Advocate General Spielmann recently considered whether pseudonymised data shared by the Single Resolution Board (SRB) with a third party qualified as personal data under the EU General Data Protection Regulation (GDPR).
The European Data Protection Supervisor (EDPS), the body responsible for ensuring compliance with EU data protection laws, had previously determined that the SRB violated the GDPR by not informing individuals about the data sharing. However, the General Court annulled the EDPS's decision, stating that the third party that had received the data did not have the means to identify the individuals concerned, meaning that there had been no breach of the regulations by the SRB.
Key points to remember:
- Recital 16 of the GDPR: this recital provides that “personal data which have undergone pseudonymisation... should be considered to be information on an identifiable natural person”.
- Definition of pseudonymisation: The GDPR broadly defines pseudonymisation as the processing of personal data in such a way that the data can no longer be attributed to a specific individual without additional information, where such additional information is kept separate.
- Business challenges: Many businesses, particularly in sectors such as pharmaceuticals, often struggle to understand how pseudonymised data can be deemed personal data when they lack the means to identify the individuals, and whether they are subject to the requirements of the regulations in such cases.
Advocate General's opinion
The Advocate General of the Court of Justice of the European Union (CJEU) stated that pseudonymised data should not automatically be considered personal data if the risk of re-identification by the recipient is "non-existent or insignificant." The perspective of the data recipient is crucial in determining whether the data is personal data. To deem any pseudonymised data "personal" just because of a remote probability of re-identification undermines recital 16 of the GDPR, which provides that when determining whether an individual is identifiable, consideration should be given to "the means reasonably likely to be used to identify the natural person" with reference to factors such as the cost and the amount of time required for identification.
While this opinion is not binding, the CJEU often follows the Advocate General's advice.
You can read the full opinion here.
Implications
This opinion suggests a more pragmatic approach to data protection compliance, offering a commercial interpretation of the GDPR's requirements. It seems likely that English courts might adopt a similar approach.