A recent decision of the Court of Justice of the EU (EDPS v SRB) confirms that a pseudonymised data set may be considered anonymous (and therefore not subject to data protection regulations) in the hands of a third-party recipient.
This fundamental question has day-to-day practical implications to organisations processing personal data in a pseudonymised form and sharing it with third parties and will facilitate such data sharing activities. However, in reaching this conclusion, the Court has disregarded long-standing views of EU data protection regulators.
You can read about the background of the decision and the issues addressed in more detail in our paper.
Download here - Insights: Pseudonymisation scrutinised by the CJEU
Key take-aways:
- The decision provides clarity: a pseudonymised dataset may be anonymous in the hands of a third party.
- The decision will provide flexibility when sharing data with third parties. However, the parties of a data sharing agreement, will still have to agree on whether the recipient has means to re-identify the data.
- The decision concerned a controller-to-controller transfer. However, it does not necessarily apply to the situation where the recipient is a processor or a joint controller. If it did not apply to instances where the recipient is a processor or a joint controller, the EU would mirror the UK position on this matter set out in the UK ICO's guidance.
- The organisation sharing a pseudonymised dataset considered anonymous in the hands of the recipient will still need to comply with GDPR requirements in relation to that dataset, in particular providing information to individuals about the fact that their data is going to be shared with a third-party recipient. This is explicitly set out in the decision.
- In practice, the organisation sharing the data should consider putting in place contractual terms to cover an eventual re-identification and restrict any reidentification efforts form by the recipient.
Don't miss a thing, subscribe today!
Stay up to date by subscribing to the latest Data and Privacy insights from the experts at Fieldfisher.
Subscribe nowWhile this presents a step forward in clarifying the concept of personal data and facilitating data sharing, care will be needed in drafting appropriate terms especially if reliance is made on the assumption that the data set is anonymous (for the recipient).
![A close-up of computer code displayed on a screen, with lines of code in vibrant blue, pink, and purple colors. One line of text is highlighted in red, stating "[error] virus detected," indicating a security issue within the code.](https://res-1.cloudinary.com/fieldfisher/image/upload/c_lfill,dpr_2,g_auto,h_240,w_440/f_avif,q_auto/v1/services/data%20protection%20and%20cyber%20security/dataprotection_code-errordetected_1048264156_medium_tjlow9)
