On February 6, 2025, Advocate General Spielmann released his opinion in the EDPS vs. SRB case (Case C‑413/23 P). In this case, the European Data Protection Supervisor appealed a decision from the General Court (see our blog post here).
In essence, the case turns on the question of whether coded (pseudonymized) personal data shared by the Single Resolution Board (“SRB”), an agency of the EU, with its consultants, Deloitte, was personal data for Deloitte and whether an authority can automatically conclude that the pseudonymized data must also be personal data for Deloitte.
The AG concludes, as a threshold point, that the key-coded opinions expressed by individuals and shared by SRB with Deloitte are personal data relating to those individuals and that the EDPS did not have to examine the substance of these opinions to come to this conclusion. The opinions “relate to” those individuals forming them, and as such qualify as their personal data.
Second, and more contentiously, the AG states that the EDPS should not have concluded that the pseudonymized data shared by SRB, with Deloitte, is automatically personal data for Deloitte. Instead, the EDPS should have verified whether Deloitte had “reasonable means” at its disposal – i.e., technical, legal or other capabilities – to identify the individuals concerned. However, the AG also notes that “it is only where the risk of identification is non-existent or insignificant that data can legally escape classification as ‘personal data’”, effectively setting a high bar when applying this standard.
Finally, the AG holds that SRB should have informed individuals under the law’s transparency obligations about the disclosure of their pseudonymized data to Deloitte, even if that data is anonymous for Deloitte.
The CJEU will now need to render its judgement in light of the AG’s opinion, something that may be expected before this Summer. Historically, the Court has tended to follow an AG’s opinion in the majority of cases, but it is not bound by it.