Introduction
The application of the General Data Protection Regulation (GDPR) to pseudonymized data is a controversial topic that generates much debate in the legal and data protection community. Pseudonymized data is data where identifiers have been removed or replaced to prevent or make it significantly more difficult to identify the data subjects. However, the question of whether this data qualifies as personal data within the meaning of the GDPR is controversial.
Recently, the Court of Justice of the European Union (CFI) issued a surprising ruling that calls into question previous legal practice and is causing a stir. In a decision that many consider unexpected, the court ruled that the GDPR does not apply when it comes to pseudonymized data that has a relative personal reference. This means that the data has been processed in such a way that it can no longer be directly assigned to a specific person without additional information.
The court went further and found that the GDPR does not apply even if the data recipient has no means of re-identification. In other words, if the recipient of the data is not able to attribute the pseudonymized data to a specific person, this data is not covered by the GDPR. This ruling represents a significant change in the interpretation and application of the GDPR and could have far-reaching effects on the data protection practices of companies and organizations.
What is pseudonymization?
Pseudonymization is a process in which personal data are processed in such a way that they can no longer be assigned to a specific data subject without additional information. This is often achieved by replacing identifying elements in the data with artificial identifiers or pseudonyms. This additional information needed for identification must be kept separately and be subject to technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.
A good example of such a practice is the use of truncated IP addresses in tools such as Google Analytics. In this case, the IP address that could provide a direct link to a specific user is shortened or “masked” to prevent the identification of the user. While this protects the user’s privacy, it also presents a challenge for the application of the GDPR.
The question is whether such pseudonymized data, such as truncated IP addresses, should be considered personal data in the sense of the GDPR. The recent ECJ ruling suggests that this is not the case if the recipient of the data has no possibility of re-identification. This could mean that companies using techniques such as IP masking may not have to comply with the full requirements of the GDPR.
However, it is important to emphasize that this is a complex and rapidly evolving area of law. Companies should therefore ensure that they regularly keep abreast of the latest developments and rulings and adapt their data protection practices accordingly.
Key points of the ruling
The court found that the data shared by the SRB with Deloitte could be considered pseudonymized data because the consultation phase responses were personal data and the SRB shared the alphanumeric code that allowed the responses received during the registration phase to be linked to those received during the consultation phase.
It was also found that Deloitte was a recipient of personal data of the complainants within the meaning of Article 3 No. 13 of Regulation 2018/1725. The fact that Deloitte is not mentioned in the SRB’s privacy statement as a potential addressee of the personal data collected and processed by the SRB as a controller in the context of the consultation procedure constitutes a violation of the data protection principles set forth in Art. 15 para. 1(d) of Regulation 2018/1725 constitutes a duty to provide information.
Impacts and recommendations
Despite the identified breach, the EDPS decided not to make use of his remedial powers under Article 58(2). 2 of Regulation 2018/1725, as the SRB had put in place technical and organizational measures to mitigate risks to the right of individuals to the protection of their data in the context of the procedure concerning the right to be heard.
However, the EDPS recommended the SRB to ensure in future procedures concerning the right to be consulted that its privacy statements cover the processing of personal data during both the registration and consultation phases and that they include all potential recipients of the data collected in order to comply with the information obligation towards data subjects pursuant to Article 15 of Regulation 2018/1725.
Conclusion and outlook: Data protection and pseudonymization in practice
This ruling by the ECJ underscores the importance of data protection in all aspects of data processing, including sensitive areas such as bank processing. It emphasizes the need for all parties involved, including external consultants, to comply with data protection rules and ensure transparency to data subjects regarding the processing of their personal data and the identity of the recipients of that data.
The ruling also shows that the EDPS is willing to take pragmatic decisions when organizations take measures to mitigate risks, even if they have violated data protection rules. However, it is clear that such breaches should be taken seriously and avoided to ensure public confidence in compliance with data protection rules.
It remains to be seen how this ruling will affect the future application of the GDPR. However, it emphasizes the need to comply with data protection regulations in all aspects of data processing and to respect the rights of data subjects.
Overall, this case shows that the topic of data protection, and in particular the application of the GDPR to pseudonymized data, continues to be a dynamic and complex field that requires constant attention and adaptation. It is an important notice for all organizations that process personal data and emphasizes the need to comply with data protection regulations in all aspects of data processing and to respect the rights of data subjects.
