highlight). With this finding, the Court turned the perspective that defined the DPAs’ approach so far to pseudonymized data from what can be described as “the existence of additional information means that pseudonymized data is personal in all cases” to “the existence of additional information prevents pseudonymized data from being anonymous data in all cases”.

One interpretation of this finding could be that anonymization itself, which would bring data outside the scope of the GDPR, is regarded as an absolute concept: the mere existence, somewhere, of additional information that could be correlated to de-identified data in order to identify a person annuls the notion that that data is anonymous “in all cases”. Does this mean that if the data is pseudonymized, it can never be considered as “anonymous” because there is additional information out there that could re-identify individuals depending on who holds the data, regardless of the means and risk of reidentification? Is anonymization recognized only where it exists in relation to every and all entities, with no risk whatsoever for reidentification? The answer is not clear one way or the other, the more one thinks about it, and it is possible the Court will be invited to provide further clarification in the future. 

3.4. A new category of “impersonal data”?

This interpretation is not that far-fetched, though. First, the Court does not use the notions of anonymized, anonymization or anonymous data for the remainder of the judgment after making that finding in para 73. It refers only to personal data and pseudonymized data, and introduces a category of “impersonal data” (see paras 83 and 84).

Second, the Court specifically rebukes the EDPS argument that, if the Court does not recognize pseudonymized data as always personal, this would unduly bring pseudonymized data outside the scope of the GDPR and its protection, lowering the level of protection afforded by EU law. The Court argues that the fact that pseudonymized data are not personal in the hands of a recipient “has no bearing on the assessment of the personal nature of those data in the context, inter alia, of a potential subsequent transfer of those data to third parties. Accordingly, in so far as it cannot be ruled out that those third parties have means reasonably allowing them to attribute pseudonymized data to the data subject, such as cross-checking with other data at their disposal, the data subject must be regarded as identifiable as regards both that transfer and any subsequent processing of those data by those third parties” (SRB II, para 85, my emphasis). 

There is a lot to unpack here, but it is not inconceivable, following this line of reasoning, that the Court conceptualizes multiple states of identifiability for data, possibly with anonymous data at the end of a spectrum where no additional information exists whatsoever to facilitate reidentification. At the same time, pseudonymized data – which presupposes the existence of additional information – is recognized sometimes as personal data and sometimes as “impersonal data” (which, in turn, seems to be a fluid state potentially swinging back to “personal” depending on the hands in which it finds itself and the additional information available to them).

Unless, of course, the Court used “anonymous” and “impersonal” interchangeably after making that general finding in para 73 about “anonymous data”, and, therefore, accidentally created a new category of data relevant in data protection law. Notably, a quick search of the Breyer, Nowak, IAB Europe, Scania judgments and the AG Opinion in SRB II shows that the Court did not use the concept of “impersonal data” in any of them.

“Impersonal data” is used in two paragraphs of the judgment, immediately after the Court makes a key finding: that the existence of additional information “does not, in itself, mean that pseudonymized data must be regarded as constituting, in all cases and for every person, personal data” (SRB II, para 82), rejecting thus the submission of the EDPS and the EDPB. 

To reinforce this conclusion, in the following paragraph the Court gives as example its Breyer and IAB Europe cases, concerning dynamic IP addresses and the TC string respectively, where it recalled it held that these “data that are inherently impersonal and have been collected and retained by the controller were nevertheless connected to an identifiable person, since the controller had legal means of obtaining additional information from another person making it possible to identify the data subject. In such circumstances, the fact that the information enabling the data subject to be identified was in the hands of other people did not actually prevent that subject from being identified in such a way that the subject was not identifiable for the controller” (SRB II, para 83). 

In the following paragraph, the Court refers again to impersonal data, describing how, “above all”, following the Scania case about VIN numbers, “data which are in themselves impersonal may become ‘personal’ in nature where the controller puts them at the disposal of other persons who have means reasonably likely to enable the data subject to be identified” (SRB II, para 84, my emphasis). The Court further stated that in this case “those data are personal both for those persons, and, indirectly, for the controller” (SRB II, para 84).

