CJEU - C-413/23 - EDPS v SRB

From GDPRhub
Revision as of 08:39, 12 February 2025 by Tjk
Court: CJEU
Jurisdiction: European Union
Relevant Law: Article 15(1)(d) GDPR
Decided: 06.02.2025
Parties: EDPB
Single Resolution Board (SRB)
Case Number/Name: C-413/23 EDPS v SRB
European Case Law Identifier: ECLI:EU:C:2025:59
Reference from:
Language: 24 EU Languages
Original Source: AG Opinion
Initial Contributor: tjk


The AG opined that pseudonymised data can fall outside the concept of ‘personal data’ for a recipient of the data when it is factually impossible for the recipient to identify any data subjects from the data – even if it would be possible for the sender of the information.

English Summary

Facts

In 2017 the Single Resolution Board (the controller) adopted a resolution scheme in respect of a bank, which meant that the bank’s capital instruments were liquidated.

The controller entrusted Deloitte (the processor) to determine whether the shareholders and creditors affected by the resolution (data subjects) would have been better off within normal insolvency proceedings. The processor sent its results ("Valuation 3") to the controller. The controller launched a right to be heard process (the process) to determine whether the data subjects affected should be compensated. The process included an initial registration phase, to verify the eligibility of the parties expressing an interest, and a subsequent consultation phase, in which the affected data subjects submitted their comments on the controller’s preliminary decision, to which the processor's "Valuation 3" was attached.

Following the aggregation, automatic filtering and categorisation of the comments, the controller sent the processor those comments that related to the processor's "Valuation 3". The comments transferred to the processor were solely those that were received during the consultation phase and that bore an alphanumeric code, developed for audit purposes to enable the controller to verify, and if necessary to demonstrate, that each comment had been handled and duly considered. On account of that code, only the controller could link the comments to the data received in the registration phase. The processor had, and still has, no access to the database of data collected during the registration phase.

The EDPS' decision

The data subjects submitted five complaints under Regulation 2018/1725 (EU Data Protection Regulation - EUDPR) to the EDPS on the ground that the privacy statement published by the controller did not mention the transmission to the processor. They alleged that the controller had infringed its obligation to provide information under Article 15(1)(d) EUDPR. The EDPS decided, inter alia:

  1. that the data the controller shared with the processor were pseudonymous data, because the controller shared the alphanumeric code that allows linking the replies given in [the registration phase] with the ones given in [the consultation phase] – notwithstanding the fact that the data provided by the data subjects to identify themselves in [the registration phase] were not disclosed to the processor.
  2. that the processor was a recipient of the data subjects’ personal data under Article 3(13) EUDPR, and that the fact that it was not mentioned in the controller’s privacy statement as a potential recipient of the data collected and processed by the controller in the context of the right to be heard process constitutes an infringement of Article 15(1)(d) EUDPR.

The controller, supported by the Commission, brought an action before the General Court (GC) seeking the annulment of the decision and a declaration that the decision is illegal.

The General Court's decision

The GC annulled the EDPS' decision, finding that the EDPS had presumed the information transmitted to the processor to be ‘related’ to a natural person according to Article 3(13) EUDPR, without examining the content, the purpose or the effect of the information transmitted to the processor, as required by Nowak. The GC held that since the EDPS did not investigate whether the processor had legal means to access the additional information necessary to re-identify the data subjects, the EDPS could not conclude that the information transmitted to the processor constituted information relating to an ‘identifiable natural person’ within the meaning of Article 3(1) EUDPR.

The Appeal

In support of its appeal, the EDPS, supported by the EDPB, challenged the GC’s interpretation of the concept of ‘personal data’ within the meaning of Article 3(1) and (6) EUDPR and alleged a breach of the principle of accountability laid down in Article 4(2) and Article 26(1) EUDPR.

They submitted that pseudonymised data are still personal data for the sole reason that the data subjects remain identifiable, since the information enabling them to be identified continues to exist. According to the EDPS and EDPB, the controller had the obligation to provide information to the data subjects regarding the recipient; in essence, they submitted that the GC misinterpreted the judgment in Breyer.

