As we’ve written about before, the question of anonymization can be tricky. When is something “anonymized” or merely “de-identified” or “pseudonymous” — and when does it matter? This is a particularly fraught issue under the GDPR, where the text of the regulation creates practical compliance complications under various scenarios.
But in an important recent decision, the European General Court (or EGC, which hears actions against EU institutions, and where actions are appealable to the Court of Justice), the EGC apparently clarified that in certain important instances, data that we might think of as “de-identified” (or “pseudonymized,” in GDPR-speak) can be considered anonymous. This matters, because while the GDPR regulates pseudonymized data, it does not govern anonymous data.
In very brief summary and relevant to this post, the case — Single Resolution Board v. European Data Protection Supervisor, or SRB v. EDPS — SRB created a survey of shareholders. The survey respondent names were replaced with an alphanumeric code, and data (codes along with survey responses) was provided to a consulting firm for analysis.
One of the questions before the EGC was whether the information provided to the consulting firm was anonymized. The EGC responded that, because the consulting firm was provided de-identified information, it was not provided the “key” to that information (that is, the names linked to the codes). Because it had no way to access the uncoded information, the consulting firm could not re-identify the information as both a legal and practical matter. Accordingly, the information was not “pseudonymous,” it met the requirements for being anonymous (that is, it did not relate to an identified or identifiable person).
Per the decision, “in order to determine whether the information transmitted” to the third party “constituted personal data, it is necessary to put oneself” in the position of the third party “in order to determine whether the information transmitted to it relates to ‘identifiable persons.'” Here, in the absence of legal and practical means to access the information, the third party only had survey results with codes; as such, the did not relate to identifiable persons.
As a practical matter, this decision is not only sensible, but is also a huge sigh of relief to organizations that receive tokenized or de-identified information as a matter of course, but do not otherwise receive the “key” to unlocking that information. Thus a clinical trial sponsor running a trial from the U.S., but receiving coded information from a patient site in the EU, would not under this decision be forced to consider GDPR compliance because the information it is receiving is anonymized.
As a matter of plain text, however, the decision might not stand. The Court of Justice could take the case on appeal; if it does, it is likely to closely scrutinize the legal question. The EGC may not be the final word here, and the GDPR’s text and recitals — as well as the CJEU’s past interpretations of the GDPR and surrounding legal authorities — suggest that a reversal should not be discounted.