pseudonym for one may be anonymous for the other, personal data processing space

Settlement with independent external investigation

THE matter relates to a settlement agreement entered into by the Single Resolution Board has been declared applicable to a Spanish bank. This is a complex question of financial law and I will (hopefully) leave these financial aspects as they are.

As part of the resolution, it should be assessed, among other things, whether shareholders and creditors would have been better off if the normal insolvency procedure had been followed instead of the specific resolution procedure (loosely translated: the bank should it have been allowed to go bankrupt?). The shareholders and creditors concerned could register to be heard on this subject. They could then submit their comments in an online form.

Several thousand comments are received in the procedure. The majority of them turn out to be identical after a first analysis (therefore apparently a standard text). After a first filter on these duplicates, relevance and subject, there are nearly 4000 relevant comments. More than 1100 of them deal with the question of whether people would have been better off in a normal bankruptcy.

These more than 1100 comments are shared with the external auditor Deloitte for independent external advice. The comments are thus stripped of their personal data; only a unique alphanumeric code is associated with comments. Deloitte did not have the key to trace the alphanumeric code to a person; this key was only held by the financial authority.

Complaints from data subjects: lack of transparency on the sharing of personal data

Some shareholders and creditors report to the European regulator for the protection of privacy (of EDPS) complaining that it was not made clear enough in advance that the data would be shared with Deloitte, among others.

Privacy regulator: insufficiently transparent, but not enforced

The complaint of the persons concerned finally leads – after some procedural hassles – to the conclusion of the EDPS that there has indeed been a lack of transparency. The EDPS is of the opinion that the data shared with Deloitte qualifies as (pseudonymized) personal data, that Deloitte was therefore the “receiver” of it and that transparency should therefore have been exercised. However, given all the safeguards that had already been put in place, the EDPS saw no reason to take formal enforcement action.

The financial authority contests the decision

Although no enforcement action is taken, the Single Resolution Board contests the decision of the EDPS. This question (of principle) ultimately ends up before the General Court of the Court of Justice.

The question before the Court is whether the AG can appeal now that no enforcement action has been taken. The General Court clarifies that this is the case, the decision of the EDPS having binding legal effects. After all, now that the EDPS has established that the GA acted in breach of confidentiality rules, the GA could be held liable. Furthermore, the EDPS could use this prior breach against the AG in another enforcement action in the future. These two reasons mean that the AG’s appeal is simply admissible.

Court: justification requires data to be personal data

The key question in the procedure is whether personal data has been provided to Deloitte or not. After all, the answer to this question determines whether or not the GA has been transparent to Deloitte as the “receiver” of this data.

The Court adopts the interpretation of the Nowak decision and only states it when the information is due to it content, aim Or result is affiliated with a specific person, there is personal data. The EDPS had not tested or proven that it was personal data, but simply took the position that every opinion is personal data:

70 However, in the revised decision, the EDPS did not examine the content, purpose and effect of the information transmitted to Deloitte.
71 Indeed, it confined itself to indicating that the observations made by the complainants during the consultation phase reflected their opinions or positions and concluded on that basis alone that the information concerning them was sufficient for them to be classified as personal data.
72 During the hearing, the EDPS confirmed his view that any personal opinion is personal data. He also acknowledged that he had not considered the content of the comments made by the complainants at the consultation stage.

The Court is then very clear: it is up to the supervisor to find out whether the information is actually due to him content, aim Or result associated with a specific person. It cannot be based on guesswork. The simple reasoning “this is an opinion and therefore personal data” is therefore not sufficient. The EDPS had not further substantiated this point and the EDPS decision therefore fails on this point alone.

Court: personal data must be identifiable to the controller

A second question is whether the data was identifiable to Deloitte.

The GA had pointed out that the data provided to Deloitte was accompanied by a unique alphanumeric number and was otherwise devoid of identifying characteristics and that Deloitte did not have the key. Although the EPDS acknowledged that it was impossible for Deloitte to trace the identity in these circumstances, it also stated this because the key was in the hands of the GA and the data should therefore be considered personal data pseudonymized by Deloitte.

The General Court reconsiders the previous Breyer judgment of the Court of Justice. In this judgment, it was – in essence – considered that the question is whether a party has a means which can reasonably be used to identify the data subject. This is certainly not the case if it would require undue effort or if identification is prohibited by law.

The Court then points out that it follows from that judgment that it is required to from the point of view of the controller to assess whether personal data is concerned:

97 However, it is also apparent from the judgment of 19 October 2016, Breyer (C‑582/14, EU:C:2016:779), that, in order to determine whether the data transmitted to Deloitte constituted personal data, it Deloitte’s position to determine whether the information transmitted to it relates to “identifiable persons”.
(…)
100 In accordance with paragraph 44 of the judgment of 19 October 2016, Breyer (C‑582/14, EU:C:2016:779), cited in paragraph 91 above, it was therefore for the EDPS to examine whether the observations transmitted to Deloitte for its personal data.

However, the EDPS only assessed whether personal data is concerned from the position of the MA. The decision is therefore insufficiently substantiated.

Court: decision quashed

The General Court therefore annuls the decision of the EDPS according to which the AG breached the legislation relating to the protection of privacy.

Last word

As far as I am concerned, the judgment is a classic example of the application of the earlier Breyer judgment. The question of the applicability of privacy legislation is not whether the data is identifiable to a party (someone), but whether the data is identifiable to a specific party. After all, otherwise it could have already been decided in the Breyer case that each IP address is still personal data (which it is not).

However, this often goes wrong in practice. In many cases, complicated discussions arise on how to deal with pseudonymised or anonymised data. It is often forgotten that the point of view of the data controller must be taken into account. It is quite conceivable that, for example, personal data is pseudonymised in the context of scientific research and that the party to whom the data is then provided has nothing to do with privacy legislation. . It may nevertheless be wise to conclude certain agreements, if only on the prohibition of tracing data back to natural persons.

Interesting borderline cases quickly arise in such discussions. What about providing pseudonymised data to a foreign (e.g. American) research institute. From the provider’s perspective, personal data is transferred outside of the EEA, so all sorts of additional safeguards are needed. From the recipient’s point of view, non-traceable data is received and it seems a bit of a stretch to include all sorts of privacy guarantees. In practice, it would be good here if material reality prevailed over formal reality and if we could act a little more in the spirit of the law, instead of putting in place all sorts of formalities, the question being what is the added value (assuming the data cannot be traced, of course).

Another interesting point in this matter is the explicit judgment that it is important to also challenge decisions where no sanction has been imposed. Admittedly, in the past we have seen that the decisions of the Dutch data protection authority were not or hardly challenged. In fact, the Court now says that is not wise, because it establishes the breach and the “breach” can then be used against the party.

It should also be noted that the AG used all sorts of algorithms in this respect to filter and sort the responses and that the EDPS does not investigate this matter further. After all, there are all kinds of social discussions about the use of algorithms. It seems – albeit speculation – that the EDPS also understands that if nearly 24,000 comments are received, of which around 84% are completely identical, it is reasonably necessary to use digital means in order for the work remains somewhat manageable. In this sense, the sober figures in the matter also show that not all uses of algorithms have to be so “exciting” from the outset (contrary to what some media sometimes suggest).

Ask? Comments?

Do you have questions about the processing of personal data? About anonymization, pseudonymization, scientific research or something else? Do not hesitate to contact us. Comments on this blog are of course also welcome.