CJEU - C-413/23 - EDPS v SRB

From GDPRhub
Revision as of 13:31, 10 February 2025 by Tjk
CJEU - C-413/23 EDPS v SRB
Court: CJEU
Jurisdiction: European Union
Relevant Law: Article 15(1)(d) GDPR
Decided: 06.02.2025
Parties: EDPB
Single Resolution Board (SRB)
Case Number/Name: C-413/23 EDPS v SRB
European Case Law Identifier: ECLI:EU:C:2025:59
Reference from:
Language: 24 EU Languages
Original Source: AG Opinion
Initial Contributor: tjk


The AG held that the EDPS must determine whether “the pseudonymisation of the data at issue was sufficiently robust to conclude that [the data subjects] were not reasonably identifiable.”

English Summary

Facts

In 2017 the Single Resolution Board (the controller) adopted a resolution scheme in respect of Banco Popular, which means in practice that the bank’s capital instruments were written down or converted and disposed of by way of a transfer of shares.

The controller entrusted Deloitte (the processor) to determine whether the shareholders and creditors, thus affected by the resolution action (data subjects), would have received better treatment if that institution had entered into normal insolvency proceedings. The processor sent its results ("Valuation 3") to the controller. By a preliminary decision, the controller stated that, to be able to take its final decision on whether the data subjects affected should be granted compensation, it was launching the right to be heard process (the process), including an initial registration phase, to verify the eligibility of the parties expressing an interest, and a subsequent consultation phase, in the context of which the affected data subjects submitted their comments on the controller’s preliminary decision, to which the processor's "Valuation 3" was attached.

The data collected during the registration phase (proof of the data subjects’ identity and of the ownership of affected capital instruments) were accessible to a limited number of the controller's staff tasked with determining the data subjects’ eligibility. Those data were not visible to the controller staff tasked with processing the comments received in the consultation phase, during which those staff members only received comments identified by reference to an alphanumeric code allocated to each individual comment submitted using the form.

Following the aggregation, automatic filtering and categorisation of the comments, the controller sent to the processor these comments relating to the processor's "Valuation 3". The comments transferred to the processor were solely those that were received during the consultation phase and that bore an alphanumeric code, developed for audit purposes to enable the controller to verify, and if necessary to demonstrate subsequently, that each comment had been handled and duly considered. On account of that code, only the controller could link the comments to the data received in the registration phase. The processor had, and still has, no access to the database of data collected during the registration phase.

The EDPS' decision

Affected data subjects submitted five complaints under Regulation 2018/1725 (EU Data Protection Regulation - EUDPR) to the EDPS on the ground that the privacy statement published by the controller did not mention the transmission to the processor. They alleged that the controller had infringed its obligation to provide information under Article 15(1)(d) EUDPR. The EDPS decided:

  1. that the data the controller shared with the processor were pseudonymous data, because the controller shared the alphanumeric code that allows linking the replies given in [the registration phase] with the ones given in [the consultation phase] – notwithstanding the fact that the data provided by the data subjects to identify themselves in [the registration phase] were not disclosed to the processor.
  2. that the processor was a recipient of the data subjects’ personal data under Article 3(13) EUDPR, and that the fact that it was not mentioned in the controller’s [privacy statement] as a potential recipient of the data collected and processed by the controller in the context of the [right to be heard] process constitutes an infringement of Article 15(1)(d) EUDPR.
  3. that due to the technical and organisational measures set up by the controller to mitigate the risks for the data subjects’ protection in the context of the [right to be heard] process, the EDPS does not exercise any corrective powers of Article 58(2) EUDPR.
  4. to recommend to the controller to ensure that the data protection notice in future [right to be heard] processes covers the processing of personal data in both the registration phase and the consultation phase, and includes all potential recipients of the information collected, in order to fully comply with Article 15 EUDPR.

The controller, supported by the Commission, brought an action before the General Court (GC) seeking, first, the annulment of the decision at issue and, second, a declaration that the original decision of the EDPS of 24 June 2020 is illegal.

The General Court's decision

The GC annulled the decision at issue, finding that the EDPS had presumed the information transmitted to the processor to be ‘related’ to a natural person within the meaning of Article 3(1) EUDPR, without examining the content, the purpose or the effect of the information transmitted to the processor, as required by Nowak.

Regarding the condition of Article 3(1) EUDPR that the information must relate to an ‘identified or identifiable’ natural person, the GC held that it was for the EDPS to examine whether the comments transmitted to the processor constituted personal data for the processor.

