Relative nature of personal data, consent for pseudonymisation? Dissecting the EDPS v SRB AG Opinion

Understanding what is and is not personal data is fundamental to the proper interpretation and enforcement of the most famous data protection law, the GDPR. If no personal data are being processed, the GDPR simply does not apply.

Some have considered that "personal data" is an absolute concept, i.e. information can be "in and of itself" personal data for anyone, while others (such as myself) have long contended that it is a relative concept. The idea of the relative concept is that information that I have about Mr John Doe might be personal data from my perspective when I process it, but not from yours if you receive it.

For instance, if I know that John Doe likes vanilla ice cream and not chocolate ice cream, and I have given him the userID AB12345, while Jane Doe prefers chocolate and has the userID AB12346, those userIDs and ice cream preferences are personal data when I process them. Why? Because I have identified John Doe or I am lawfully able to identify or get to identification of John Doe.

However, when I give you a copy of those userIDs or ice cream preferences, you don't know that it is John and Jane who are concerned by this data, and you have no legal means of obtaining any additional information ("who is behind userID AB12345?") from me. If you can't get that additional information anywhere else (lawfully, again), or it would require unreasonable means (in terms of effort, cost, etc.) to reidentify John and Jane, surely you must be able to view this data as non-personal data and cannot be bound to comply with the GDPR?

This is where the SRB v EDPS case comes in.

The judgment of the EU General Court

In April 2023, the EU General Court adopted an important decision on the nature of "personal data" in the EDPS v SRB case (T‑557/20).

I summarised it as follows at the time in a LinkedIn post on the topic:

Personal data is a relative concept, EU General Court stresses in a new judgment - "it is necessary to put oneself in [the relevant organisation's] position in order to determine whether the information transmitted to it relates to ‘identifiable persons’."

The judgment reaffirms the conditional findings of the CJEU in its Breyer judgment (which found that an IP address can be personal data if there are lawful means reasonably likely to be used to identify a data subject).

The General Court considers that "it was for the EDPS [= the regulator in question] to examine whether the comments transmitted to Deloitte [= the relevant organisation] constituted personal data for Deloitte" - i.e. that information could only be personal data in relative terms (= relative to the organisation), not in absolute terms.

The General Court continues: "the EDPS is incorrect to maintain that it was not necessary to ascertain whether the authors of the information transmitted to Deloitte were re-identifiable by Deloitte or whether such re-identification was reasonably possible."

In conclusion, "since the EDPS did not investigate whether Deloitte had legal means available to it which could in practice enable it to access the additional information necessary to re-identify the authors of the comments, the EDPS could not conclude that the information transmitted to Deloitte constituted information relating to an ‘identifiable natural person’".

The decision concerns Regulation 2018/1725, the GDPR equivalent for EU Institutions, but the concepts and relevant data protection requirements are the same.

So, a victory for the relative concept of personal data. But the judgment was appealed, so we move on from the EU General Court (GCEU) to the EU Court of Justice (CJEU).

Advocate General Spielmann's take

Now before the CJEU (case C‑413/23 P), Advocate General Spielmann delivered on 6 February 2025 his Opinion on the EDPS v SRB case.

In summary, AG Spielmann says that:

  1. Pseudonymised data falls outside of the scope of the [EU Institutions’] GDPR “in so far as the data subjects are not identifiable” (para. 51), which does not require additional identification data to have been completely erased but requires that “the risk of identification is non-existent or insignificant” (57);
  2. The obligation for a controller to inform data subjects regarding recipients also applies in relation to recipients who receive pseudonymised data;
  3. The controller in the present case [SRB] has met its burden of proof under the accountability obligation by relying “on several factual elements (including the processes for filtering, categorisation and aggregation of comments, described in the decision at issue and the [GCEU judgment]) in order to prove, in accordance with the principle of accountability incumbent on it, that it was impossible for [the recipient = Deloitte] to identify the data subjects” (94) – which triggers a reversal of the burden of proof, such that “it was for the EDPS [= the regulator] to demonstrate for what reason, legal or technical, the pseudonymisation process implemented by the SRB [= the controller] in the present case was not sufficient and should have led to the conclusion that Deloitte [= the recipient] was processing personal data” (96).

Some remarks:

1/ Pseudonymised data = sometimes not personal data

First, I am glad to see the AG confirming what I and many others have been claiming for a while, namely that “personal data” is a relative concept, in line with the Breyer / Scania / IAB Europe judgments.

The idea of “non-existent or insignificant” risk of identification is a good way of expressing this, but it’s worthwhile recalling that only actual, legal means of reidentification are relevant. So even hypothetical “B might provide A with additional information” scenarios are irrelevant if unlawful or extremely remote and in practice implausible.

Next, I find para. 58 to be great, as it combines legal risk management with practical considerations:

“The fact that the rules stemming from [the EUI GDPR] do not apply to data relating to non-identifiable persons would not preclude entities that are at the origin of misconduct from incurring legal liability where appropriate, for example in the event of disclosure of data resulting in harm. On the other hand, it seems to me disproportionate to impose on an entity, which could not reasonably identify the data subjects, obligations arising from [the EUI GDPR], obligations which that entity could not, in theory, comply with or which would specifically require it to attempt to identify the data subjects.”

