European Court of Justice Clarifies Data Protection Standards: Pseudonymization Not Always Sufficient

Thu 4th Sep, 2025

The European Court of Justice (ECJ) has clarified the conditions under which pseudonymized data can still be classified as personal information. This ruling overturns a prior judgment that had limited the oversight authority of data protection regulators.

This landmark decision arises from a case involving the Single Resolution Board (SRB), an EU agency responsible for the orderly resolution of failing financial institutions, and Wojciech Wiewiórowski, the European Data Protection Supervisor (EDPS). The ruling is expected to have significant implications for data handling practices in the digital landscape.

Initially, the SRB sought to ascertain whether former shareholders and creditors of the Spanish bank Banco Popular Español were entitled to compensation following its resolution. To do this, the board collected statements from affected individuals and subsequently shared these pseudonymized responses with Deloitte, a consulting firm tasked with evaluating the claims. Several individuals lodged complaints with the EDPS, alleging they were not informed about the transfer of their data.

Wiewiórowski concluded that the SRB had failed to fulfill its obligation to inform the individuals concerned, determining that Deloitte was indeed a recipient of personal data and that the affected parties should have been notified about the data transfer. The SRB contested this ruling, initially succeeding in the General Court of the EU, which held that the EDPS should have examined whether the data were identifiable from Deloitte's perspective.

However, Wiewiórowski appealed this decision, and the ECJ sided with him in case C-413/23 P, reversing the lower court's ruling and remanding the case. The court emphasized three critical points: personal opinions and perspectives articulated in the statements are inherently linked to the individuals involved, and the previous ruling misinterpreted the need for the EDPS to scrutinize the content and purpose of the statements to determine their identifiability.

Furthermore, the appellate court made it clear that pseudonymized data should not automatically be classified as non-personal. The identification potential of such data hinges on the specific circumstances, necessitating an evaluation of whether third parties can indeed identify the individuals in question.

The court underscored that the perspective of the data controller (here, the SRB) at the time of data collection is pivotal in assessing identifiability. The obligation to inform individuals arises prior to the data being shared with third parties, making it irrelevant whether the information could be deemed personal post-pseudonymization. Thus, the SRB was mandated to inform the affected parties before transmitting the data, regardless of its identifiability status for Deloitte.

This ruling reinforces the authority of the EDPS and highlights that the primary responsibility for protecting personal data lies with the entity processing the data. Organizations cannot absolve themselves of their notification obligations by claiming that pseudonymized data is no longer identifiable to third parties. The ECJ thereby emphasizes the necessity for transparency in data management practices, indicating that while pseudonymization is a valuable tool for data protection, it does not alone safeguard the rights of individuals.

The ECJ has previously ruled, notably in 2016 following a case brought by legal activist Patrick Breyer, that pseudonymized data, such as dynamic IP addresses, are not inherently anonymous. As long as there remains a possibility of re-identifying individuals through 'additional information', such data retains its classification as personal. The essential factor is whether the data controller possesses the means to re-identify individuals, which may include possible collaboration with third parties, such as internet service providers or public authorities.

