Pseudonymization And Anonymization Of Data: Recent Developments From European Case-Law

• Published date: 19 June 2023
• Subject Matter: Corporate/Commercial Law, Privacy, Data Protection, Shareholders
• Law Firm: Global Advertising Lawyers Alliance (GALA)
• Author: Ms Laura Liguori (Portolano Cavallo) and Eleonora Curreli (Portolano Cavallo)

Thanks to Elena Mandarà for collaborating on this article

On April 26, 2023, the General Court of the European Union issued its decision in case T-557-20, focusing on the difference between pseudonymous and anonymous data. More specifically, the decision was issued in relation to the notion of personal data as defined by Regulation (EU) 2018/1725 on the processing of personal data by the institutions, bodies, offices, and agencies of the European Union, which is identical to the content of the GDPR on the subject.

The case involved the Single Resolution Committee ("SRC") and the European Data Protection Supervisor ("EDPS") and concerned the difference between treatment of shareholders and treatment of creditors and the latter's right to receive compensation upon implementation of a resolution scheme by a Spanish credit institution.

The dispute stemmed from five complaints submitted to the EDPS by a group of shareholders and creditors who complained that they had not been adequately informed by the SRC that the observations they had made and submitted via forms would be shared with third-party independent auditors to verify the accuracy of preliminary decisions made by the SRC in part in light of observations submitted by shareholders.

The data at the center of the case were shareholder and creditor observations received by the SRC in the consultation stage that had been assigned alphanumeric codes. These codes, generated for the purpose of handling any future disputes, allowed the SRC to link each observation to its registration data, thus identifying the subject who made each.

Only the observations and the corresponding alphanumeric codes were communicated to third parties; only the SRC could access the additional data.

According to the EDPS, the data transmitted to third parties qualified as pseudonymous data, and therefore as personal data, because shareholders could be reidentified using personal data possessed by the SRC only. Furthermore, the EDPS' position was that if the SRC could identify the shareholders, that meant the shared observations and alphanumeric codes were personal data, and this was true even if only the SRC had access to the data allowing identification of the shareholders.

In supporting its argument, the EDPS pointed out the following:

• In line with the GDPR, in defining personal data, Article 3 no. 1, Regulation (EU) 2018/1725 cites the possibility of identifying an individual "indirectly," and therefore it is not necessary that...