EU General Court annuls EDPS decision and examines when personal data can be considered anonymised

In the context of a bank resolution procedure in respect of Banco Popular Español, SA, the SRB invited the bank shareholders and creditors that were potentially impacted by this procedure to exercise their right to be heard. This process involved two steps: (a) registration (submission of ownership and identity information) and (b) subsequent provision of comments. Only a small number of SRB employees had access to the registration information whilst the comments were stored separately by reference to a randomly generated 33-digit alphanumeric code. As part of the right to be heard process, the comments (along with their respective codes) were provided to external consultant, Deloitte.

Following receipt of five complaints from affected shareholders and creditors of the bank, the EDPS decided that the SRB had shared personal, albeit pseudonymous, data with Deloitte. As the SRB privacy notice failed to reference such disclosure, the EDPS therefore found that the SRB was in breach of its transparency obligations under Article 15(1)(d) of Regulation 2018/1725. 

The EDPS initially issued the SRB with a reprimand but, following review of further information, revised and replaced its original decision, determining that the technical and organisational measures put in place by the SRB mitigated the risk to individuals such that it was not necessary to exercise any of its corrective powers (though it did recommend updating the SRB privacy notice to ensure full compliance).

Following appeal by the SRB, the Court annulled the EDPB’s decision. The Court considered that the EDPS had erred in finding that the information provided to Deloitte was personal data as defined in Article 3(1) Regulation 2018/1725. 

Personal data constitutes information that “relate to” an identified or identifiable natural person. The Court considered that where information, by its content, purpose or effect, was linked to a particular person it can be said to relate to them. However, the EDPS had not considered the content, purpose or effect of the information, but rather presumed that comments constituting views or opinions must therefore relate to the individual.  The Court found that this was an incorrect presumption.

Further, to constitute personal data, information must relate to an “identified or identifiable” natural person.  The SRB considered that the data was anonymous as it did not share with Deloitte the information necessary to enable re-identification of the author of the comments. The EDPS considered the data was personal data because it was possible to identify individuals with use of additional information (ie the decoding database held by the SRB) even though Deloitte did not hold that additional information.  

The Court acknowledged that data may constitute personal data even if the additional information necessary to identify the relevant individual is not held by the same party. However, in this case, the Court decided that the EDPS could not conclude that the information transmitted to Deloitte constituted information relating to an ‘identifiable natural person’ as required by the definition of personal data. Importantly, the EDPS had not considered whether there were legal means available to Deloitte which could, in practice, enable it to access that additional information necessary to re-identify the comment authors. The EDPS had simply considered whether re-identification was possible from the point of view of the SRB. On this basis, it is clear that the same data may be considered pseudonymous in the hands of one person but anonymous in the hands of another. 

The Court decision is available here.