Discussion of the Verdict of the EuG from 26.04.2023, T-557/20
Let’s say I’m a scientist working with personal data in my day-to-day work. Sooner or later, I will have to ask myself how I can prevent this data from floating around without any protection in the open net space.
Most of the time the solution to that problem will be pseudonymization. During this process identifying markers of a data set are being separated and stored away from the data set in a way that hinders a simple reidentification. This is also an encouraged procedure by the General Data Protection Regulation (GDPR) to ensure a higher level of data protection.
But what happens when I upload my pseudonymized data onto a repository. Are they considered pseudonymous for the repository as well? Or maybe even anonymous? The relevance of this question will be evident when we look at the consequences of pseudonymous vs. anonymous data:
The former is still considered personal data. The GDPR stays applicable and has to be adhered to. In that case the repository operators would have to potentially inform the person concerning the data about the collection and use of it, among other things.
If they were classified as anonymous on the other hand, the GDPR would not apply and the repository operators therefor wouldn’t have to adhere to it because in the process of anonymization the identifying markers are permanently removed from the data set and not stored.
We have three different actors:
1 – The SRB, the data collectors: An EU-institution guaranteeing the proper settlement of finance instituts in danger of bankruptcy. They created an electronic form, in which the shareholders and creditors could state their opinion in the matter. They encrypted the data by replacing the name of the participants with an ID and stored the encryption key separately.
2 – Deloitte, the data receiver: A private business. It received the encrypted data from the SRB as an independent assessor, but not the encryption key.
3 – The European Data Committee (EDSP): they took on the case and decided, that the data given to Deloitte is to remain to be considered personal data for the business, since they theoretically could gain access to the encryption key and therefor making a reidentification of persons possible again.
The EGC then had to decide, if the data given to Deloitte is in fact pseudonymous or anonymous. In its verdict, it disagreed with the EDSP with the following reasoning:
If identifying complimentary knowledge is exclusively in the hands of the initial responsible entity (here the SRB), the encrypted data is considered as non-personal data for the receiver of said data. If the receiver can – even hypothetically – gain access to the encryption key neither legally nor technically, the pseudonymous data is considered anonymous for them.
In this specific case, Deloitte didn’t have any legal possibilities to gain access to the key nor any reasonable technical option, since the key was stored on a separate computer.
If we now position the scientist in the shoes of the SRB and the repository operators in the shoes of Deloitte, we get the following: if the repository operators are legally not allowed to access the encryption key or don’t have a reasonable technical ability to do so, the pseudonymous data uploaded on a repository becomes anonymous for the operators and third-party data users.
As a result, the operators don’t need to adhere to the GDPR when receiving encrypted data and providing that data to other users. Neat, isn’t it?