CJEU - C-413/23 - EDPS v SRB

From GDPRhub
CJEU - C-413/23 EDPS v SRB
Court: CJEU
Jurisdiction: European Union
Relevant Law: Article 15(1)(d) GDPR
Decided: 06.02.2025
Parties: EDPB; Single Resolution Board (SRB)
Case Number/Name: C-413/23 EDPS v SRB
European Case Law Identifier: ECLI:EU:C:2025:59
Reference from:
Language: 24 EU Languages
Original Source: AG Opinion
Initial Contributor: tjk


The AG held that the EDPS must determine whether “the pseudonymisation of the data at issue was sufficiently robust to conclude that [the data subjects] were not reasonably identifiable.”

English Summary

Facts

On 7 June 2017, the Single Resolution Board (SRB) adopted a resolution scheme in respect of Banco Popular on the basis of Regulation (EU) No 806/2014 of the European Parliament and of the Council of 15 July 2014 establishing uniform rules and a uniform procedure for the resolution of credit institutions and certain investment firms in the framework of a Single Resolution Mechanism and a Single Resolution Fund and amending Regulation (EU) No 1093/2010, (3) approved on the same day by decision of the European Commission, (4) which means in practice that the bank’s capital instruments were written down or converted and disposed of by way of a transfer of shares.

9. In accordance with Article 20(16) to (18) of Regulation No 806/2014, the SRB entrusted Deloitte, as an ‘independent person’, (5) with the task of carrying out a valuation of difference in treatment in order to determine whether the shareholders and creditors, thus affected by the resolution action, would have received better treatment if that institution had entered into normal insolvency proceedings.

10. On 14 June 2018, Deloitte sent that valuation of difference in treatment (‘Valuation 3’) to the SRB. By a preliminary decision, the SRB stated that, in order for it to be able to take its final decision on whether the shareholders and creditors affected by the resolution of Banco Popular should be granted compensation under Article 76(1)(e) of Regulation No 806/2014, it was launching the right to be heard process, including an initial registration phase, in order to verify the eligibility of the parties expressing an interest, and a subsequent consultation phase, in the context of which the affected shareholders and creditors submitted their comments on the SRB’s preliminary decision, to which Valuation 3 was annexed.

11. The data collected during the registration phase, that is to say, proof of the participants’ identity and of the ownership of capital instruments of Banco Popular that were written down or converted and transferred, were accessible to a limited number of SRB staff tasked with processing those data in order to determine the participants’ eligibility. Those data were not visible to the SRB staff tasked with processing the comments received in the consultation phase, during which those staff members only received comments identified by reference to an alphanumeric code (6) allocated to each individual comment submitted using the form.

12. Following the aggregation, automatic filtering and categorisation of the comments, the SRB sent to Deloitte (7) the filtered, categorised and aggregated comments relating to Valuation 3. The comments transferred to Deloitte were solely those that were received during the consultation phase and that bore an alphanumeric code, developed for audit purposes to enable the SRB to verify, and if necessary to demonstrate subsequently, that each comment had been handled and duly considered. On account of that code, only the SRB could link the comments to the data received in the registration phase. Deloitte had, and still has, no access to the database of data collected during the registration phase.

13. Affected shareholders and creditors (‘the complainants’) submitted five complaints under Regulation 2018/1725 to the EDPS on the ground that the privacy statement published by the SRB concerning the processing of personal data did not mention the transmission to Deloitte of the data collected using the form. They alleged that the SRB had infringed its obligation to provide information relating to the processing of personal data under that regulation, laid down in Article 15(1)(d) thereof.

14. The EDPS adopted an initial decision on 24 June 2020, which was annulled following a request for review from the SRB and replaced, on 24 November 2020, by the decision at issue, which is worded as follows:

‘1. The EDPS finds that the data the SRB shared with Deloitte were pseudonymous data, both because the comments in [the consultation phase] were personal data and because the SRB shared the alphanumeric code that allows linking the replies given in [the registration phase] with the ones given in [the consultation phase] – notwithstanding the fact that the data provided by the participants to identify themselves in [the registration phase] were not disclosed to Deloitte.

