Pseudonymized data might lead to anonymity, according to a recent ruling of the European General Court that can potentially have a massive impact on data protection compliance and sharing of (originally) personal data in the life sciences, banking, and any other sector.
In the decision of April 26, 2023, T-557/20, the European General Court (CGE) establishes a crucial concept:
‼️ To determine whether information constitutes personal data, it is essential to consider whether the recipient can identify the individual to whom the information refers.
📌 In the case at hand, the appellant (SRB) collected comments from stakeholders, assigned each comment a randomly generated alphanumeric code, and transferred them to Deloitte using this code to audit whether each comment was duly considered. Only SRB could connect the comments to their authors’ data (having collected identifying information during the survey registration). Some stakeholders complained they were not informed that their data would be accessible to third parties. The EDPS accepted their complaint, as the data transmitted by SRB were pseudonymized, and Deloitte received the alphanumeric code that allowed SRB, and only SRB, to connect the comment to the stakeholder.
➡️ SRB appealed to the CGE, requesting the decision’s annulment, arguing that the data sent to Deloitte were not pseudonymous but anonymous (and as such, they were not personal data), as SRB did not share the necessary information with Deloitte to enable re-identification and Deloitte had no legal means to access additional information. The EDPS argued that the comments made by stakeholders constituted personal data related to them, containing their personal viewpoints, which would have significant effects on them. According to the EDPS, the difference between pseudonymized and anonymous data is that, in the latter case, no additional pieces of information can be used to identify the individual. The fact that Deloitte, despite having the alphanumeric code, could not re-identify the subjects did not transform the data from pseudonymous to anonymous.
⚖️ The Court asserts (referring to the Breyer case) that to decide whether information constitutes personal data, one must put themselves in Deloitte’s position to determine if the data is traceable to identifiable individuals. As the EDPS did not evaluate whether Deloitte had legal means available to access the additional information necessary for the re-identification of the comment authors, the EDPS could not conclude that the transmitted information constituted data related to an identifiable person.
The decision raises concerns because it does not clarify whether Deloitte acted as a data controller or data processor. Since the SRB determined that no personal data were shared, I assume Deloitte was not appointed as a data processor. However, GDPR compliance relies on assessing factual circumstances. If Deloitte was a data processor, the court’s position could be weaker, as the data controller’s perspective should have been considered.
The main debate arises if Deloitte was an autonomous data controller. In such a case, based on the ruling, the SRB could have:
- Implemented privacy by design solutions, including contractual terms, preventing Deloitte from connecting codes to relevant individuals;
- Verified that Deloitte was entitled to connect disclosed information to the relevant individual and whether regulatory obligations were arising in this sense; and
- Performed a DPIA or, better yet, an internal report outlining why disclosed information did not qualify as personal data.
Considering the above, I believe the ruling could significantly impact business optimization or marketing strategies, particularly in sectors like banking, insurance, and financial services, which increasingly rely on customization. This practice does not always require connecting data to affected individuals, thanks in part to recent advancements in artificial intelligence systems. However, it does raise the threshold of evidence regarding the impossibility of re-identifying individuals.
The situation is more complex in the life sciences sector, where regulatory obligations to connect data to affected individuals are more likely to arise. However, apart from this scenario, there may be circumstances when this obligation does not apply, and the ruling could be leveraged to enable data sharing.
A case-by-case assessment will be necessary, but the ruling is undoubtedly a step forward toward a data protection regime that operates when real risks for individuals can arise.
On a similar topic, the following article may be of interest: “What is anonymous data?”