Where is the line between anonymization and pseudonymization?
As a lawyer, you are often confronted with the following case constellation: A data controller has a data set with pseudonymized data. A controller can establish the personal reference through additional information, which means that the data is clearly personal data. The data record is then forwarded to a recipient. The recipient does not have the additional information and therefore cannot establish the personal reference. Where is the boundary between anonymization and pseudonymization?
Our article in the journal Datenschutz Konkret
In the above case constellation, it was disputed whether the recipient had personal data. We already discussed this topic in a 2018 article in the Dako (Dako 2018/33, https://lnkd.in/g2mt-NDW) and argued for a relative approach, i.e. that it depends on the recipient's horizon. This means that a data set can be pseudonymized, i.e. personal, for one person, but anonymized for another. Ermano Geuer and his former colleague Alexander Wollmann also discussed the topic with a special focus on Art 26 and Art 28 GDPR in jusIT (jusIT 2020/6).
Recent decision of the European General Court
Fortunately, the EGC has opted for a similar reasoning in its decision T-557/20. According to the EGC, it depends on whether the recipient has the additional information or is able to obtain it. In this regard, the ECJ also refers to the Breyer case (ECJ, C-582/14), which is repeatedly used as a blanket reference for an alleged personal reference of IP addresses. At the time, the ECJ referred to the specific legal situation in Germany in connection with copyright infringements.
From our point of view, this is a welcome development that gives players a certain amount of leeway when handling data. If a data set with pseudonymous data for the controller is transmitted to a recipient who cannot establish the personal reference, it should also be possible to analyze large amounts of data without having to comply with the strict requirements of the GDPR.
Link to the decision: https://curia.europa.eu/juris/document/document.jsf?text=&docid=272910&pageIndex=0&doclang=DE&mode=lst&dir=&occ=first&part=1&cid=2068606
Link to our article from 2018: https://rdb.manz.at/document/rdb.tso.LIdako20180304?execution=e1s1&highlight=geuer+pseudonymization (RDB access required)