The controller and the Commission contended that pseudonymised data remain personal data for the controller who pseudonymised them; for the recipients, however, it is necessary to examine whether the data subjects are identifiable. Moreover, they argued that, even though Article 3(1) EUDPR does not specify who must be able to identify the data subject, in the light of Recital 16 and in the context of Article 15(1)(d) EUDPR it is the recipient’s point of view that matters.

Advocate General Opinion

I. Plea in Law: Interpretation of the concept of personal data

1. Do the comments ‘relate’ to a natural person?

The AG opined that a (mere) presumption may apply when assessing whether a comment ‘relates’ to its author, but that even without such a presumption the comments ‘relate’ to the data subjects by reason of their content, purpose and effect, because they were liable to have an effect on the data subjects’ interests and rights regarding financial compensation. Additionally, the AG held that the aggregated content still reflects personal views, constituting a sum of opinions relating to those who expressed them. Otherwise, the AG found, one could avoid the requirement of information ‘relating’ to a natural person simply by aggregating it. The AG therefore took the view that the GC’s assessment is erroneous, as it considered that the EDPS had wrongfully found the comments at issue to be ‘related’ to natural persons within the meaning of Article 3(1) EUDPR.

2. Is it necessary to establish whether data subjects are identifiable?

The AG states that the question of identifiability illustrates the existence of two very different approaches to the scope of data protection rules, framing the question as follows: should pseudonymised data be included within that scope automatically, irrespective of the accessibility of the additional identification data, or should the data following the pseudonymisation process be considered personal data only for those persons who can reasonably identify the data subjects?

Firstly, the AG found that the wording of Recital 16 EUDPR would be pointless if pseudonymisation did not leave open the possibility that the data subjects may not be identifiable. The AG draws a parallel to anonymisation: anonymised data is excluded from the scope of the EUDPR, but pseudonymised data is only excluded in so far as the data subjects are not identifiable. The AG therefore concludes that pseudonymised data may fall outside the scope of the concept of ‘personal data’, but only where the risk of identification is non-existent or insignificant.

The AG considers this to be a strict interpretation of the concept of personal data, in line with the objective of ensuring a high level of protection of personal data. The AG states that the fact that the EUDPR does not apply to data relating to non-identifiable persons does not preclude legal liability where appropriate. On the other hand, the AG found it disproportionate to impose obligations arising from the EUDPR on an entity which cannot reasonably identify the data subjects, as this would specifically require it to attempt to identify the data subjects. Therefore, the AG agrees with the GC that it was necessary to determine whether the pseudonymisation of the data at issue was sufficiently robust to conclude that the data subjects were not reasonably identifiable.

3. Does the transfer of pseudonymised data impact the information requirement?

The AG opined that the obligation to provide information laid down in Article 15(1)(d) EUDPR, read in parallel with the judgment in Breyer, is part of the legal relationship between the data subjects, on the one hand, and the controller, on the other, and not part of the relationship between the controller and the recipient, namely the processor. The AG therefore found that the controller was obliged to provide information prior to the transfer of the data at issue, irrespective of whether or not they were personal data in the processor’s possession. Accordingly, the issue of whether or not pseudonymisation is sufficiently robust and effective ultimately does not seem to the AG to be material with regard to the controller’s obligation to provide information. Consequently, the AG is of the opinion that the judgment under appeal must be set aside on the ground of an error of law.

II. Plea in law: Breach of the principle of Accountability

The AG stated that the controller would be able to demonstrate compliance with the principle of accountability laid down in Article 4(2) and Article 26(1) EUDPR by relying on filtering, categorisation and aggregation of comments to prove that it was impossible for the processor to identify the data subjects. If it was accepted, in the alternative, that the recipient’s point of view was relevant in the present case, the AG agrees with the GC that it was for the EDPS to demonstrate why the pseudonymisation was not sufficient. The AG was therefore of the opinion that the judgment under appeal should be upheld as regards this ground of appeal.

III. Conclusion

The AG concludes that, since the controller failed to fulfill its obligation to provide information under Article 15(1)(d) EUDPR, the decision at issue should be confirmed.

Regarding the alleged infringement by the EDPS of the right to good administration in the context of the procedure before the GC, the AG finds that it does not permit final judgment, because it was not necessary for the GC to examine all the facts of this plea after upholding the first. The AG therefore considers that the case should be referred back to the GC for judgment in that regard.

Holding

TBD