2. The EDPS finds that Deloitte was a recipient of the complainants’ personal data under Article 3(13) of [Regulation 2018/1725]. The fact that Deloitte was not mentioned in SRB’s [privacy statement] as a potential recipient of the personal data collected and processed by the SRB as the controller in the context of the [right to be heard] process constitutes an infringement of the information obligations laid down in Article 15(1)(d) [of Regulation 2018/1725].

3. In light of all the technical and organisational measures set up by the SRB to mitigate the risks for the individuals’ right to data protection in the context of the [right to be heard] process, the EDPS decides not to exercise any of his corrective powers laid down in Article 58(2) of [Regulation 2018/1725].

4. The EDPS nevertheless recommends the SRB to ensure that the data protection notice in future [right to be heard] processes covers the processing of personal data in both the registration phase and the consultation phase, and includes all potential recipients of the information collected, in order to fully comply with the obligation to inform data subjects in accordance with Article 15 [of Regulation 2018/1725].’

15. By application lodged at the Registry of the General Court on 1 September 2020 and by a statement of modification lodged on 29 January 2021, the SRB brought an action seeking, first, the annulment of the decision at issue and, second, a declaration that the original decision of the EDPS of 24 June 2020 is illegal.

16. The SRB relied on two pleas in law in support of the first head of claim. (8) The first plea alleged infringement of Article 3(1) of Regulation 2018/1725 in so far as the information transmitted to Deloitte did not constitute personal data and the second plea alleged infringement of the right to good administration enshrined in Article 41 of the Charter of Fundamental Rights of the European Union.

17. By the judgment under appeal, the General Court declared that head of claim admissible. As to the substance, it upheld the first plea of the action and annulled the decision at issue without examining the second plea in law.

18. As regards the first plea, the General Court held, first, that the EDPS had considered that the information transmitted to Deloitte ‘related’ to a natural person within the meaning of Article 3(1) of Regulation 2018/1725 on the basis of a presumption, without examining the content, the purpose or the effect of the information transmitted to Deloitte, (9) in breach of the judgment in Nowak. (10)

19. Second, with regard to the condition laid down in Article 3(1) of Regulation 2018/1725 that the information must relate to an ‘identified or identifiable’ natural person, the General Court held that, in the present case, it was for the EDPS to examine whether the comments transmitted to Deloitte constituted personal data for Deloitte. According to the judgment under appeal, the EDPS merely examined whether it was possible to re-identify the authors of the comments from the SRB’s perspective and not from Deloitte’s. Therefore, since the EDPS did not investigate whether Deloitte had legal means available to it which could in practice enable it to access the additional information necessary to re-identify the authors of the comments, the EDPS could not conclude that the information transmitted to Deloitte constituted information relating to an ‘identifiable natural person’ within the meaning of Article 3(1) of Regulation 2018/1725. (11)

In support of its appeal, the EDPS, supported by the European Data Protection Board, puts forward two grounds of appeal. The first seeks to challenge the General Court’s interpretation of the concept of ‘personal data’ within the meaning of Article 3(1) and (6) of Regulation 2018/1725, as interpreted by the case-law of the Court of Justice. The second ground of appeal alleges breach of the principle of accountability laid down in Article 4(2) and Article 26(1) of that regulation.

A. The first ground of appeal

26. The first ground of appeal is divided into two parts. The first part concerns the condition that the information at issue must ‘relate’ to a natural person and the second concerns the condition that that person must be ‘identified or identifiable’.

1. The first part, concerning the question whether the information ‘relates’ to a natural person

(a) Arguments of the parties

27. The EDPS, supported by the European Data Protection Board, submits that the General Court erred in holding that the EDPS had relied on a presumption concerning the interpretation of the condition that the information transmitted to Deloitte related to a natural person, within the meaning of Article 3(1) of Regulation 2018/1725. In his submission, in the circumstances of the present case, further examination by him was not required.

28. The SRB contends, for its part, that, as the General Court held, the EDPS merely stated that the comments at issue, produced by the complainants during the consultation phase of the right to be heard process, reflected their opinions or views whereas he should have examined whether the information transmitted to Deloitte was linked to a particular person by its content, purpose or effect, as required by the judgment in Nowak.

