Anonymization vs Pseudonymization: what is the true status of coded data?

On 16 January last year, the European Data Protection Board (EDPS) revived a crucial debate on the protection of personal data, reaffirming that pseudonymization aims to reduce risks to the rights and freedoms of individuals, without completely eliminating them.

‍

So what is the real status of pseudonymized data?

‍

The ongoing case before the Court of Justice of the European Union (CJEU), opposing the EDPS to the Single Resolution Board of the European Union (SRB) (Case C-413/23 P), could redefine the way in which pseudonymization is interpreted at European level and raises questions about the obligations of data controllers in an ever more complex digital environment.

‍

This case places at the heart of the debates the question of whether coded, and therefore pseudonymized, data should be considered personal data or not, subject to the requirements of the GDPR.

‍

Clarification of the concept of pseudonymisation by the EDPS

‍

On 16 January last, the EDPS adopted guidelines indicating that pseudonymised data is, and remains, personal data as long as it can be linked to a person by the data controller or any other person. Therefore, it does not matter that the pseudonymized data and the additional information that allows the identification of an individual are in different hands, as long as it is possible to re-identify the person.

‍

Thus, the EDPS recalls that while pseudonymization makes it possible to reduce the risks for the persons concerned, the fact remains that the entities using this process must comply with all the requirements of the GDPR, and in particular with the principles of legality, transparency and confidentiality.

‍

Moreover, this position of the EDPS is the one adopted in the context of the EDPS v. SRB case.

‍

Background of the ECPD v. SRB case

‍

The case began in 2017, when the SRB set up a bank resolution plan, in which it allowed impacted shareholders and creditors to express their opinions electronically. The SRB entrusts to Deloitte, as a subcontractor, the analysis of these opinions that he sends to him by replacing the name of each participant by an alphanumeric code.

‍

After receiving five complaints, the EDPS concluded that the SRB had breached the obligations to provide information to the persons concerned, and considered that:

- the data shared by SRB with its subcontractor was pseudonymized data, since the alphanumeric code shared by the SRB made it possible to link the answers given during the registration phase to those given during the consultation phase of the bank resolution plan; and

- the failure to mention the subcontractor as a potential recipient of the data collected and processed in the SRB privacy policy constituted a violation of article 15 of the General Data Protection Regulation (RGPD).

‍

The case was then brought before the General Court of the European Union (TEU) by the SRB, appealing this decision sincehe considered that the data sent was anonymous since the data provided by the persons concerned to identify themselves in the registration phase had not been disclosed to the subcontractor.

‍

TEU decision

‍

On 26 April 2023, the TEU annulled the decision of the EDPS, considering that the EDPS had wrongly considered the pseudonymous data entrusted to Deloitte as personal data, without examining its content, purpose or effect (CJEU, Nowak v. DPC, 20 December 2017, C-434/16).

‍

Indeed, the TEU considered that the EDPS did not take into account, in its analysis, the fact that the recipient of the data did not have any legal means to access the additional information necessary to re-identify the persons concerned. The EDPS could therefore not validly conclude that the information transmitted to the subcontractor related to an identifiable natural person.

‍

The EDPS then appealed this decision, contesting the TEU's interpretation of the concept of personal data and maintaining that pseudonymised data is and remains personal data as long as the information allowing the re-identification of the persons concerned continues to exist.

‍

It is in this context that the Advocate General of the CJEU delivered an enlightening opinion.

‍

Opinion of the General Counsel

‍

Should pseudonymized data be automatically characterized as identifying, regardless of the accessibility of additional identification data, or should it be considered personal data only for actors who can reasonably re-identify the persons concerned?

‍

In answering this question, the Advocate General first recalls that anonymous data is excluded from the scope of the GDPR, and that therefore, pseudonymous data is also excluded only insofar as the persons concerned are not identifiable.

‍

Therefore, the General Counsel makes a strict interpretation of the concept of personal data and concludes that pseudonymized data may escape the qualification of personal data, when the risk of identification is non-existent or insignificant. Thus, pseudonymized data may not be considered personal data for the recipient of the data, if it is impossible for him to re-identify the persons concerned, even if this is possible for the sender of the information.

‍

In the opinion of the General Counsel, it would be disproportionate to impose obligations under the GDPR on an entity if the entity cannot reasonably identify the persons concerned, since this would require it to make efforts to specifically attempt re-identification. Therefore, the General Counsel recommends determining whether the pseudonymization processing of data was sufficiently robust to conclude that Deloitte could not reasonably identify the persons concerned.  

‍

However, the Advocate General recalls that the result of this analysis does not impact in any way the obligation for the data controller to provide the persons concerned with all the information required by the RGPD before any data transfer.

‍

It is now appropriate to monitor the future decision of the CJEU, which, although not bound by these conclusions, generally follows the opinion of the Advocate General.

‍

And in French law?

‍

Questions relating to the pseudonymization of data were of interest, both European and French, during the month of February. Indeed, by calling Qwant, the French search engine, to order for non-compliance with its obligations in terms of the protection of personal data, the CNIL was able to specify the difference between anonymization and pseudonymization.

‍

The sending by Qwant to Microsoft of truncated or hashed IP addresses does not allow complete anonymization of the data, contrary to what was advanced by Qwant during checks carried out in 2019. As a result, the data was indeed considered personal data, which should be subject to the obligations of the GDPR, particularly in terms of transparency and user information.

‍

This decision of the CNIL, and the conclusions of the Advocate General of the CJEU, highlight the importance of correctly qualifying the data processed, and of complying with the requirements of the RGPD in order to ensure respect for the rights and persons concerned.

‍

Recommendations for businesses

‍

In light of these cases, it is essential that businesses take concrete steps to ensure compliance with the GDPR:

- Precise assessment of the nature of the data processed : Before transferring or processing data, determine whether they are truly anonymized or simply pseudonymized. Pseudonymized data remains personal data and is subject to the GDPR.

- Transparency towards users : Clearly inform individuals about the collection, use, and transfer of their data. This information should be accessible, understandable, and provided at the time of data collection.

- Rigorous choice of partners : Ensure that third parties with whom data is shared also comply with GDPR standards. Data processing agreements must be established to oversee these relationships.

- Regular updating of privacy policies : Continuously adapt internal policies in accordance with legislative developments and the recommendations of data protection authorities.

- Training and awareness-raising : Train employees in data protection principles and internal procedures to ensure consistent and effective application of the GDPR.

‍

Sources:

• ‍Conclusions of the Advocate General‍
• Norton Rose Fulbright, CJEU Advocate General clarifies when pseudonymised data falls outside the definition of personal data, February 10, 2025 ‍
• Covington, CJEU Advocate General Supports Pragmatic Definition of Personal Data, February 6, 2025‍
• GDPR Hub, CJEU -C-413/23 - EDPS v SRB

Jeannie Mongouachon, partner lawyer and Juliette Lobstein, associate lawyer at Squair