GDPR and Pseudonymization: A Surprising Ruling by the ECJ

Introduction

Content Hide

5. Conclusion and outlook: Data protection and pseudonymization in practice

The application of the General Data Protection Regulation (GDPR) to pseudonymized data is a controversial topic that generates much debate in the legal and data protection community. Pseudonymized data is data where identifiers have been removed or replaced to prevent or make it significantly more difficult to identify the data subjects. However, the question of whether this data qualifies as personal data within the meaning of the GDPR is controversial.

Key Facts

The European Court ruled that the GDPR does not apply to pseudonymized data that has no direct personal reference.
It must no longer be possible to assign pseudonymized data to an identifiable person without additional information.
The ruling could have far-reaching consequences for companies and their data protection practices.
Technical and organizational risk mitigation measures are necessary to respond to data protection regulations.
The EDPS decided not to use remedial powers as the SRB had taken measures to ensure data protection.
Recommendation to the SRB: Data protection declarations should cover all potential data recipients and data processing.
The ruling emphasizes the need to ensure transparency with regard to data processing and the identity of recipients.

Recently, the Court of Justice of the European Union (CFI) issued a surprising ruling that calls into question previous legal practice and is causing a stir. In a decision that many consider unexpected, the court ruled that the GDPR does not apply when it comes to pseudonymized data that has a relative personal reference. This means that the data has been processed in such a way that it can no longer be directly assigned to a specific person without additional information.

The court went further and found that the GDPR does not apply even if the data recipient has no means of re-identification. In other words, if the recipient of the data is not able to attribute the pseudonymized data to a specific person, this data is not covered by the GDPR. This ruling represents a significant change in the interpretation and application of the GDPR and could have far-reaching effects on the data protection practices of companies and organizations.

What is pseudonymization?

Pseudonymization is a process in which personal data are processed in such a way that they can no longer be assigned to a specific data subject without additional information. This is often achieved by replacing identifying elements in the data with artificial identifiers or pseudonyms. This additional information needed for identification must be kept separately and be subject to technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.

A good example of such a practice is the use of truncated IP addresses in tools such as Google Analytics. In this case, the IP address that could provide a direct link to a specific user is shortened or “masked” to prevent the identification of the user. While this protects the user’s privacy, it also presents a challenge for the application of the GDPR.

The question is whether such pseudonymized data, such as truncated IP addresses, should be considered personal data in the sense of the GDPR. The recent ECJ ruling suggests that this is not the case if the recipient of the data has no possibility of re-identification. This could mean that companies using techniques such as IP masking may not have to comply with the full requirements of the GDPR.

However, it is important to emphasize that this is a complex and rapidly evolving area of law. Companies should therefore ensure that they regularly keep abreast of the latest developments and rulings and adapt their data protection practices accordingly.

Key points of the ruling

The court found that the data shared by the SRB with Deloitte could be considered pseudonymized data because the consultation phase responses were personal data and the SRB shared the alphanumeric code that allowed the responses received during the registration phase to be linked to those received during the consultation phase.

It was also found that Deloitte was a recipient of personal data of the complainants within the meaning of Article 3 No. 13 of Regulation 2018/1725. The fact that Deloitte is not mentioned in the SRB’s privacy statement as a potential addressee of the personal data collected and processed by the SRB as a controller in the context of the consultation procedure constitutes a violation of the data protection principles set forth in Art. 15 para. 1(d) of Regulation 2018/1725 constitutes a duty to provide information.

Impacts and recommendations

Despite the identified breach, the EDPS decided not to make use of his remedial powers under Article 58(2). 2 of Regulation 2018/1725, as the SRB had put in place technical and organizational measures to mitigate risks to the right of individuals to the protection of their data in the context of the procedure concerning the right to be heard.

However, the EDPS recommended the SRB to ensure in future procedures concerning the right to be consulted that its privacy statements cover the processing of personal data during both the registration and consultation phases and that they include all potential recipients of the data collected in order to comply with the information obligation towards data subjects pursuant to Article 15 of Regulation 2018/1725.

Conclusion and outlook: Data protection and pseudonymization in practice

This ruling by the ECJ underscores the importance of data protection in all aspects of data processing, including sensitive areas such as bank processing. It emphasizes the need for all parties involved, including external consultants, to comply with data protection rules and ensure transparency to data subjects regarding the processing of their personal data and the identity of the recipients of that data.

The ruling also shows that the EDPS is willing to take pragmatic decisions when organizations take measures to mitigate risks, even if they have violated data protection rules. However, it is clear that such breaches should be taken seriously and avoided to ensure public confidence in compliance with data protection rules.

It remains to be seen how this ruling will affect the future application of the GDPR. However, it emphasizes the need to comply with data protection regulations in all aspects of data processing and to respect the rights of data subjects.

Overall, this case shows that the topic of data protection, and in particular the application of the GDPR to pseudonymized data, continues to be a dynamic and complex field that requires constant attention and adaptation. It is an important notice for all organizations that process personal data and emphasizes the need to comply with data protection regulations in all aspects of data processing and to respect the rights of data subjects.

Author: Marian Härtel

Marian Härtel ist Rechtsanwalt und Fachanwalt für IT-Recht mit einer über 25-jährigen Erfahrung als Unternehmer und Berater in den Bereichen Games, E-Sport, Blockchain, SaaS und Künstliche Intelligenz. Seine Beratungsschwerpunkte umfassen neben dem IT-Recht insbesondere das Urheberrecht, Medienrecht sowie Wettbewerbsrecht. Er betreut schwerpunktmäßig Start-ups, Agenturen und Influencer, die er in strategischen Fragen, komplexen Vertragsangelegenheiten sowie bei Investitionsprojekten begleitet. Dabei zeichnet sich seine Beratung durch einen interdisziplinären Ansatz aus, der juristische Expertise und langjährige unternehmerische Erfahrung miteinander verbindet. Ziel seiner Tätigkeit ist stets, Mandanten praxisorientierte Lösungen anzubieten und rechtlich fundierte Unterstützung bei der Umsetzung innovativer Geschäftsmodelle zu gewährleisten.