Advocate General Opinion

(b) Assessment

29. It should be recalled that the Court has repeatedly held that the use of the expression ‘any information’ in the definition of the concept of ‘personal data’ reflects the aim of the EU legislature to assign a wide scope to that concept, which potentially encompasses all kinds of information, (13) not only objective but also subjective, in the form of opinions and assessments, provided that it ‘relates’ to the data subject.

30. In that regard, information relates to an identified or identifiable natural person where, by reason of its content, purpose or effect, it is ‘linked’ to a particular person. (14)

31. With regard to opinions or assessments, such as the complainants’ comments at issue in the present case, it seems to me that a distinction should be drawn according to whether consideration is given to whether those opinions or assessments ‘relate’ to a person or persons referred to in the text of the opinion or assessment, or whether, as in the present case, it is a matter of determining whether they relate to their author. In the first case, in order to conclude that there is information relating to the person who is the subject of the assessment, it is necessary to analyse whether the content, purpose or effect of the assessment relates to that person. In the second case, by contrast, in order to determine whether the assessment relates to the person who issued it, it seems to me that it could be presumed that this is the case and that an opinion or assessment necessarily relates to its author.

32. Thus, in the judgment in Nowak, it was essentially a question of assessing the information contained in an examination script. There were therefore two data subjects: the candidate and the examiner. It is true that the Court examined the content, purpose and effect of the candidate’s answers and concluded that they related to him. That said, with regard more specifically to the examiner’s comments, which reflect his opinion or assessment, (15) while the Court examined the content, purpose and effect of the information contained in the script in order to conclude that those assessments related to the candidate, it did not carry out such an examination in order to find that they constituted information relating to the examiner who was the author of those assessments. (16) In my view, it cannot therefore be entirely ruled out that a (mere) presumption may apply when assessing whether an opinion or assessment or, as in the present case, a comment, ‘relates’ to its author.

33. I conclude that, in the absence of proof to the contrary, the comments at issue in the present case, since they emanated from the complainants and showed ‘their logic and reasoning’, thus reflecting the expression of their ‘subjective opinion’, necessarily ‘related’ to those complainants, irrespective of the purpose or effect of their comments.

34. In any event, even in the absence of such a presumption in the present case, I am of the opinion that the comments at issue ‘relate’ to the complainants by reason of their content, purpose and effect.

35. In that regard, the SRB contends that the arguments based on the purpose and context of the comments at issue are ineffective since they were not examined in the decision at issue, are inadmissible since they contain a new factual allegation and, in any event, are incorrect.

36. I am not convinced by that line of argument. Both the examination carried out by the EDPS in the decision at issue and the General Court’s assessment form part of a legal context which was taken into account and which clearly mentions the purpose and effect of the comments at issue, made in the context of the right to be heard process. Those arguments relating to the purpose and effect of the comments at issue are therefore effective and admissible.

37. Moreover, as regards the substance, it is clear from the applicable legal framework that the purpose of the right to be heard process, in the context of which the comments at issue were submitted, was to enable the affected shareholders and creditors to contribute to the process, in particular to enable the SRB to have all the information necessary to take a final decision on whether the shareholders and creditors affected by the resolution of Banco Popular should be granted compensation in accordance with the principle that no creditor should be worse off than in the event of liquidation under normal insolvency proceedings. (17) Furthermore, those comments, once taken into account by the SRB, were liable to have an effect on the complainants’ interests and rights regarding financial compensation.

38. I conclude on that basis that the comments at issue relate to the data subjects in the present case, including by reason of their purpose and effect.

39. I would add that it is true that the comments at issue, as transferred to Deloitte, were ‘filtered, categorised and aggregated’, with the result that, as is clear from the facts established by the General Court, (18) individual comments could not be distinguished within a single theme; however, it may be accepted that, even when aggregated, those collective comments, in terms of their content, reflect personal views regarding Valuation 3. They constitute a sum of opinions which, as such, constitute information relating to the persons who expressed them. Their filtering, categorisation and aggregation do not alter that finding, otherwise it would be sufficient, in order to avoid the requirement of information ‘relating’ to a natural person, to aggregate several points of view. The fact that it is not possible, within that sum of comments, to distinguish the various individual opinions seems to me to fall more within the scope of the second cumulative condition, relating to the identifiability of the data subjects, examined in the context of the second part of the present ground of appeal, than within the scope of the condition requiring the comment to be ‘linked’ to a natural person.

