Has pseudonymised personal data lost its data protection?
What happened. In April 2023, Case T-557/20, SRB v EDPS, shook the general assumption that pseudonymised data remains personal data no matter in which party’s hands the identifying components are. Following the Court’s ruling, it is now possible that if a controller retains the identifying information and shares the de-identified data with a third party, the shared information becomes anonymised information for the receiving third party, while the same information is still personal data for the controller who keeps the identifying components. The EDPS appealed this decision in Case C-413/23 P, and the appeal has not yet been decided.
In January 2025, the EDPB issued its guidelines on pseudonymisation.1 Disappointingly, these guidelines do not answer when and under what conditions pseudonymised data can become anonymised data in the hands of a third party.
While the final decision on the appealed ruling is pending, this blog tells you whether the initial ruling strengthens or weakens the broad scope of personal data, and what it means for your organisation.
Understand the differences first. The main idea is that pseudonymised data is still personal data and the GDPR would apply. Conversely, anonymised data is no longer personal data, and the GDPR would not apply. This distinction sounds simple in theory but is not in practice.
What the GDPR says about pseudonymised data. Pursuant to the GDPR, pseudonymised data is data that “can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately”,2 and “Personal data which have undergone pseudonymisation […], which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person.”3
A simple example is a list with income ranges, where a controller replaces the names with random numbers, and where the random numbers link to the names on a separate list. If the controller keeps the separate list and only shares the list with random numbers, the shared list is pseudonymised and in theory still personal data (at least prior to Case T-557/20, SRB v EDPS).
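The income-range list described above can be sketched in code. This is an added example, not part of the original post; the function names, the sample rows and the 16-character hex pseudonym format are assumptions made for illustration.

```python
import secrets

def pseudonymise(records):
    """Split (name, income_range) rows into a shareable list and a key table.

    Pseudonyms are random, so they carry no information about the name;
    the only link back is the key table the controller keeps separately.
    """
    key_table = {}   # pseudonym -> name, stays with the controller
    shared = []      # (pseudonym, income_range), handed to the third party
    by_name = {}     # one pseudonym per person, reused across rows
    for name, income_range in records:
        if name not in by_name:
            pseudonym = secrets.token_hex(8)
            while pseudonym in key_table:   # regenerate on a collision
                pseudonym = secrets.token_hex(8)
            by_name[name] = pseudonym
            key_table[pseudonym] = name
        shared.append((by_name[name], income_range))
    return shared, key_table

def reidentify(shared, key_table):
    """Attribute rows back to names; rows without a key entry stay unresolved."""
    return [(key_table.get(p), income) for p, income in shared]

# Constructed sample data (not real persons)
RECORDS = [
    ("Alice Example", "40,000-50,000"),
    ("Bob Sample", "60,000-70,000"),
    ("Alice Example", "40,000-50,000"),
]

if __name__ == "__main__":
    shared, key_table = pseudonymise(RECORDS)
    print("shared with third party:", shared)
    print("controller view:", reidentify(shared, key_table))
    print("receiver view (no key table):", reidentify(shared, {}))
```

The controller, holding the key table, recovers every name; the receiver, holding only the shared list, resolves none from the pseudonyms themselves. Whether that makes the shared list anonymised for the receiver is the legal question discussed in the rest of this post.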
What the WP29 says. The WP29, on the one hand, confirms the above reasoning by stating “that when a data controller does not delete the original (identifiable) data …, and … hands over part of this dataset (for example after removal or masking of identifiable data), the resulting dataset is still personal data.”4 However, it adds the nuance that personal data is only pseudonymous if identifying an individual is reasonably likely. If it is not reasonably likely, the data would be anonymised and would no longer be personal data.
What case law says. In the Breyer case (C-582/14, at para.43) the court ruled that dynamic IP addresses were considered personal data, even if the identifying information was not in the hands of one person and would need to be combined to allow identification.
Turning point in recent case law? The EDPS followed this assumption in Case T-557/20, SRB v EDPS, and argued that the Regulation does not distinguish between those who keep pseudonymous data and those who keep the additional information needed to re-identify. The data would still be pseudonymous and not anonymous. As a result, it would be personal data and the data protection regime would apply.
Ironically, the Court rejected the EDPS’ reasoning by referring to the Breyer case, which actually seemed to support the viewpoint of the EDPS. The Court agrees with the finding in the Breyer case that identifying information does not need to be in the hands of one person to constitute personal data. However, the Court points to the further finding in the Breyer case that combining information from different parties must constitute “a means likely reasonably to be used to identify the data subject” (Breyer, C-582/14, at para.45). That, in turn, would not be the case if identification is prohibited by law or practically impossible because it would require a disproportionate effort in terms of time, cost or manpower (SRB v EDPS at para 93, referring to Breyer at para.46).
What are the implications? First, pseudonymised data in one person’s hands with additional identifying information in another person’s hands is not personal data per se. It needs to be assessed whether combining both data sets is reasonably possible. If it is not reasonably possible, the data would not constitute personal data in the form of pseudonymised data.
This is actually not something new from the Case T-557/20, SRB v EDPS, but was already mentioned in the Breyer case. However, the Case T-557/20, SRB v EDPS made this point clearer.
Another implication concerns the question of which party must be unable to combine both data sets. What Case T-557/20, SRB v EDPS adds to the Breyer case is that it takes the view of the receiver into account. If it is impossible for the receiver to combine the data sets, it would be anonymised data for the receiver, and hence not personal data. If it is possible for the receiver to combine them, it would be personal data for the receiver. It is worth noting that the Court did not make this assessment itself but stated that, because the EDPS had not assessed this question, it was wrong for the EDPS to conclude that the receiver had processed personal data. The EDPS had simply not established this fact.
Reasons for appealing this ruling. In its appeal, the EDPS claims that it is wrong to consider the viewpoint of the receiver. The EDPS also claims that the accountability principle would require the receiver to demonstrate effective anonymisation, rather than requiring the EDPS to establish this for the receiver.
Conclusions
Uncertainties for data subjects. This outcome can lead to uncertainties for data subjects. First, it is difficult for them to know in which parties’ hands their data amounts to pseudonymised data (personal data) and in which to anonymised data (non-personal data). Second, they can only exercise their data subject rights against a controller for whom the data is not anonymised.
Uncertainties for controllers who share pseudonymised data. Further, controllers who consider their shared data to be pseudonymised will require sufficient data protection guarantees from the party with whom they share these data, by way of a data-sharing agreement. The receiving party could claim that the received data is anonymised for the receiving party and circumvent requirements of a data-sharing agreement that has only personal data in scope. This could lead to many uncertainties for controllers who share pseudonymised data.
Threshold for anonymisation remains high. The above uncertainties are still limited by the fact that demonstrating anonymisation sets a high threshold for the receiving party. Thus, Case T-557/20, SRB v EDPS allows for the theoretical option that shared pseudonymised data constitutes anonymised data for the receiver. However, it does not lower the high threshold that needs to be met to qualify as anonymised data.
1 EDPB Guidelines 01/2025 on Pseudonymisation, adopted on 16 January 2025 (still under consultation), https://www.edpb.europa.eu/system/files/2025-01/edpb_guidelines_202501_pseudonymisation_en.pdf, last viewed 22 January 2025.
2 Article 4 (5) GDPR.
3 Recital 26 GDPR.
4 Article 29 Data Protection Working Party, Opinion 05/2014 on Anonymisation Techniques (10 April 2014), at p.9. Note: The WP29 has been replaced by the EDPB. The EDPB has not officially endorsed this opinion of the WP29.