According to the GC, the EDPS merely examined whether it was possible to re-identify the authors of the comments from the controller’s perspective and not from the processor’s. Therefore, since the EDPS did not investigate whether the processor had legal means available to it which could in practice enable it to access the additional information necessary to re-identify the authors of the comments, the EDPS could not conclude that the information transmitted to the processor constituted information relating to an ‘identifiable natural person’ within the meaning of Article 3(1) EUDPR.

The Appeal

In support of its appeal, the EDPS, supported by the EDPB, challenged the GC’s interpretation of the concept of ‘personal data’ within the meaning of Article 3(1) and (6) EUDPR and alleged a breach of the principle of accountability laid down in Article 4(2) and Article 26(1) EUDPR:

  1. Concerning the question whether the information ‘relates’ to a natural person, the EDPS, supported by the EDPB, argued that further examination by it was not required. The controller contends that the EDPS merely stated that the comments at issue, produced by the data subjects during the consultation phase of the right to be heard process, reflected their opinions or views whereas he should have examined whether the information transmitted to the processor was linked to a particular person by its content, purpose or effect.
  2. Regarding the condition that data subjects are identifiable, the EDPS and the EDPB submit, in essence, that the pseudonymised data are still personal data for the sole reason that the data subjects remain identifiable since the information enabling them to be identified continues to exist. It is argued that the GC’s approach is incorrect in that it allows pseudonymised data to be regarded as anonymised data vis-à-vis the recipient, which poses a risk to the protection of data subjects and creates confusion between pseudonymisation and anonymisation. Such an approach, which is contrary to the wording and purpose of EUDPR, would allow the controller unduly to remove personal data from the scope of EU law relating to the protection of such data. According to the EDPS and EDPB the pseudonymised data at issue are personal data for the controller and, therefore, the obligation to provide information to the data subjects regarding the recipient was incumbent on the controller. He submits, in essence, that the GC misinterpreted the judgment in Breyer.
  3. The EDPS, supported by the European Data Protection Board, submits, in essence, that the GC should have verified whether the controller had proved that it had anonymised the data at issue vis-à-vis the processor.


The controller and the Commission contend:

  1. that pseudonymised data remain personal data for the controller who pseudonymised them, however, for the recipients, it is necessary to examine whether the data subjects are identifiable.
  2. Moreover, it is argued that, even though Article 3(1) EUDPR does not specify who must be able to identify the data subject, in the light of recital 16 of that regulation and in the context of Article 15(1)(d) thereof, which are at issue here, it is the recipient’s point of view that matters. According to them, if that recipient does not receive personal data, the data subjects have no interest in being informed about the transfer of data because their rights are not affected. According to the controller, supported by the Commission, by contrast, the comparison with the judgment in Breyer is relevant and leads to the conclusion that the obligation to provide information applies only if the data transferred are personal data from the point of view of the recipient, in this case the processor, which, they argue, as the GC correctly held, has not been demonstrated in the present case.
  3. The controller contends that the principle of accountability applies only where personal data exist and that, in the present case, the data in the processor’s possession had been anonymised. The Commission, for its part, contends that, first, the EDPS bears a reasonable burden of proving, on the basis of the available evidence, the existence of personal data. Second, it would be for the controller concerned to rebut that finding by submitting further evidence.
  4. The controller maintains in particular that, in the administrative procedure preceding the adoption of the GC's decision, the EDPS infringed its right of access to the file, its right to be heard and the principle of equality of arms by refusing it access to the file, on the one hand, and by not communicating to it the data subjects’ observations or the content thereof, on the other.

Advocate General Opinion

I. Interpretation of the concept of personal data

1. Does the information ‘relate’ to a natural person?

The AG stated that the Court has repeatedly held that the use of the expression ‘any information’ in the definition of the concept of ‘personal data’ reflects the aim of the EU legislature to assign a wide scope to that concept encompassing not only objective but also subjective information such as opinions and assessments, provided that it ‘relates’ to the data subject.

Regarding the data subjects’ comments at issue, the AG distinguished whether consideration is given to whether those opinions or assessments ‘relate’ to a person or persons referred to in the text of the opinion or assessment, or whether, as in the present case, it is a matter of determining whether they relate to their author. In the first case, in order to conclude that there is information relating to the person who is the subject of the assessment, it is necessary to analyse whether the content, purpose or effect of the assessment relates to that person. In the second case, by contrast, in order to determine whether the assessment relates to the person who issued it, it seems to the AG that it could be presumed that this is the case and that an opinion or assessment necessarily relates to its author.