40. In those circumstances, I am of the view that the General Court’s assessment may be regarded as vitiated by an error of law in that regard, inasmuch as it considered that the EDPS had not complied with the examination required by the judgment in Nowak in order to conclude that the comments at issue ‘related’ to natural persons, within the meaning of Article 3(1) of Regulation 2018/1725.

41. If the Court were to decide to reject that first part and were to hold that the pseudonymised comments at issue do not relate to their authors, examination of the second part of the ground of appeal would be superfluous, since, under Article 3(1) of Regulation 2018/1725, that is a necessary condition for the existence of personal data, which is cumulative with the condition that data subjects are identifiable, examined below.

2. The second part, relating to the condition that data subjects are identifiable

42. The EDPS and the European Data Protection Board submit, in essence, that the General Court made two errors, the first concerning the concept of ‘pseudonymisation’ and the second concerning the interpretation of the judgment in Breyer, (19) assertions which the SRB and the Commission dispute.

(a) The first complaint, alleging an error concerning the effects of pseudonymisation

43. This complaint illustrates the existence of two very different approaches to the scope of data protection rules. Should pseudonymised data be included within that scope automatically on the sole ground that the data subjects remain identifiable, irrespective of the accessibility of the additional identification data, or should it be considered that, following the pseudonymisation process, the data are personal data only for those persons who can reasonably identify the data subjects?

(1) Arguments of the parties

44. The EDPS and the European Data Protection Board submit, in essence, that the pseudonymised data are still personal data for the sole reason that the data subjects remain identifiable since the information enabling them to be identified continues to exist. It is argued that the General Court’s approach is incorrect in that it allows pseudonymised data to be regarded as anonymised data vis-à-vis the recipient, which poses a risk to the protection of data subjects and creates confusion between pseudonymisation and anonymisation. Such an approach, which is contrary to the wording and purpose of Regulation 2018/1725, would allow the controller unduly to remove personal data from the scope of EU law relating to the protection of such data.

45. The SRB and the Commission contend, for their part, that pseudonymised data remain personal data for the controller who pseudonymised them, however, for the recipients, it is necessary to examine whether the data subjects are identifiable. Moreover, it is argued that, even though Article 3(1) of Regulation 2018/1725 does not specify who must be able to identify the data subject, in the light of recital 16 of that regulation and in the context of Article 15(1)(d) thereof, which are at issue here, it is the recipient’s point of view that matters. According to them, if that recipient does not receive personal data, the data subjects have no interest in being informed about the transfer of data because their rights are not affected.

(2) Assessment

46. At the outset, it is worth recalling that pseudonymisation is processing applied to personal data in order, in accordance with recital 17 of Regulation 2018/1725, to ‘reduce the risks’ of a data set being correlated with the identity of a data subject and to ‘help controllers and processors to meet their data protection obligations’.

47. Article 3(6) of Regulation 2018/1725 thus defines pseudonymisation as ‘the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, [which] is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person’. (20)

48. Pseudonymisation is therefore not part of the definition of personal data, which are defined by Article 3(1) of Regulation 2018/1725, in the light of the concept of the ‘identifiability’ of the data subject. Moreover, as the Commission indicated in its statement in intervention, that regulation defines the concept of ‘pseudonymisation’, thus referring to the process for putting in place a safeguard or technical and organisational measure, but not the concept of ‘pseudonymised data’.

49. That interpretation is confirmed by a combined reading of Article 3(6) and recital 16 of the abovementioned regulation, the first sentence of the latter provision stating that ‘the principles of data protection should apply to any information concerning an identified or identifiable natural person.’

50. Furthermore, recital 16 of Regulation 2018/1725 merits a more detailed analysis. (21) It contains a second sentence stating that ‘personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information, should be considered to be information on an identifiable natural person’. This is followed by the third and fourth sentences, which specify the content of that identifiability requirement.

