Thursday, March 12, 2026
Law And Order News

Schroedinger’s data: SRB and the Digital Omnibus



With its judgment in SRB, the ECJ has created a paradox in EU data protection law: data may be both personal and non-personal at the same time. This is reminiscent of a thought experiment widely known as Schroedinger’s cat. However, unlike the hypothetical cat, the data in the pseudonymisation box is both personal and non-personal, depending on who is looking at the box. For the controller, i.e. the entity determining the purposes and means of the processing, who has the additional information that allows them to open the box, the data is personal. The same is true for anyone reasonably likely to obtain this information. For those who do not have this additional information, the ECJ argues, the data are non-personal.

The GDPR only applies to personal data. So this case law has major implications for the protection of such data and the applicable law. In this post I take the ECJ’s case law on the definition of personal data, pseudonymisation and the scope of data protection law as a starting point to consider the broader implications of this line of jurisprudence. I also look ahead at the Commission’s recent Digital Omnibus proposal to change the definition of personal data in the GDPR, purportedly under the impression of this case law. I find that the relative approach to the definition of personal data, adopted by the Court, leads to a multitude of problems in the course of processing operations and that the changes proposed by the Commission would further aggravate the situation.

 

1. Pseudonymisation and the SRB judgment

Pseudonymisation of data is a technical and organisational measure, which means that ‘the personal data can no longer be attributed to a specific data subject without the use of additional information provided that such additional information is kept separately and is subject to [further] technical and organisational measures that ensure that the data are not attributed to an identified or identifiable natural person’ according to Article 4(5) GDPR. Meanwhile, the GDPR itself, according to Article 2(1), only applies to personal data, which are defined in turn as ‘any information relating to an identified or identifiable natural person’ in Article 4(1) GDPR. If, thus, pseudonymisation aims to hinder attribution of data to persons, this technical and organisational measure could also be seen as affecting the application of the GDPR under Article 2(1).

This question was one of the issues in the ECJ’s judgment in SRB, where the eponymous Single Resolution Board had pseudonymised comments that were submitted to it, before passing them on to Deloitte, which was tasked with assessing them and thereafter, presumably, returned them to the SRB, which continued its processing operation after de-pseudonymising the data (paras. 21-28). The Court found that pseudonymisation was not part of the definition of personal data, but a technical and organisational measure (paras 71-72). Yet, when the pseudonymisation of personal data prevented the identification of a data subject, then this might, if implemented according to the legal requirements, ‘have an effect on whether or not those data are personal within the meaning of [Art. 4(1) GDPR]’ (paras 74-75). In the judgment the ECJ referred to the applicable EU Data Protection Regulation (EU) 2018/1725. For simplicity, I refer to the identical provisions of the GDPR.

Referring back to its judgments in OC v Commission (para. 51) and, ultimately, Breyer (para. 46), the Court stated that for risk mitigation by pseudonymisation it was sufficient if the risk of identification appeared insignificant, for instance because of a legal prohibition or disproportionate effort (SRB, para. 82). Having thus set the scene, the Court found that the existence of additional information enabling identification did not imply that pseudonymised data was personal data for every person in all cases (para. 82). Relying on its judgments in Breyer (paras 44, 47-48) and IAB Europe (paras 43 and 48) it held that ‘data which are inherently impersonal […] were nevertheless linked to an identifiable person, since the controller had legal means of obtaining additional information from another person making it possible to identify the data subject’ (SRB, para. 83). While the Court did not further elucidate the somewhat opaque meaning of ‘inherently impersonal data’, it continued that in such circumstances, the fact that the information enabling identification was held by third parties did not actually prevent their identification by the controller.

The Court further invoked its judgment in Gesamtverband Autoteile-Handel (paras 46 and 49) where it had held that impersonal data could become personal when the controller puts them at the disposal of people who have reasonably likely means of identification (SRB, para. 84). Thus, the ECJ concluded that whether or not data were personal had to be determined in each context. For instance, when pseudonymised data were transferred to a third party and it could not be ruled out that the recipient had means reasonably likely allowing them to identify data subjects, for instance by cross-checking with other data available to them, the pseudonymised data had to be considered personal data (para. 85). However, as the Court had previously stressed that the recipient in the case at hand, Deloitte, had at no time had access to the additional information for identification (para. 28), it concluded that pseudonymised data did not constitute personal data in all cases for every person, when the pseudonymisation effectively prevented them from identifying the data subject (para. 87).