Thus, in the judgment in Nowak, it was essentially a question of assessing the information contained in an examination script. There were therefore two data subjects: the candidate and the examiner. It is true that the Court examined the content, purpose and effect of the candidate’s answers and concluded that they related to him. That said, with regard more specifically to the examiner’s comments, which reflect his opinion or assessment, while the Court examined the content, purpose and effect of the information contained in the script in order to conclude that those assessments related to the candidate, it did not carry out such an examination in order to find that they constituted information relating to the examiner who was the author of those assessments. In the AG's view, it cannot therefore be entirely ruled out that a (mere) presumption may apply when assessing whether an opinion or assessment or, as in the present case, a comment, ‘relates’ to its author.

The AG concludes that, in the absence of proof to the contrary, the comments at issue in the present case, since they emanated from the data subjects and showed ‘their logic and reasoning’, thus reflecting the expression of their ‘subjective opinion’, necessarily ‘related’ to those data subjects, irrespective of the purpose or effect of their comments.

In any event, even in the absence of such a presumption in the present case, the AG is of the opinion that the comments at issue ‘relate’ to the data subjects by reason of their content, purpose and effect.

The AG stated that the purpose of the right to be heard process, in the context of which the comments at issue were submitted, was to enable the affected data subjects to contribute to the process, in particular to enable the controller to have all the information necessary to take a final decision on whether the data subjects affected by the resolution of Banco Popular should be granted compensation in accordance with the principle that no creditor should be worse off than in the event of liquidation under normal insolvency proceedings. Furthermore, those comments, once taken into account by the controller, were liable to have an effect on the data subjects’ interests and rights regarding financial compensation.

The AG concludes on that basis that the comments at issue relate to the data subjects in the present case, including by reason of their purpose and effect.

The AG would add that it is true that the comments at issue, as transferred to the processor, were ‘filtered, categorised and aggregated’, with the result that, as is clear from the facts established by the GC, individual comments could not be distinguished within a single theme; however, it may be accepted that, even when aggregated, those collective comments, in terms of their content, reflect personal views regarding Valuation 3. They constitute a sum of opinions which, as such, constitute information relating to the persons who expressed them. Their filtering, categorisation and aggregation do not alter that finding, otherwise it would be sufficient, in order to avoid the requirement of information ‘relating’ to a natural person, to aggregate several points of view. The fact that it is not possible, within that sum of comments, to distinguish the various individual opinions seems to the AG to fall more within the scope of the second cumulative condition, relating to the identifiability of the data subjects, examined in the context of the second part of the present ground of appeal, than within the scope of the condition requiring the comment to be ‘linked’ to a natural person.

In those circumstances, the AG is of the view that the GC’s assessment may be regarded as vitiated by an error of law in that regard, inasmuch as it considered that the EDPS had not complied with the examination required by the judgment in Nowak in order to conclude that the comments at issue ‘related’ to natural persons, within the meaning of Article 3(1) EUDPR.

If the Court were to decide to reject that first part and were to hold that the pseudonymised comments at issue do not relate to their authors, examination of the second part of the ground of appeal would be superfluous, since, under Article 3(1) EUDPR, that is a necessary condition for the existence of personal data, which is cumulative with the condition that data subjects are identifiable, examined below.

2. Is it necessary to establish whether data subjects are identifiable?

The AG states that the question of identifiability as a condition of personal data illustrates the existence of two very different approaches to the scope of data protection rules. Should pseudonymised data be included within that scope automatically on the sole ground that the data subjects remain identifiable, irrespective of the accessibility of the additional identification data, or should it be considered that, following the pseudonymisation process, the data are personal data only for those persons who can reasonably identify the data subjects?

Firstly, the AG states that pseudonymisation, which under Article 3(6) and Recital 17 EUDPR is processing applied to personal data to ‘reduce the risks’ of a data set being correlated with the identity of a data subject and to ‘help controllers and processors to meet their data protection obligations’, is not part of the definition of personal data in Article 3(1) EUDPR. He finds that the EUDPR defines the concept of ‘pseudonymisation’ but not the concept of ‘pseudonymised data’.