51. I infer from the wording of those provisions that pseudonymisation leaves open the possibility that the data subjects may not be identifiable, otherwise the wording of recital 16 of that regulation would be pointless. I would add that the final sentences of that recital concerning anonymisation confirm this interpretation: they exclude anonymised data (or data rendered anonymous) from the scope of Regulation 2018/1725, (22) but exclude pseudonymised data from it only in so far as the data subjects are not identifiable. If it is impossible to identify those data subjects, they are therefore legally considered to be sufficiently protected by the pseudonymisation process, notwithstanding the fact that the additional identification data have not been completely erased.

52. In other words, it is not a matter of automatically excluding pseudonymised data from the scope of that regulation. (23) However, in the light of recital 16 thereof, it cannot be ruled out that such data may, under certain conditions, fall outside the scope of the concept of ‘personal data’.

53. Contrary to what the EDPS maintains, such an approach does not appear to me to be contrary to the objective of ensuring a high level of protection of personal data, in particular in the light of the identifiability requirements laid down by the applicable provisions, on the one hand, and in the light of their interpretation by the case-law, on the other.

54. First, recital 16 of Regulation 2018/1725 refers to identifiability by the controller ‘or by another person’: that broad, albeit not unlimited, (24) concept forms part of a protective approach to personal data.

55. Similarly, recital 16 of that regulation states that account should be taken of the means reasonably likely to be used to identify, directly or indirectly, a natural person, taking into account all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments, which constitutes a broad and protective definition of personal data.

56. Second, the interpretation in the case-law of that concept of ‘identifiability’, which focuses on the risk of re-identification of data subjects, also allows for a broad application of the concept of ‘personal data’. Thus, the Court has consistently classified as ‘personal data’ data which, although dissociated from the identification data held by someone else, could, in the situation in question, give rise to a risk that the data subjects would be re-identified. (25)

57. Thus, it is only where the risk of identification is non-existent or insignificant (26) that data can legally escape classification as ‘personal data’.

58. I am not convinced by the arguments of the EDPS and of the European Data Protection Board concerning the dangers arising from an overly strict interpretation of personal data. The fact that the rules stemming from Regulation 2018/1725 do not apply to data relating to non-identifiable persons would not preclude entities that are at the origin of misconduct from incurring legal liability where appropriate, for example in the event of disclosure of data resulting in harm. On the other hand, it seems to me disproportionate to impose on an entity, which could not reasonably identify the data subjects, obligations arising from Regulation 2018/1725, (27) obligations which that entity could not, in theory, comply with or which would specifically require it to attempt to identify the data subjects.

59. In the light of those considerations, if the dispute is analysed with regard to the data as transferred to Deloitte, I am of the opinion that, contrary to what the EDPS maintains, it was necessary to determine whether the pseudonymisation of the data at issue was sufficiently robust to conclude that the complainants, who were the authors of the information transmitted to Deloitte, were not reasonably identifiable. In other words, in that context, if Deloitte had reasonable means to identify those complainants, it could be considered to be processing personal data.

60. The first complaint raised by the EDPS should therefore, in my view, be rejected.

(b) The second complaint, alleging an error in the comparison made with the judgment in Breyer

(1) Arguments of the parties

61. According to the EDPS, supported by the European Data Protection Board, the pseudonymised data at issue are personal data for the SRB and, therefore, the obligation to provide information to the data subjects regarding the recipient was incumbent on the SRB. He submits, in essence, that the General Court misinterpreted the judgment in Breyer which concerned a different factual situation.

62. According to the SRB, supported by the Commission, by contrast, the comparison with the judgment in Breyer is relevant and leads to the conclusion that the obligation to provide information applies only if the data transferred are personal data from the point of view of the recipient, in this case Deloitte, which, they argue, as the General Court correctly held, has not been demonstrated in the present case.

(2) Assessment

63. I am of the opinion that the obligation to provide information, laid down in Article 15(1)(d) of Regulation 2018/1725, and the parallel with the judgment in Breyer lead, in the present case, to a solution different from that reached by the General Court, which I will set out in the context of the analysis of the present complaint.

