Pseudonymisation and anonymisation: the blurred line between personal and non-personal data

In the context of the General Data Protection Regulation (GDPR), Article 4(5) defines pseudonymisation as the processing of personal data in such a way that it can no longer be attributed to a specific data subject without the use of additional information. It is essential to note that this additional information must be stored separately and subject to technical and organizational measures to ensure that such personal data is not attributed to an identified or identifiable natural person.

Contrary to a common perception, pseudonymisation should not be regarded solely as a technological aspect, but rather as an operational and organizational strategy. In fact, the GDPR, in recital 29, recognises that pseudonymisation measures, whilst allowing general analysis, should be possible within the same controller, provided that the necessary technical and organizational measures are taken and that the additional information for attributing personal data to a specific data subject is stored separately.

Conceptual and Legal Foundations of Pseudonymisation and Anonymisation

The conceptual elaboration reveals that pseudonymisation is not an isolated concept, but rather an integral part of an orchestrated set of measures aimed, on the one hand, at protecting the data of the data subject and, on the other hand, at facilitating the circulation of data while safeguarding data controllers' compliance with their data protection obligations.

In this context, distinguishing between pseudonymisation and anonymisation is of crucial importance. In short, while pseudonymisation allows the information to be reconstructed, anonymisation makes such reconstruction impossible. This principle is clearly stated in Recital 26, which excludes the application of data protection principles to anonymous information, i.e. information that does not relate to an identified or identifiable natural person, or personal data rendered sufficiently anonymous that the data subject is not or is no longer identifiable.

But how do we determine whether a piece of data is pseudonymous or anonymous? Here again, we are helped by recital 26 of the GDPR, which states that to establish the identifiability of a person, account should be taken of all the means, such as singling out, which the controller or a third party may reasonably use to identify that natural person directly or indirectly.

Judgment T-557-20 of the European Court of First Instance on Pseudonymisation and Anonymisation of Data

The recent judgment delivered by the European General Court on 26 April 2023, in the context of Case T-557-20, represents a significant milestone in the legal understanding of anonymisation and pseudonymisation practices. Moving away from the previous orientation of the Article 29 Working Party (now replaced by the European Data Protection Board), which postulated a more restrictive approach, the General Court adopted a more nuanced and relativist perspective.

The Court’s decision emphasized the need to carefully consider the specific circumstances when assessing the identifiability of data. In the present case, concerning the transmission of shareholder and creditor comments by the Single Resolution Committee (CRU) to third parties, the General Court rejected the idea that the possibility of automatic re-identification qualifies the data as personal. In particular, the General Court concluded that, despite the fact that the CRU had access to additional data for identification purposes, the transmitted comments and alphanumeric codes had to be qualified as anonymous data. In doing so, it consistently applied the principle, contained in Recital 26 of the GDPR and Recital 16 of Regulation 1725/18, that data protection principles do not apply where personal data have been rendered sufficiently anonymous that the data subject cannot or can no longer be identified.

This change of course represents a significant departure from previous restrictive interpretations, emphasising the need to carefully assess the actual identifiability of data in specific contexts. The European Court’s ruling has significantly influenced the legal landscape with regard to anonymisation and pseudonymisation techniques, raising crucial questions about the practical application of these concepts in the current regulatory context.

Conclusions and Key Role of Pseudonymisation and Anonymisation Techniques

In conclusion, the proper implementation of pseudonymisation and anonymisation techniques is imperative to ensure user privacy, especially in sensitive sectors such as health and finance. The technologies used must comply with legal principles, and the choice between pseudonymisation and anonymisation should be guided by specific needs and the required reversibility. A thorough understanding of these concepts and their accurate implementation are crucial to address the legal and regulatory challenges related to the protection of personal data.

In this context, the ruling of the European Court of First Instance not only provides a crucial clarification of the distinction between anonymous and pseudonymous data, but also raises important reflections on the future of data protection practices. The decision emphasizes the importance of taking a contextual and circumstantial approach when assessing the anonymisation and pseudonymisation of data. It establishes that, in order to determine whether information constitutes personal data, it is necessary to adopt the perspective of the recipient, assessing whether combining the information transmitted with any additional information held by the third party is a reasonably feasible means of identifying data subjects.

This new orientation of the Luxembourg courts may influence the way organizations implement data protection measures. A careful analysis of the specific circumstances therefore becomes crucial to determine whether data can indeed be considered anonymous, even when they are associated with alphanumeric codes or other identifiers.