
CJEU confirms context matters: a risk-based approach to pseudonymised data?

The Court of Justice of the European Union (CJEU) has handed down a decision that, among other things, provides significant clarification on the definition of personal data in the context of pseudonymisation under EU data protection laws. The court also looked at whether opinions are personal data and at the obligations of controllers when sharing pseudonymised data.

By way of reminder, pseudonymisation is the processing of personal data in such a way that the data can no longer be attributed to a specific individual without additional information, where such additional information is kept separate.

This case was an appeal raised by the European Data Protection Supervisor based on a previously annulled decision.

Key findings of the Court:

  • Opinions are personal data: individuals’ personal opinions constitute personal data because personal opinions or views are an expression of a person’s thinking and are necessarily closely linked to that person.
  • Context matters: if technical and organisational measures are put in place that are sufficient to prevent re-identification, that data may not be personal data under data protection laws. Whether pseudonymised data is personal data must be assessed on objective factors such as the cost and time required for re-identification, the available technology and the likelihood that re-identification would be attempted.
  • Transparency obligations are strict: the identifiable nature of the data subject must be assessed at the time of collection of the data and from the point of view of the controller. This means that even though the data transferred to a third party (Deloitte in this case) was pseudonymised, Deloitte should have been included as a recipient in the controller’s privacy notice and the controller is still subject to obligations under data protection laws.

Implications

This ruling provides greater legal clarity and may support a risk-based, contextual approach to pseudonymisation. This may come as welcome news to those businesses processing pseudonymised data which struggle to understand why pseudonymised data is deemed personal data if they lack the means to identify the individuals without additional information – but it is not a blanket exemption.

Even though this is an EU decision, English courts may follow a similar approach and there are some key takeaways from a data protection compliance perspective:

  • Data sharing agreements should carefully assess who can re-identify data and under what circumstances.
  • Pseudonymisation is not a blanket exemption from compliance with data protection laws—it depends on actual risk and context.
  • Controllers must still inform data subjects about data sharing, even if the recipient cannot re-identify them.