Therefore, it seems that the Court classifies as “impersonal data” strings of numbers that can be identified or re-identified down the data-sharing chain.

The Court then concludes that “contrary to what the EDPS maintains, pseudonymised data must not be regarded as constituting, in all cases and for every person, personal data (…), in so far as pseudonymisation may, depending on the circumstances of the case, effectively prevent persons other than the controller from identifying the data subject in such a way that, for them, the data subject is not or is no longer identifiable” (SRB II, para 86, my highlight). With this, indeed, the Court highlights that pseudonymous data may be effectively de-identified in the hands of some recipients, but that this is all circumstantial, depending on each case and on what technical and organisational measures are put in place.

3.5. Technical and organisational measures, depending on the case, are essential to assess effectiveness of preventing identification 

This point is made obvious by the Court when it calls out its findings “in paragraphs 75 to 77” of SRB II as the framework according to which “pseudonymisation may, depending on the circumstances of the case, effectively prevent persons other than the controller from identifying the data subject in such a way that, for them, the data subject is not or is no longer identifiable” (SRB II, para 87). It is notable how in the concluding part of this section of the judgment the Court does not refer to the resulting pseudonymised data in the hands of the recipient as potentially being “anonymous” and prefers a long-winded phrasing related to preventing identifiability. 

According to the Court in para 75, pseudonymisation may have an impact on whether or not the resulting data is personal “provided that such technical and organisational measures are actually put in place and are such as to prevent the data in question from being attributed to the data subject in such a way that the data subject is not or is no longer identifiable” (my emphasis). The Court then goes to the case at hand and finds that SRB has additional information enabling the comments transmitted to Deloitte to be attributed to data subjects, with the result that “those comments are, in spite of pseudonymisation, still personal in nature” (SRB II, para 76).

The question arises whether, with respect to Deloitte, the technical and organisational measures put in place may have the effect that those comments transmitted are not personal in nature. In order for this to happen, the Court lays out two conditions (SRB II, para 77):

  1. That Deloitte “is not in a position to lift those measures during any processing of the comments which is carried out under its control”; and
  2. “Those measures must in fact be such as to prevent Deloitte from attributing those comments to the data subject including by recourse to other means of identification such as cross-checking with other factors, in such a way that, for the company, the person concerned is not or is no longer identifiable” (my emphasis).

With this last condition, the Court indicates that access to any other information, not only to the key code held by SRB, must be taken into account to determine whether the pseudonymization is effective in preventing identification. The Court recalled, as an example, how in the case of OC v Commission which concerned a press release containing statements relating to a person without naming them, it did not confine itself to finding that the EU body which published the press release had all the information enabling that person to be identified, “but examined whether the statements contained in that press release reasonably enabled the public concerned to identify that person, in particular by combining those statements with information available on the internet” (SRB II, para 81). 

Notably, after laying out the relevant test, the Court did not make any assessments on whether Deloitte was or was not in the position to re-identify the data.

3.6. There was no need for the EDPS to assess whether the data were personal from Deloitte’s point of view (and the Court did not make such assessment either) 

In the last part of the judgment, the Court of Justice addressed the challenge submitted by the EDPS that the General Court erred when it required the EDPS to verify whether the data at issue were personal from the perspective of Deloitte. The Court of Justice noted that the definition of personal data “does not expressly specify the relevant perspective for assessing the identifiable nature of the data subject” (SRB II, para 99). 

In addition, it recalled that “for information to be treated as ‘personal data’, it is not required that all the information enabling the identification of the data subject must be in the hands of one person” (SRB II, para 99, referring to Breyer and OC v Commission). Moreover, the Court made it explicit that “the relevant perspective for assessing whether the data subject is identifiable depends, in essence, on the circumstance of the processing of the data in each individual case” (SRB II, para 100, my highlighting).