64. Article 4(1)(a) of Regulation 2018/1725 lays down the requirement of lawful, fair and transparent processing of data in relation to the data subject.

65. In particular, Article 15(1)(d) of that regulation provides that, where personal data relating to a data subject are collected from the data subject, the controller is to inform the data subjects, ‘at the time when personal data are obtained’, of the possible recipients of those data. It thus appears that that information must be provided by the controller immediately, namely at the time when the data are collected. (28)

66. The importance of compliance with such an obligation to provide information is also confirmed by recital 35 of Regulation 2018/1725 which states that the principles of fair and transparent processing require that the data subject be informed of the existence of the processing operation and its purposes, it being emphasised that the controller should provide any further information necessary to ensure fair and transparent processing, taking into account the specific circumstances and context in which the personal data are processed. (29)

67. Such an obligation to provide information is all the more important since the validity of the consent given by the data subject depends, inter alia, on whether that person has previously obtained the information to which he or she was entitled in the light of all the circumstances surrounding the processing of the data in question, under Articles 14 and 15 of Regulation 2018/1725, and which allows him or her to give consent in full knowledge of the facts. (30)

68. I would add that the only exception to that obligation to provide information, laid down in Article 15(4) of Regulation 2018/1725, concerns the situation in which the data subject already has the information in question.

69. On that basis I conclude that, in the present case, that obligation to provide information is part of the legal relationship between the data subjects, in this case the complainants, on the one hand, and the SRB as controller, on the other, and not part of the relationship between the SRB and the recipient, namely Deloitte. The obligation to provide information therefore concerns the data as held by the SRB before the transfer to Deloitte. It is not disputed that the data in question are personal data, since the SRB holds the comments and the database for identifying the persons who made them.

70. Such an approach from the ‘relevant perspective’ (31) thus leads me to a different solution from that reached by the General Court, even if I make the comparison with the judgment in Breyer.

71. I would point out that, in the dispute which gave rise to the question referred for a preliminary ruling in that judgment, Mr Breyer sought to prohibit the controller (the Federal Republic of Germany) from storing his dynamic IP address. The additional data enabling him to be identified through the IP address attached to his computer was in the hands not of the controller, but of the internet service provider. The question was therefore whether the dynamic IP address held by the controller could be classified as ‘personal data’ and, accordingly, in the context of the legal relationship between Mr Breyer and that controller, trigger obligations for the latter in terms of storage, even though the data identifying Mr Breyer were in the hands of a person other than the controller. It was held, in essence, that the controller, although not in possession of the additional identifying data, could reasonably have access to it and the dynamic IP address was therefore classified as ‘personal data’.

72. In the present case, as recalled above, (32) the obligation to provide information is part of the relationship between the data subjects (the complainants) and the controller (the SRB): it is when the data in question are collected by the SRB and, in particular as regards the information about the recipient, at the latest when that recipient is known, that the obligation to provide information arises. At that particular moment, the data in question are personal data in the SRB’s possession, which holds the additional identification data. In the light of the obligation to provide information at issue and having regard to the specific point in time at which it arises, the data at issue therefore constituted personal data, irrespective of their identifiability by Deloitte, which is not concerned either by the legal relationship between the complainants and the SRB – the only relationship that is relevant – or by that obligation to provide information incumbent on the SRB.

73. It is in that respect that the parallel with the judgment in Breyer must in my view be placed in context in the present case.

74. It follows that the obligation to provide information was incumbent on the SRB as controller and by virtue of its relationship with the complainants, from whom it collected the data at issue, irrespective of whether or not the data as transferred into Deloitte’s possession were personal data.

75. The SRB’s argument, which was reiterated at the hearing, that the recipient’s point of view is relevant because it is important to ascertain whether or not it is a ‘recipient of personal data’ must, on that basis, be rejected.

