Share This Article
Pseudnomized data might lead to anonymity, according to a recent ruling of the European General Court that can potentially have a massive impact on data protection compliance and sharing of (originally) personal data in the life sciences, banking, and any other sector.
In the decision of April 26, 2023, T-557/20, the European General Court (CGE) establishes a crucial concept: to determine whether information constitutes personal data, it is essential to consider whether the recipient can identify the individual to whom the information refers.
But let’s start from an analysis of the case:
📌 In the matter at hand, the appellant, SRB, gathered feedback from stakeholders. Each comment received a unique alphanumeric code, which was then passed to Deloitte for an audit to ensure every comment was appropriately addressed. Only SRB had the capability to link comments to the respective authors, as they had gathered identifying information during the survey registration. However, some stakeholders raised concerns about not being informed that third parties could access their data. The EDPS upheld their complaint, noting that while SRB had pseudonymized the data, Deloitte was provided with the code that, theoretically, could allow SRB to trace back to the original stakeholder.
➡️ SRB appealed to the CGE, seeking to overturn the decision. They contended that the information passed to Deloitte was not pseudonymized but entirely anonymous, meaning it wasn’t personal data. SRB emphasized they hadn’t given Deloitte the means to re-identify anyone and that Deloitte couldn’t legally access further information. In contrast, the EDPS maintained that stakeholder comments were indeed personal data, as they reflected individual viewpoints with potential repercussions. The EDPS clarified that the distinction between pseudonymized and anonymous data hinges on whether any additional details could potentially identify the person. The mere fact that Deloitte couldn’t use the alphanumeric code to pinpoint individuals didn’t change the data’s pseudonymized status to anonymous.
⚖️ The Court, referencing the Breyer case, emphasizes that to determine if information qualifies as personal data, one must consider Deloitte’s perspective and assess if they could trace back to identifiable individuals. Since the EDPS didn’t examine whether Deloitte had the legal tools to access extra information for re-identifying the comment authors, they couldn’t definitively state that the shared data pertained to an identifiable individual.
The decision raises concerns because it does not clarify whether Deloitte acted as a data controller or data processor. Since the SRB determined that no personal data were shared, I assume Deloitte was not appointed as a data processor. However, GDPR compliance relies on assessing factual circumstances. If Deloitte was a data processor, the court’s position could be weaker, as the data controller’s perspective should have been considered.
The main debate arises if Deloitte was an autonomous data controller. In such a case, based on the ruling, the SRB could have:
- Implemented privacy by design solutions, including contractual terms, preventing Deloitte from connecting codes to relevant individuals;
- Verified that Deloitte was entitled to connect disclosed information to the relevant individual and whether regulatory obligations were arising in this sense; and
- Performed a DPIA or, better yet, an internal report outlining why disclosed information did not qualify as personal data.
Given the above, I feel the decision could markedly influence business enhancement and marketing tactics, especially in fields like banking, insurance, and financial services that are increasingly leaning towards personalization. While modern AI systems mean data isn’t always tied to specific individuals, the ruling does set a higher standard for proving that re-identification isn’t possible.
The landscape is even more intricate for the life sciences sector. Regulatory requirements often necessitate linking data to specific individuals. Yet, there might be instances where this isn’t mandatory, and this ruling could pave the way for more data sharing. For instance, in clinical trials where sponsors receive only pseudonymized data and can’t trace it back to individuals, does this mean they aren’t handling personal data? Such an interpretation could be revolutionary, significantly lightening the load for pharmaceutical companies.
While each situation will demand its unique assessment, the ruling undeniably nudges us closer to a data protection framework that kicks in when genuine threats to individuals emerge. This decision is currently under appeal, and the final outcome is eagerly awaited.
On a similar topic, the following article may be of interest “What is anonymous data?“.