EU Court clarifies handling of pseudonymized data
A new ruling from the EU Court of Justice clarifies when pseudonymized data should be considered personal data. The decision emphasizes that the classification of data is relative and depends on the recipient.

The EU Court of Justice has issued a significant ruling concerning the processing of pseudonymized data and its classification as personal data under the General Data Protection Regulation (GDPR). The court clarified that the determination of whether data is personal is not absolute but depends on whether the specific entity processing the data has the means to identify an individual.
In the case brought before it, an EU authority pseudonymized comments before transmitting them to an external service provider. The EU Court of Justice ruled that the data transmitted to the service provider did not constitute personal data because the provider lacked the necessary additional knowledge and means to reverse the pseudonymization. The authority had implemented sufficient technical and organizational measures to effectively prevent such re-identification.
The ruling clarifies that pseudonymization is not automatically anonymization. However, pseudonymized data can appear anonymous to a recipient if, realistically, that recipient has no access to, or ability to obtain, the key or additional information needed for re-identification, and if technical and organizational measures effectively preclude such an outcome. Conversely, the same dataset could be considered personal data for another recipient who possesses supplementary data or the ability to link it.
Consultancy firm dhpg states that the ruling provides clarity and offers relief for areas like AI development and research projects involving large datasets. It also raises new questions, particularly regarding data processing agreements. If pseudonymized data is transferred to a processor who cannot reverse the pseudonymization, it creates complexities regarding the nature of the processing and the necessity of data processing agreements, even if the processor perceives the data as non-personal from their standpoint. The original data controller remains accountable for data protection compliance.