Pseudonymisation and the GDPR: Does It Exclude the Application of Data Protection Rules?

Can pseudonymised personal data lose their identifying nature and, as a result, fall outside the scope of the GDPR? In a recent judgment, widely commented on and which we also reported on¹, the Court of Justice of the European Union (CJEU) held that a recipient of pseudonymised data, such as a processor, may receive data that are no longer identifying from its perspective, provided that no reasonable means of re-identifying the individuals exist for that recipient.

This decision, largely interpreted as a relaxation of the definition of personal data and incorporated into the European Commission’s Digital Omnibus Package reform project², must, in our view, be interpreted with caution. Its practical and general scope should be assessed in light of re-identification risks and capabilities.

Understanding the New Interpretation

The CJEU judgment³ concerned a dispute between the European Data Protection Supervisor (the EU equivalent of a supervisory authority such as the CNIL) and the Single Resolution Board (SRB), the institution responsible for managing failing banks. In order to determine potential compensation for shareholders and creditors of a failing bank, the SRB collected their comments along with proof of identity and evidence of their status as shareholders or creditors.

The analysis of part of these comments was then entrusted to a consulting firm, which received only the comments associated with an alphanumeric code. In this case, the data processor did not have access to the correspondence table nor directly to the identity data of the authors of the comments, which were held exclusively by SRB staff.

The Court therefore considered that the consulting firm did not possess the re-identification key and could not obtain it from the SRB staff. Consequently, with regard to the pseudonymised data transferred by the SRB, such data could not be re-identified by the consulting firm.

However, contrary to what has sometimes been suggested, the Court does not remove pseudonymised data from the protection of the GDPR. Instead, it invites organisations and their DPOs to carry out a contextual, case-by-case assessment, focusing on the purposes of the processing and the data transfer, the robustness of the pseudonymisation mechanism, and the recipient’s ability to combine data or obtain a re-identification key.

A Reduced Level of Security?

For pseudonymised data to no longer be considered personal data for the recipient, the CJEU requires effective measures preventing access to identifying information and the absence of legal or technical means to obtain it. By way of example, the judgment refers to situations in which obtaining a re-identification key would be illegal or would require disproportionate effort and cost.

However, two key lessons can be drawn from the conditions set out by the Court:

• The illegality of a practice does not appear, in itself, to be sufficient for pseudonymised data to cease being identifying from the recipient’s perspective.
  • The interception of unencrypted data and cross-referencing with public data or data held by a third party may occur in the absence of adequate security for the data-sharing process.
  • An error in data sharing or malicious behaviour by an individual with access to non-pseudonymised data or re-identification means remains a risk that is virtually impossible to eliminate.
• The GDPR’s overall risk-based approach implies deploying genuine technical and organisational measures aimed at minimising re-identification risks and documenting them, with the objective of demonstrating that such risks have been reduced to an “insignificant” level, as stated by the Court.

What Does This Mean in Practice?

This new interpretation by the Court therefore encourages raising security requirements rather than lowering them. For re-identification to be considered materially impossible, the controller and its processor will need to implement particularly stringent pseudonymisation and security measures, or even achieve anonymisation of the data:

• Encryption;
• Key separation;
• Logging;
• Penetration testing;
• Regular audits;
• Contracts limiting reuse.

However, in practice, the possibility opened by the CJEU of treating pseudonymised data as non-personal appears not only ill-suited to the current threat landscape but also highly theoretical.

Indeed, although they do not concern pseudonymised data, two recent sanctions imposed by the CNIL suggest that contractual safeguards and technical security requirements are not always respected, taken into account, or effectively managed by organisations.

In the first case⁴, the CNIL fined Mobius Solutions Ltd, a processor for Deezer France, €1 million for reusing French users’ data for analytical purposes and for copying and retaining the data beyond the contractual period, contrary to the terms of the data processing agreement, for advertising purposes.

In the second case⁵, NEXPUBLICA France, a software publisher for Departmental Centres for Disabled Persons (MDPH), received a record fine of €1,700,000 for serious security failings. Users had access to third-party files, and several MDPHs notified the CNIL of multiple data breaches. The authority’s investigation revealed obsolete security measures and inaction on the part of the publisher, despite being aware of the software’s security issues.

These cases illustrate, in our view, the importance of maintaining an objective risk-based approach. Given, in particular, cyber risks, the required level of security and robustness of pseudonymisation mechanisms will necessarily be increased, and it will be difficult in practice to achieve a situation of “perfect” pseudonymisation as implied by the Court’s position.

‍