Where exactly is the line between ‘personal data’ and ‘no longer personal data’ when you transfer data from one party to another? More specifically, where is the boundary if you do not share names or email addresses from your database, but only self-generated reference numbers? Is that pseudonymisation? Anonymisation? And are those data then still personal data?
The General Data Protection Regulation (GDPR) has been in force for more than six years, yet this question remains unresolved. Today, the Advocate General (AG) of the Court of Justice of the European Union (the Court) provides a sneak preview, but unfortunately little more than that.
This issue has been debated before the European courts for several years (see this judgment). The conclusion at the time was that the key question was whether the receiving party could still link the data to natural persons. How that linkage should be assessed and which factors were relevant? On that point, the court said very little.
We are now at the appeal procedure, and the AG’s opinion has been published. What does it show? Surprise. It depends.
According to the AG, pseudonymised personal data can still be personal data, but, at least under the wording of the legislation, they may also no longer qualify as such. According to the AG, this depends on whether the risk of (re)identification is non-existent or negligible. If that is the case, the data are no longer personal data and the GDPR no longer applies, at least not for the recipient if that recipient cannot identify individuals from the data.
This leads to another interesting question: if the data are personal data for the sending party, but possibly not for the receiving party, does the sender still have to inform data subjects about the recipient as a recipient of personal data? The AG essentially says that this is not the right question to ask. What matters is that the sender informed data subjects that their information would be pseudonymised in order to transfer it to the receiving party. That obligation arose before the transfer and should therefore have been fulfilled at that stage.
The AG concludes by recommending that the case be referred back to the EU court of first instance.
An important footnote: the Court may still decide differently. The AG advises the Court, but the Court will decide for itself and although it often follows the AG, it does not always do so.
Will we soon have a definitive answer? It would be a nice gift for the next ‘birthday’ of the GDPR in May, but there is a good chance that the Court will indeed refer the question back to the court of first instance once again.
Read the full opinion of the AG here.