76. In that regard, it is true that the wording of Article 15(1)(d) of Regulation 2018/1725, which refers to the ‘recipients … of the personal data’, may give rise to confusion. However, the effectiveness of that provision requires that the information be transmitted to the data subjects as soon as possible and prior to that transfer of data. (33) In the present case, even though the SRB did not, when initially collecting the comments, intend to seek Deloitte’s opinion as to whether those comments changed Valuation 3, it is apparent from the decision that was contested before the General Court that Deloitte assisted the SRB in the context of the right to be heard process. (34) Moreover, the SRB’s intention to disclose the pseudonymised data to Deloitte may be considered to have existed at the latest at the time when it was decided to process the comments in question precisely for the purpose of pseudonymising them, (35) otherwise there would be no justification for pseudonymisation.

77. I therefore take the view that to review compliance with the obligation to provide information at the time when the data were transferred by the SRB to Deloitte, by adopting the viewpoint of the recipient in order to classify the data at issue as personal or not, results in the timing of that review being shifted. That review would, as a consequence, be wrongly delayed in that it would be carried out in relation to data already transferred to the recipient, even though the purpose of the obligation to provide information concerns the relationship between the SRB and the complainants and is intended to enable the latter to give their informed consent before the transfer.

78. Moreover, as regards the complainants’ consent, their participation in the right to be heard process may admittedly be interpreted as implicit consent to share personal data with the controller with a view to having their comments taken into account. However, that is not sufficient, in my view, to constitute informed consent for the pseudonymisation of the data and their transfer to Deloitte without prior information in that regard from the SRB. (36)

79. It follows that, in my view, the SRB’s obligation to provide information applied in the present case prior to the transfer of the data at issue and irrespective of whether or not they were personal data in Deloitte’s possession.

80. Therefore, the issue of whether or not pseudonymisation is sufficiently robust and effective, so as to permit a conclusion regarding whether or not the data in Deloitte’s possession constitute personal data, ultimately does not seem to me to be material with regard to the SRB’s obligation to provide information.

81. Consequently, the obligation to provide information, incumbent on the SRB as controller, had to be complied with in the present case and the judgment under appeal must, for that reason, be set aside on the ground of an error of law.

82. Since the point of view of the recipient of the data at issue is not relevant to the obligation to provide information laid down in Article 15(1)(d) of Regulation 2018/1725, the arguments of the parties concerning the possibility for Deloitte to identify, by lawful and practically feasible means, the data subjects are ineffective and there is therefore no need to examine them.

83. If the Court of Justice were not to take that view, I note in the alternative that the EDPS disputes, in that regard, the General Court’s finding that Deloitte did not have access to the identification data. He relies, in particular, on the alleged contractual relationship based on controller-processor subcontracting between the SRB and Deloitte. The SRB and the Commission contend that, in so doing, the EDPS raises new factual allegations which are inadmissible at the appeal stage. I agree with that contention. The existence of a contractual relationship between the SRB and Deloitte, which would demonstrate that Deloitte could ask the SRB to identify the complainants, constitutes a new line of argument on which, moreover, the General Court did not in any way rule. It follows that that line of argument should, if necessary, be rejected as inadmissible under the second sentence of Article 170(1) of the Rules of Procedure of the Court of Justice, according to which the subject matter of the proceedings before the General Court may not be changed in the appeal. (37)

B. The second ground of appeal, examined in the alternative

84. By his second ground of appeal, alleging breach of the principle of accountability laid down in Article 4(2) and Article 26(1) of Regulation 2018/1725, the EDPS, supported by the European Data Protection Board, submits that the General Court erred in holding that it was for the EDPS to demonstrate that the information transmitted to Deloitte was personal data, in breach of the principle of accountability of the SRB.

85. In the light of the foregoing and in particular points 81 and 82 above, I consider that there is no need to examine the second ground of appeal.

86. I shall therefore address it only briefly and in the alternative.

87. As regards the admissibility, disputed by the SRB, of that ground of appeal, which was not raised as a plea before the General Court, I would point out that an appellant is entitled to lodge an appeal relying on grounds which arise from the judgment under appeal itself and seek to criticise, in law, its correctness. (38) That seems to me to be the case with the present ground of appeal, which is therefore admissible.

