On April 26, 2023, the General Court of the European Union issued its judgment in Case T-557/20, SRB v EDPS.
The Court held that pseudonymized data transmitted to a data recipient will not be considered personal data if the data recipient does not have the means to re-identify the data subjects. The Court also clarified that an individual’s opinions cannot be assumed to be personal data; instead, a case-by-case assessment is necessary.
Background. The Single Resolution Board (‘SRB’) used an electronic form for interested parties to express their views and shared the responses received with a consulting firm. Before sharing the responses, SRB replaced the name of each respondent with a code. Following a number of complaints, the European Data Protection Supervisor (‘EDPS’) decided that the SRB shared pseudonymized personal data with the consulting firm without informing the affected individuals of this sharing. The SRB considered that providing that information was unnecessary because the data transmitted were anonymized and, consequently, could not be considered personal data for the data recipient.
Pseudonymous or anonymous data. The General Court highlighted that, in line with the Court of Justice’s decision in Breyer (see our blog here), in order to determine whether pseudonymized information transmitted to a data recipient constitutes personal data, it is necessary to consider the data recipient’s perspective. If the data recipient does not have any additional information enabling it to re-identify the data subjects and has no legal means available to access such information, the transmitted data can be considered anonymized and therefore not personal data. The fact that the data transmitter has the means to re-identify data subjects is irrelevant and does not mean that the transmitted data is automatically also personal data for the recipient.
Opinions as personal data. The General Court also held that, while personal views or opinions may constitute personal data, they cannot be presumed to be so; instead, a case-by-case assessment “based on the examination of whether, by its content, purpose or effect, a view is linked to a particular person” is needed.
Appeal. The General Court’s judgment can be appealed to the Court of Justice of the European Union.
The Covington Data Privacy and Cybersecurity team will continue to monitor this case, including any appeal, and report on any relevant court decisions or Advocate General opinions.