Yes, this is precisely what many of us have been saying for a while now – to actually treat something as personal data, you might need more information, and that cannot be the intention.

2/ Information obligation & consent (?) for pseudonymisation

Paragraphs 72 & 74 state in summary that the perspective of the recipient is irrelevant to the assessment of which information needs to be provided to a data subject under the transparency obligation. Put differently, whether the recipient considers the data it receives to be personal data or not, the transfer of such data to that recipient is covered by the transparency obligation as well, because one should only look at the perspective of the sender.

Paragraphs 77 and 78 then throw in a curveball regarding consent, as the AG states in para. 78 that there was no “informed consent for the pseudonymisation of the data and their transfer to Deloitte”.

Wait, is consent then needed for pseudonymisation & the transfer of pseudonymised data?

This is an odd part, as the initial GCEU judgment never mentions consent. Based on the context, it looks like the AG is looking more broadly at the entire package of information that had been provided to data subjects by the initial controller (SRB). That processing by SRB is in fact described in its “Right to be heard Privacy Statement” (at least, I think that’s the right one). And that privacy statement never mentions consent either but relies solely on legal obligation as a legal ground for processing.

And that is what I believe the AG is getting at:

  • the processing that SRB mentions in its privacy statement only covers the processing that is actually necessary for compliance with SRB’s legal obligations;
  • the act of pseudonymising data is a form of processing by SRB, as is the transfer itself of the pseudonymised data to Deloitte, irrespective of what happens once Deloitte received the pseudonymised data;
  • those processing activities are not shown to be necessary for compliance with SRB’s legal obligations or otherwise covered by the SRB privacy statement, so they need to be justified otherwise;
  • consent appears to be the only relevant legal ground given that SRB has not argued that it could rely on any other legal ground for that processing.

I don't think this last point can really be what the AG intended, as there must surely be a way to do this on the basis of legitimate interests. Requiring consent for pseudonymisation would defeat the purpose of pseudonymisation. After all, if you need to ask for consent for pseudonymisation and for the transfer of pseudonymised data, why not then ask for consent for the transfer of non-pseudonymised data?

Because of the particular context, I don't think we should read too much into the AG's reference to consent, and I hope the CJEU doesn't adopt in its judgments any considerations in relation to consent (after all, that is not even part of the GCEU's judgment).

Closing thoughts

I like much of this Opinion. It is measured, it is practical, and it takes into consideration the fact that just because information isn't personal data for a particular recipient, doesn't mean that data protection is an illusion. The (actual & initial) controller isn't free to share it with every potential recipient, just like that. There are always assessments to be made, depending on the nature of the information in question and how high (or low) the risk of reidentification seems to be.

The AG's view on information isn't outrageous in my view, provided we adopt a clear and workable interpretation of who is a recipient (= direct recipient, not indirect [2nd degree] recipient?) - otherwise that might be unworkable for pseudonymised data. I'm not too keen on an expansive view of the AG's suggestions regarding consent, for the reasons explained above, but I think I understand why he mentions it.

But at least the AG seems to recognise one key truth about information and data protection approaches: absolutist approaches don't work.

Let's hope the CJEU adopts a pragmatic view too.

Ilia Dubovtsev, CIPP/E, CIPM

DPO & Privacy Strategist | Helping Global Companies Navigate Data Compliance | GDPR | CCPA & U.S. Regulations | Eastern Europe and Russia | MENA | APAC | International Data Transfers | Workplace Privacy | M&A Privacy

7mo

Very informative and helpful, thank you. I share your opinion to a greater extent.

Will H.

Product Counsel at Google

7mo

Excellent analysis and insight as always, Peter Craddock. Thanks for sharing!

Ronni K. Gothard Christiansen

Technical Privacy Engineer & CEO @ AesirX | Empowering Businesses with First-Party Consent Management & Data Solutions | 25+ Years Open Source Advocate, X-BoD Open Source Matters Inc.

7mo

Great analysis, Peter Craddock! I agree that the relative nature of personal data is important, but in this case, the key issue is SRB’s obligation at the point of collection, not just whether Deloitte could re-identify individuals. Spielmann clarifies that pseudonymization does not eliminate the duty to inform under Article 15(1)(d) of Regulation 2018/1725. The General Court erred by focusing only on Deloitte’s perspective when the real question was whether SRB informed data subjects that their pseudonymized data would be shared with Deloitte. On consent, Spielmann’s reference seems to highlight a transparency failure rather than a requirement for consent to pseudonymization. SRB’s privacy notice did not disclose the intended transfer to Deloitte, which raises compliance concerns under Regulation 2018/1725. I went into detail as per my analysis here: https://www.linkedin.com/posts/ronnikc_language-of-document-activity-7293457676527644673-WMbQ/ Looking forward to seeing how the CJEU rules on this. Curious to hear your thoughts!