88. As to the substance, it should be recalled that the General Court held that, since the EDPS did not investigate whether Deloitte had legal means available to it which could in practice enable it to access the additional information necessary to re-identify the complainants, the EDPS could not conclude that the information transmitted to Deloitte constituted information relating to an ‘identifiable natural person’ within the meaning of Article 3(1) of Regulation 2018/1725.

89. The EDPS, supported by the European Data Protection Board, submits, in essence, that the General Court should have verified whether the SRB, the controller, had proved that it had anonymised the data at issue vis-à-vis Deloitte.

90. The SRB disputes that line of argument, contending that the principle of accountability applies only where personal data exist and that, in the present case, the data in Deloitte’s possession had been anonymised.

91. The Commission, for its part, contends that, first, the EDPS bears a reasonable burden of proving, on the basis of the available evidence, the existence of personal data. Second, it would be for the controller concerned to rebut that finding by submitting further evidence.

92. I would point out that, under Article 4(1)(a) of Regulation 2018/1725, personal data are to be processed lawfully, fairly and in a transparent manner in relation to the data subject. Article 4(2) of that regulation provides that ‘the controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1’. It thus follows from the principle of accountability, set down in Article 4(2) and fleshed out in Article 26(1) of Regulation 2018/1725, that the controller must be able to demonstrate its compliance with the principles relating to the processing of personal data laid down in Article 4(1) of that regulation. (39)

93. Where the controller provides sufficient evidence to that effect, it may be regarded as having discharged its burden of proof. (40)

94. In the present case, it seems to me that the SRB has relied on several factual elements (including the processes for filtering, categorisation and aggregation of comments, described in the decision at issue and the judgment under appeal) in order to prove, in accordance with the principle of accountability incumbent on it, that it was impossible for Deloitte to identify the data subjects.

95. Before the General Court, the EDPS took a position of principle in that regard, consisting of putting himself in the SRB’s position and not Deloitte’s and thus classifying the comments transferred to Deloitte as ‘personal data’.

96. If it is accepted, for the purposes of the alternative examination of the present ground of appeal, that Deloitte’s point of view was relevant in the present case, (41) it may be considered, as the General Court held, that it was for the EDPS to demonstrate (42) for what reason, legal or technical, the pseudonymisation process implemented by the SRB in the present case was not sufficient and should have led to the conclusion that Deloitte was processing personal data.

97. I would therefore be of the opinion that, if appropriate, the judgment under appeal should be upheld as regards that second ground of appeal.

VII. The action before the General Court

98. In accordance with the first paragraph of Article 61 of the Statute of the Court of Justice of the European Union, if the appeal is well founded the Court of Justice is to quash the decision of the General Court. It may itself give final judgment in the matter, where the state of the proceedings so permits, or refer the case back to the General Court for judgment.

99. The first plea in law raised by the SRB against the decision that was contested before the General Court alleges infringement of Article 3(1) of Regulation 2018/1725. It follows from points 63 to 82 of this Opinion that, since the SRB failed to fulfil its obligation to provide information under Article 15(1)(d) of Regulation 2018/1725, the decision at issue should therefore, in my view, be confirmed.

100. By contrast, the second plea in law, alleging infringement by the EDPS of the right to good administration in the context of the procedure which led to the adoption of the decision at issue, does not appear to me to permit final judgment to be given in the matter.

101. The SRB maintains in particular that, in the administrative procedure preceding the adoption of the decision at issue, the EDPS infringed its right of access to the file, its right to be heard and the principle of equality of arms by refusing it access to the file, on the one hand, and by not communicating to it the complainants’ observations or the content thereof, on the other.

102. The General Court held that, since the first plea of the action had been upheld, it was not necessary to examine the second plea raised before it. Consequently, the state of the proceedings does not permit final judgment to be given on that second plea, which involves, inter alia, factual assessments. I therefore consider that the case should be referred back to the General Court for judgment in that regard, the costs being reserved.

VIII. Conclusion

103. In the light of the foregoing considerations, I propose that the Court should:

– set aside the judgment of the General Court of the European Union of 26 April 2023, SRB v EDPS (T‑557/20, EU:T:2023:219);

– refer the case back to the General Court for judgment on the second plea in law raised before it;

– reserve the costs.

Holding

TBD