 

2. The relative definition and the level of protection

The ECJ, thus, further developed its relative definition of personal data that it has been pursuing since Breyer in 2016. Taking SRB and Breyer together, we can see that there are two major issues that, taken together, considerably lower protections for data subjects when dealing with pseudonymised data: those handling pseudonymised data may be exempt from the GDPR altogether, and a mere legal prohibition, rather than other, more robust technical and organisational measures, may be sufficient to trigger this exemption.

The first major issue I want to discuss is that under the current case law, the GDPR may not apply to some pseudonymised data. Under the relative definition, whether data is regarded as personal or non-personal depends on the specific situation of the person processing data. Where a controller pseudonymises personal data, a co-controller, processor or other third party may claim they do not have access to the additional information, the data are thus not personal for them and they operate outside the scope of the GDPR.

The relative approach thus gives controllers considerable leeway, especially considering that there are many different forms of pseudonymisation that differ widely in terms of effectiveness of protection for the personal data at issue. Importantly, elevating the perspective of controllers, processors or other third parties to a decisive criterion is a choice and it is not without alternative. Indeed, the perspective of controllers, processors or other third parties may not be the only relevant perspective. Data protection, according to Article 1(2) GDPR, aims to protect the fundamental rights of individuals with regard to the processing of personal data, i.e. it is supposed to protect individuals from the inherent risks of data processing (in detail Bieker, pp. 195-202). To counter such risks, controllers must take technical and organisational measures according to Article 24 GDPR. As the Court rightly points out, pseudonymisation is one such measure.

Yet, the Court’s line of reasoning does not account for the practical risks of data processing. Under Article 24(1) GDPR, the technical and organisational measures must be appropriate to the risks to the rights of individuals. Indeed, if the additional information held by the controller is not disclosed to the processor – as was the case in SRB from all we know – there is, in the end, no damage to the individual. However, the mere existence of the additional information creates a risk that it may be disclosed to the processor or third parties. And this warrants protection. So rather than exclude this operation from the scope, it must be ensured that the risks are appropriately mitigated.

Of course, the obligation to mitigate risks is not limitless. Article 32 GDPR scales the obligations of controllers and processors according to the risk of the processing. Pseudonymisation may reduce the risk to individuals. Ensuring that the additional information is stored safely with the controller further reduces the risk. And yet, it does not completely eliminate the risk. As we see in practice, data breaches happen. They occur at a very large scale, just taking into account those that are reported in the media. Thus, it does not seem warranted to release the co-controller or processor from their limited obligation to implement appropriate technical and organisational measures to protect the pseudonymised data they receive.

The second major problem when applying the current case law is that the Court finds a legal prohibition, i.e. a provision that bans a certain practice, to be sufficient to protect against the risk of de-pseudonymisation. Technical and organisational measures as required inter alia by Articles 24 and 32 GDPR can take various forms and may be of varying usefulness for a specific risk. Pseudonymisation itself is one such measure. However, as it comes with its own risks, namely de-pseudonymisation, it requires further technical and organisational measures to mitigate this follow-up risk. In SRB (para. 82) the Court reiterates its finding (originally from Breyer, para. 46) that a legal prohibition is an appropriate measure to prevent risks of re-identification of pseudonymous data. Following this argument, it would be sufficient if the legislator banned a given third party from accessing information, for instance by a legal provision that protected the confidentiality of the data in question. This argument originated in Advocate General Campos Sánchez-Bordona’s 2016 Opinion (para. 68) in that case. The DPD, as applicable legislation at the time, did not contain any further details on how to account for pseudonymised data. However, in recital 26 GDPR, the legislator found that to ascertain whether means were reasonably likely to be used to identify individuals, the available technology at the time and the technological developments should be taken into account. The recital does not mention legal measures.

So while the ECJ relies on legal guarantees, the legislator only considered technical ways to revert pseudonymisation. Considering the risk for individuals, there is a substantive difference whether it is technically feasible to break pseudonymisation or whether a controller, processor or other third party violates a prohibition.

 

3. A lower standard and other consequences

Taking the ECJ’s standards together, co-controllers and even processors may be released from their limited obligations under the GDPR by a simple legal rule that states that they and third parties are not allowed to revert the pseudonymisation of data, even if this is a simple technical process. This does not take into account the above-mentioned data breaches and the reality of current data practices. There are many ways data flow between controllers, processors and third parties in quite complex processing operations that face problems of scope and legal compliance (in detail Cobbe, pp. 17-30 and Balayn/Gürses). The Court’s jurisprudence has not accounted for this and thus, with its relative approach, exposes individuals to considerable risks.