Secondly, the AG finds that, as Recital 16 EUDPR states that pseudonymised personal data which could be attributed to a natural person should be considered to be information on an identifiable natural person, this wording would be pointless if pseudonymisation did not leave open the possibility that the data subjects may not be identifiable. The AG finds this confirmed by a parallel to anonymisation: anonymised data is excluded from the scope of the EUDPR, but pseudonymised data is only excluded in so far as the data subjects are not identifiable.

Therefore, the AG concludes that it cannot be ruled out that pseudonymised data may fall outside the scope of the concept of ‘personal data’, but only where the risk of identification is non-existent or insignificant. The AG considers this strict interpretation of personal data to be in line with the objective of ensuring a high level of protection of personal data. He relies on Recital 16 EUDPR, stating that it constitutes a broad and protective definition of personal data, referring to identifiability by any person and taking into account the factual risk of identification. Secondly, the AG finds it also to be in line with the CJEU's case-law, which has consistently classified as ‘personal data’ data which could, in the situation in question, give rise to a risk that the data subjects would be re-identified.

The AG states that the fact that the EUDPR does not apply to data relating to non-identifiable persons would not preclude entities from incurring legal liability where appropriate, for example in the event of disclosure of data resulting in harm. On the other hand, it seems to the AG disproportionate to impose on an entity, which could not reasonably identify the data subjects, obligations arising from EUDPR, as this would specifically require it to attempt to identify the data subjects.

Therefore, the AG agrees with the GC that it was necessary to determine whether the pseudonymisation of the data at issue was sufficiently robust to conclude that the data subjects were not reasonably identifiable.

3. Alleged error in the comparison made with the judgment in Breyer

The AG is of the opinion that the obligation to provide information, laid down in Article 15(1)(d) EUDPR, and the parallel with the judgment in Breyer lead, in the present case, to a solution different from that reached by the GC. The AG finds that the obligation to provide information is part of the legal relationship between the data subjects, on the one hand, and the controller on the other, and not part of the relationship between the controller and the recipient, namely the processor. The obligation to provide information therefore concerns the data as held by the controller before the transfer to the processor. It is not disputed that the data in question are personal data, since the controller holds the comments and the database for identifying the persons who made them.

The AG pointed out that the question in Breyer was whether the dynamic IP address held by the controller could be classified as ‘personal data’ and, accordingly, in the context of the legal relationship between Mr Breyer and that controller, trigger obligations for the latter in terms of storage, even though the data identifying Mr Breyer were in the hands of a person other than the controller. It was held, in essence, that the controller, although not in possession of the additional identifying data, could reasonably have access to it and the dynamic IP address was therefore classified as ‘personal data’.

In the present case, the AG stated, the obligation to provide information is part of the relationship between the data subjects and the controller: it is when the data in question are collected by the controller and, in particular as regards the information about the recipient, at the latest when that recipient is known, that the obligation to provide information arises. At that particular moment, the data in question are personal data in the controller’s possession, which holds the additional identification data. In the light of the obligation to provide information at issue and having regard to the specific point in time at which it arises, the data at issue therefore constituted personal data, irrespective of their identifiability by the processor, which is not concerned either by the legal relationship between the data subjects and the controller – the only relationship that is relevant – or by that obligation to provide information incumbent on the controller.

According to the AG, it follows that the obligation to provide information was incumbent on the controller and by virtue of its relationship with the data subjects, from whom it collected the data at issue, irrespective of whether or not the data as transferred into the processor’s possession were personal data. The controller’s argument, which was reiterated at the hearing, that the recipient’s point of view is relevant because it is important to ascertain whether or not it is a ‘recipient of personal data’ must, on that basis, be rejected.

In that regard, it is true that the wording of Article 15(1)(d) EUDPR, which refers to the ‘recipients … of the personal data’, may give rise to confusion. However, the effectiveness of that provision requires that the information be transmitted to the data subjects as soon as possible and prior to that transfer of data. In the present case, even though the controller did not, when initially collecting the comments, intend to seek the processor’s opinion as to whether those comments changed "Valuation 3", it is apparent from the decision that was contested before the GC that the processor assisted the controller in the context of the right to be heard process. Moreover, the controller’s intention to disclose the pseudonymised data to the processor may be considered to have existed at the latest at the time when it was decided to process the comments in question precisely for the purpose of pseudonymising them, otherwise there would be no justification for pseudonymisation.

