On April 26th 2023, the General Court (Eighth Chamber, Extended Composition) of the European Union issued its judgment in Case T-557/20, (SRB v EDPS).
The General Court highlighted that, in order to determine whether pseudonymized information transmitted to a data recipient constitutes personal data, it is necessary to consider whether the data recipient has legal access (or not) to any additional information that would enable re-identification of the data subjects.
To this end the General Court referred to a previous judgment by the Second Chamber on October 19h 2016, Case C-582/14, Breyer v Bundesrepublik Deutschland, where in paragraphs 45-46 the Court of Justice sought to ascertain whether the possibility to combine a pseudonymous dataset (dynamic IP address) with the additional information held by the data handler (internet service provider) constituted a means likely reasonably to be used to identify the data subject, and stated that that would not have been the case if the identification of the data subject had been prohibited by law or had been practically impossible on account of the fact that it would have required a disproportionate effort in terms of time, cost and man-power, so that the risk of identification would have appeared in reality to be insignificant.
Similarly in Case T-557/20 (paragraph 105) it is decided that since the data recipient had no legal means available to it which could in practice enable it to access the additional information necessary to re-identify the data owners, consequently the transmitted data did not constitute information relating to an ‘identifiable natural person’ within the meaning of Article 3(1) of Regulation 2018/1725.
The fact that the data transmitter has the means to re-identify data subjects is irrelevant and does not mean that the transmitted data is automatically also personal data for the recipient.
The Key takeaways that most are transmitting on social media are:
- It's necessary to consider the data recipients perspective when considering whether data is personal data;
- Pseudonymized data transmitted to a recipient will be anonymous data if the recipient does not have the means to re-identify the data subject;
- The fact the data transmitter has the means to re-identify the data subjects is irrelevant and does not mean the transmitted data is automatically also personal data for the recipient.
Now, it is important to note that whilst the decision is a welcome step in the direction of clarifying the legal perimeter for data sharing within EU, it still leaves quite some to desire on the front of citizens' protection. The Court decision seems in facts based on the sole assumption that legal access to further data is not available to the recipient, whilst it ignores the other condition mentioned in case 582/14, namely that of practical possibility over time (highlighted above).
Much like in the "Harvest Now, Decrypt Later" scenarios of quantum computing threat analyses behind the acceleration in NIST's post-quantum cryptography initiative, it is possible to re-identify data at later stages when new information becomes available legally (or new techniques become available to efficiently guess them... be reminded that research is constantly moving the bar). Thus, a decision looking at responsibilities in data sharing only from a hic et nunc perspective, falls short on defending citizens interests, which is arguably the initiating motivation for the subsistence of the norms in GDPR.
Will we wait for the first accidents to occur, even when it's common talk today that we need to harden the defenses of our data infrastructures to be ready to a rapidly evolving geopolitical scene? Or how can practitioners share a pedagogical and reciprocally beneficial conversation with Courts to agree on pragmatic means to include impact assessments at a reasonable future horizon when talking about responsibility/accountability in citizens protection within data ecosystems?
P.S.: Incidentally, in the judgement of the same Case T-557/20, the Court also clarified that an individual’s opinions cannot be assumed to be personal data; instead, a case-by-case assessment is necessary, which seems to be relevant to projects adopting ethnographical methods and involving data from conversations and informal sources, e.g. with the goal of monitoring the alignment of actions to strategic goals, or of extracting intelligence about edge cases... and this is an interesting opening to embracing the complexity of individualized data points' governance.