On a practical level, the Court’s case law also creates issues for controllers, as they must conclude a co-controller or processing agreement when they transfer personal data to another entity for processing. However, if these data are not personal to the recipient, the GDPR would not apply to them and they would not have to conclude such an agreement. As the two parties have to conclude some kind of contract, it would be in the best interest of controllers to ensure that this contract includes the provisions of a co-controller or processing agreement, if not in name then in substance. This, in turn, would mean that co-controllers and processors are free of their GDPR obligations only formally, as the contract would have to set equivalent standards. Further, they would have to constantly evaluate whether the data have become personal.

In cases of data breaches or data subject complaints, the data protection authorities would first have to establish jurisdiction (also see noyb, p. 5) and, where the data have not become personal for the processor, would not be able to intervene on data subjects’ behalf. This would only leave individuals with civil actions against processors, which would require costly court proceedings.

 

4. The Commission’s Digital Omnibus proposal

Apparently, the Commission, in its purported attempt to introduce simplifications to the GDPR, chose this particular line of jurisprudence to include in its Digital Omnibus proposal. Article 3(1)(a) of the proposal amends the definition of personal data in Article 4(1) GDPR by three sentences. The first two sentences resemble para. 86 of SRB, stating that ‘[i]nformation relating to a natural person is not necessarily personal data for every other person or entity, merely because another entity can identify that natural person […] where that entity cannot identify the natural person to whom the information relates, taking into account the means reasonably likely to be used by that entity.’ The third proposed sentence adds that ‘[s]uch information does not become personal for that entity merely because a potential subsequent recipient has means reasonably likely to be used to identify the natural person to whom the information relates.’ Thus, the Commission did not only not include the clarification of the Court in SRB (para. 84) that ‘impersonal data may become “personal” in nature where the controller puts them at the disposal of other persons who have means reasonably likely to enable data subjects to be identified’, referring to its earlier judgment in Gesamtverband Autoteile-Handel (paras 46 and 49), but even contradicts this case law (also see Korff, p. 6) with the third sentence of Article 3(1)(a) of the proposal.

According to the accompanying Staff Working Document (p. 38), the proposal implements recent case-law of the ECJ and brings clarity to this key notion, thus increasing legal certainty. While the Commission is pushing a questionable narrative that there are only targeted amendments (in detail Alemanno) that clarify the GDPR and keep its core intact (also see Ruschemeier), the proposed change to Article 4(1) GDPR would significantly restrict its application. Given the substantive jurisprudence of the Court in other judgments, such as Gesamtverband Autoteile-Handel, Breyer or OC v Commission, it is unclear why the Commission would only implement what amounts to one paragraph of a judgment without other relevant context from the very same and further judgments. While the legislator is free to decide to reform rules even after the Court has interpreted them, the inherent contradiction with the Court’s other case law betrays the Commission’s narrative. Passing Article 3(1)(a) of the Digital Omnibus would be a disservice to the consistency of the data protection framework (see also Stalla-Bourdillon, p. 10) and legal certainty, as it would require further jurisprudence to clarify its scope (also see EDRi). At the same time, from the perspective of individuals affected by data processing, the Court is unlikely to fully resolve the issues, as the Court itself has caused considerable legal uncertainty with its case law (in detail Lodie/Lauradoux, pp. 11-13).

 

5. Conclusion and outlook

EU data protection law has already passed a critical juncture – and taken the wrong path. The ECJ’s relative approach to the definition of personal data lowers the standard of protection, aggravates enforcement by data protection authorities and will also cause the Court a considerable workload. Data subjects, data protection authorities and, ultimately, courts must establish who has or had reasonably likely access to the additional information to even know whether the GDPR applies. At the same time, the Commission’s proposal would erode the definition of personal data even further, would cause even more legal uncertainty and leave data subjects without redress outside of court proceedings in many instances.

Meanwhile, in practice, we are already seeing Big Tech companies co-opting privacy enhancing technologies to obfuscate and expand their processing operations. Giving them further avenues to reduce protection, for instance by adopting the Commission’s proposal, will backfire and cause harm for individuals. The ECJ could adapt its jurisprudence when facing such practices. There would still be potential for better differentiating between anonymous data that are outside of the scope of the GDPR and pseudonymous data that fall within its scope. As it currently stands, the Court’s case law is not well-equipped to deal with such future developments. Perhaps in data protection, as in physics, the simultaneous state of being and not being is not very stable.

Dr. Felix Bieker is senior researcher at ULD, the data protection authority of Schleswig-Holstein, and works on platforms, infrastructures, and critical approaches to EU data law.

This work was funded by the Federal Ministry of Research, Technology and Space within the project ‘Neue Datenschutzgovernance – Technik, Regulierung und Transformation’ (DatenTRAFO), https://plattform-privatheit.de.