After recalling that in the case at hand the EDPS found SRB failed to comply with its transparency obligations by failing to mention Deloitte as a potential recipient of the comments in the privacy notice, the Court made a link between this failure and the rules for valid consent (apparently used as the lawful ground for processing in this case) which require that the consent must be “informed”. In particular, the Court found that the validity of the consent given by the data subject “depends, inter alia, on whether that data subject has previously obtained the information in the light of all the circumstances surrounding the processing of the data in question to which he or she was entitled (…) and which allows him or her to give consent in full knowledge of the facts” (SRB II, para 106). 

Crucially, the Court established that, in order to comply with notice requirements, “the identifiable nature of the data subject must be assessed at the time of collection of the data and from the point of view of the controller” (SRB II, para 111). This means that in the case at hand the SRB’s obligation to provide information was applicable “prior to the transfer of the data at issue and irrespective of whether or not those data were personal data, from Deloitte’s point of view, after any potential pseudonymisation” (SRB II, para 112). 

The Court emphasized that information, especially in the case where personal data is obtained directly from data subjects, must be provided at the time when the data are collected (SRB II, para 113), rejecting thus the arguments of SRB. The Court of Justice concluded that the General Court erred in law in holding that in order to assess whether the SRB had complied with its obligation to provide information, the EDPS should have examined whether the comments transmitted to Deloitte constituted, from Deloitte’s point of view, personal data (SRB II, para 115). 

The Court thus decided there is no need to examine whether the data in the hands of Deloitte were personal or not (SRB II, para 116). It then upheld the appeal and set aside the first judgment (SRB II, para 117). Moreover, the Court decided that the state of proceedings permitted it to give final judgment in favor of the EDPS, with regard to the first plea (rejecting thus the annulment of the enforcement decision of the EDPS against the SRB). However, it sent back the case to the General Court in relation to the second plea in the original court action, related to SRB’s right to good administration.

4. Concluding remarks: A new chapter opens for de-identifiability under the GDPR

A close reading of the SRB judgements reveals that:

  • Neither of the two Courts made an assessment on whether the pseudonymized data sent to Deloitte were personal or not from Deloitte’s perspective. Nonetheless, the Court in appeal created a two-pronged test that could be used in future cases to make such assessments. 
  • The landscape of de-identification under the GDPR that the Court of Justice painted is incredibly complex, especially as the Court finally acknowledged and explored pseudonymized data and anonymous data as two different concepts. At least, from now on, the landscape will rely on some certainties, such as that pseudonymized data are not always personal data. But the same landscape is also painted with novel uncertainties, such as the (accidental or not?) introduction in the identifiability lexicon of the new concept of “impersonal data” (SRB II, para 82, 83), or a potential (even if following a far-fetched interpretation) confirmation of the absolute view on anonymization, which would be excluded by the mere existence of “additional information” that could reidentify the data subject (SRB II, para 73), possibly with no need in this case for a “means reasonably likely” test. In this sense, it is notable how the Court never refers to the pseudonymized data which may not be personal in the hands of a recipient as “anonymous”.
  • In order for pseudonymized data to not be considered personal in the hands of a third party, not only must technical and organisational measures be put in place through the process of pseudonymisation, but 1) the third party claiming it does not hold personal data must not be in a position to lift those measures during any processing of that data carried out under its control and 2) those measures must be such as to prevent the third party from attributing the pseudonymised data in its hands to a data subject including by recourse to other means of identification, such as cross-checking with other factors, in such a way that the person concerned is not identifiable (SRB II, para 77). 
  • Pseudonymized data which are not personal in the hands of a recipient can become personal again in the context of a subsequent transfer of those data to third parties (SRB II, para 85), so even where all of the conditions are met for an initial recipient to receive pseudonymized data which are not personal, this does not shield subsequent third parties receiving the same data from assessing whether in their hands the data is personal or not, taking into account all possible information available to them.  

NOTE: This post is entirely written by a human (me).


I’m Gabriela

Welcome to pdpecho, my blog about personal data protection and privacy. Here, I have been accompanying my passion for this field with thoughts and writing throughout the years, pushing the boundaries of data protection law and hoping to explain its beauty and value to the world. Opinions here are strictly mine, so is the writing (I never use LLMs to write).
