A new face for pseudonymization

In a long-awaited decision of September 4, 2025[1] (Case C-413/23 P), the Court of Justice of the European Union provided an unprecedented clarification of the concept of "pseudonymized" data.

The case originated in a procedure initiated by the Single Resolution Council (CRU) against the Spanish bank Banco Popular Español. As part of this procedure, the CRU forwarded to a third party, Deloitte, comments written by shareholders, in pseudonymized form. When the matter was referred to the European Data Protection Supervisor (EDPS), he considered that Deloitte should have been mentioned as the recipient of the data, taking the view that pseudonymization did not cause the information to lose its personal character.

It should be remembered that the European Personal Data Protection Regulation[2] (GDPR) defines personal data as any information that makes it possible to identify, directly or indirectly, a natural person. Pseudonymization consists in transforming this data so that it can no longer be attributed to a natural person without additional information. Unlike anonymization, which removes any possibility of identification, pseudonymization merely attenuates the identifying character of the data, without totally erasing it.

What remained to be determined in this case was whether the existence of a re-identification key, even when it remains exclusively in the hands of the initial data controller, entails maintaining the qualification of personal data for all players in the same processing chain.

Until then, legal doctrine, data protection authorities and the EDPS had adopted an absolute approach: all pseudonymized data remained personal data, regardless of the context and the means available to the recipient. The CRU and the European Commission, on the other hand, advocated a relative approach: classification should depend on the means actually available to the recipient. If the recipient has no realistic means of re-identification, pseudonymized data should not be considered personal.

In this decision, the CJEU adopted an intermediate solution and affirmed that, for the controller who retains the re-identification key, pseudonymized data remains fully personal data. On the other hand, for a recipient who does not have means reasonably likely to be used in order to re-identify the data subjects, the same information ceases to qualify as personal data within the meaning of the GDPR.

In other words, the CJEU held that pseudonymized data must not be considered as constituting, in any event and for any actor in a processing chain, personal data within the meaning of the GDPR.

In addition, the CJEU clarified that the assessment of identifiability must be made at the time of collection and from the point of view of the controller, taking into account a set of concrete circumstances, such as the cost of identification and the time required for it, in light of the technologies available at the time of processing.

This clarification has significant practical consequences. The initial data controller is still obliged to inform the data subjects of the recipients of the data as soon as the data is collected, even if, for these recipients, the information does not enable the data subjects to be re-identified. This requirement confirms that the main burden of compliance falls on the person who holds the key to re-identification and retains the ability to link pseudonymized data to identifiable individuals. On the other hand, a recipient who cannot materially or legally re-identify an individual is not subject to the same obligations, notably that of directly informing the individuals concerned.

Particular care must therefore be taken in determining the roles of each of the players in a processing chain, and their ability to re-identify data subjects in the case of pseudonymized data. In any case, if such data is transmitted to third parties, contractual and technical guarantees must be provided to ensure that the third-party recipients are unable to re-identify the data subjects.

Ultimately, this decision marks a turning point in the European approach to pseudonymization. Pseudonymization is no longer seen solely as a security measure, but as a mechanism which, depending on the context, can transform personal data into non-personal data for certain actors in the same processing chain. This contextual reading enshrines an evolution towards a more pragmatic law, which refocuses responsibility on those actors actually able to re-identify data subjects, while offering new prospects to data recipients who do not have a re-identification key and are thus likely to carry out further processing (analytical processing, statistics, etc.) without being subject to the GDPR.


[1] https://curia.europa.eu/juris/document/document.jsf?text=&docid=303863&pageIndex=0&doclang=fr&mode=req&dir=&occ=first&part=1&cid=17325908

[2] Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).