Pseudonymisation and the GDPR: the Advocate General's ground-breaking opinion in EDPS v. SRB (C-413/23 P)

10.2.2025

Author of the article: JUDr. Jakub Dohnal, Ph.D., LL.M., ARROWS advokátní kancelář (office@arws.cz, +420 245 007 740)

Advocate General (AG) Dean Spielmann has issued a non-binding opinion in the case EDPS v. SRB (C-413/23 P) concerning pseudonymised data. He considered whether personal data shared by an EU agency (the Single Resolution Board, SRB) with Deloitte (the SRB's consultant) remains personal data for Deloitte even if it is pseudonymised.

AG Spielmann stated in his opinion that the European Data Protection Supervisor (EDPS) should not automatically consider pseudonymised data as personal data, but should examine whether the recipient of the data has the means to identify the persons concerned. If the recipient does not have such means and at the same time the pseudonymisation is sufficiently robust and secure, the data should no longer be considered personal.

A possible shift in the understanding of pseudonymisation

This position represents a significant shift in the understanding of pseudonymisation as a means that could ensure that data is no longer personal to the recipient. If pseudonymisation is carried out robustly enough that re-identification of individuals is not possible, such data should not be protected by the GDPR.

Opposing position of the EDPS

However, the EDPS has long held a different view. According to the EDPS, pseudonymised data remain personal, because it is not decisive whether the recipient has the means to re-identify the persons. It argued similarly in case T-557/20 SRB/EDPS, where it stated that the GDPR does not distinguish between those who keep pseudonymised data and those who keep additional information for re-identification. Thus, in its view, such data are always pseudonymised data, not anonymised data.

Implications for practice and future developments

The Court of Justice of the EU (CJEU) has not yet issued a final judgment, which is expected later this year. The Court is not bound by the Advocate General's opinion, so the outcome is still open.

This case will be particularly interesting to follow in the context of the recently published European Data Protection Board (EDPB) guidelines on pseudonymisation, which are currently open for public consultation. It is expected that the outcome of this case may have major implications for data sharing and processing practices in the EU, in particular with regard to the use of pseudonymisation techniques and security policies when handling data.

Conclusion

The Advocate General's opinion provides a new perspective on pseudonymisation as a possible tool to exclude the application of the GDPR to shared data. If the CJEU were to adopt this view, it could facilitate data sharing between organisations, but it could also weaken data protection. The final verdict will only be known once the CJEU issues its decision, which will have a significant impact on data protection law practice.

Frequently asked questions (FAQ)

  1. What is pseudonymisation?
     Pseudonymisation is a process whereby personal data are modified in such a way that the data subject cannot be directly identified without the use of additional information held separately.
  2. What is the difference between anonymisation and pseudonymisation?
     Pseudonymisation allows the data subject to be retrospectively identified using additional data, while anonymisation is an irreversible process whereby the data subject cannot be re-identified.
  3. What are the implications of the CJEU decision for companies?
     If the CJEU upholds the Advocate General's opinion, it may mean that some pseudonymised data will not be considered personal and will not be subject to GDPR regulation, which could make it easier to share.
  4. Why does the EDPS consider pseudonymised data to be personal?
     The EDPS argues that even if the recipient has no means of re-identification, there is still the possibility of reverse identification, which means that the data should still be protected under the GDPR.
  5. When can we expect a decision from the CJEU?
     A ruling is expected during 2025, with the exact date not yet set.