On April 26, 2023, the General Court of the European Union issued a ruling in Case T-557/20, SRB v EDPS, finding that pseudonymized data shared by one party with another will not be considered personal data in the hands of the recipient, if the recipient does not have legal means to re-identify the individuals behind the data. The General Court also addressed the matter of personal opinions being considered personal data, clarifying that just because personal opinions can qualify as personal data, they are not automatically personal data – each situation must be assessed on a case-by-case basis.
This case arose out of a shareholder survey undertaken by the Single Resolution Board (SRB) as part of which it shared the resulting responses with a third party consulting firm. Before doing so, SRB pseudonymized that data by replacing the name of each respondent with alphanumeric code, to ensure responses could not be linked back to individuals. The decoding key capable of linking the alphanumeric codes to individual respondents was not shared with the consulting firm.
Following a number of complaints by survey participants, the European Data Protection Supervisor (EDPS) determined that SRB had shared pseudonymized personal data with the consulting firm without informing the affected individuals of this sharing. To qualify as personal data under the GDPR, data must "relate" to a natural person, and that person must be "identified or identifiable". SRB appealed to the General Court, rejecting the EDPS determination that the survey data shared met these cumulative conditions.
"Identified or identifiable": General Court ruling on pseudonymized personal data
The General Court clarified that the analysis of whether or not data is pseudonymized and therefore personal data, or anonymized and therefore outside of the scope of the GDPR, should take into account the circumstances of the party holding the data. The General Court found that pseudonymized data shared with a third party will not be considered personal data in the hands of the recipient, where the recipient does not have the additional decoding information required to re-identify the data subjects and no legal means of obtaining this information. The fact that the sender of pseudonymized data has the decoding key, and therefore the means to re-identify data subjects, is considered irrelevant.
"Relates to": General Court ruling on personal views and opinions
In responding to the argument by the EDPS that the survey responses shared by SRB were collected to obtain the viewpoints of individuals and therefore are personal data, as they "relate to" an individual, the General Court held that although personal views and opinions may constitute personal data, they cannot be presumed to contain personal data by default. A case-by-case assessment is necessary to determine whether a view or opinion is actually linked to an identifiable person.
What does this mean for companies?
This ruling by the General Court provides much needed clarity on the definition of personal data in the context of pseudonymized data and personal opinions. In particular, it has shifted the focus on to the extent that identifying data resides with a particular party, inviting companies to revisit whether data they are sharing, or the recipient of, is personal data.
However, it is important to note that the EDPS can still appeal this ruling to the Court of Justice of the European Union.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.