The AG therefore took the view that to review compliance with the obligation to provide information at the time when the data were transferred by the controller to the processor, by adopting the viewpoint of the recipient in order to classify the data at issue as personal or not, results in the timing of that review being shifted. That review would, as a consequence, be wrongly delayed in that it would be carried out in relation to data already transferred to the recipient, even though the purpose of the obligation to provide information concerns the relationship between the controller and the data subjects and is intended to enable the latter to give their informed consent before the transfer.

Moreover, as regards the data subjects’ consent, their participation in the right to be heard process may admittedly be interpreted as implicit consent to share personal data with the controller with a view to having their comments taken into account. However, that is not sufficient, in the AG's view, to constitute informed consent for the pseudonymisation of the data and their transfer to the processor without prior information in that regard from the controller.

In the AG's view it follows that the controller was obliged to provide information prior to the transfer of the data at issue and irrespective of whether or not they were personal data in the processor’s possession. Therefore, the issue of whether or not pseudonymisation is sufficiently robust and effective, so as to permit a conclusion regarding whether or not the data in the processor’s possession constitute personal data, ultimately does not seem to the AG to be material with regard to the controller’s obligation to provide information. Consequently the judgment under appeal must be set aside on the ground of an error of law.

Since the point of view of the recipient of the data at issue is not relevant to the obligation to provide information laid down in Article 15(1)(d) EUDPR, the arguments concerning the possibility for the processor to identify, by lawful and practically feasible means, the data subjects are ineffective and there is therefore no need to examine them.

The AG noted in the alternative that the EDPS disputes, in that regard, the GC’s finding that the processor did not have access to the identification data. The EDPS relies on the alleged contractual relationship based on controller-processor subcontracting between the controller and the processor. The controller and the Commission contend that, in so doing, the EDPS raises new factual allegations which are inadmissible at the appeal stage. The AG agrees with that contention. The existence of a contractual relationship between the controller and the processor, which would demonstrate that the processor could ask the controller to identify the data subjects, constitutes a new line of argument on which, moreover, the GC did not in any way rule. It follows that that line of argument should, if necessary, be rejected as inadmissible under the second sentence of Article 170(1) of the Rules of Procedure of the Court of Justice, according to which the subject matter of the proceedings before the GC may not be changed in the appeal.

II. Breach of the principle of Accountability

The AG considered that there is no need to examine whether it was for the EDPS to demonstrate that the information transmitted to the processor was personal data and the transmission a breach of the principle of accountability laid down in Article 4(2) and Article 26(1) EUDPR.

However, the AG found that it follows from the principle of accountability, set down in Article 4(2) and fleshed out in Article 26(1) EUDPR, that the controller must be able to demonstrate its compliance with the principles relating to the processing of personal data laid down in Article 4(1) of that regulation. Where the controller provides sufficient evidence to that effect, it may be regarded as having discharged its burden of proof.

In the present case, it seems to the AG that the controller has relied on several factual elements (including the processes for filtering, categorisation and aggregation of comments) to prove that it was impossible for the processor to identify the data subjects. If it is accepted, for the purposes of the alternative examination, that the processor’s point of view was relevant in the present case, it may be considered, as the GC held, that it was for the EDPS to demonstrate for what reason, legal or technical, the pseudonymisation process implemented by the controller in the present case was not sufficient and should have led to the conclusion that the processor was processing personal data. The AG would therefore be of the opinion that, if appropriate, the judgment under appeal should be upheld as regards that second ground of appeal.

III. Conclusion

If the appeal is well founded, the CJEU is to quash the decision of the GC. It may itself give final judgment in the matter, where the state of the proceedings so permits, or refer the case back to the GC for judgment. The first plea in law raised by the controller alleges infringement of Article 3(1) EUDPR. Since the controller failed to fulfil its obligation to provide information under Article 15(1)(d) EUDPR, the decision at issue should therefore be confirmed.

The alleged infringement by the EDPS of the right to good administration in the context of the procedure which led to the adoption of the GC's decision does not appear to the AG to permit final judgment to be given in the matter.

The GC held that, since the first plea of the action had been upheld, it was not necessary to examine the second plea raised before it. Consequently, the state of the proceedings does not permit final judgment to be given on that second plea, which involves, inter alia, factual assessments. The AG therefore considers that the case should be referred back to the GC for judgment in that regard, the costs being reserved.

In the light of the foregoing considerations, the AG proposed that the Court should set aside the judgment of the GC and refer the case back to the GC for judgment on the second plea in law raised before it.

Holding

TBD
