Pseudonymised data and whether it is personal information. The Court of Justice of the European Union in European Data Protection Supervisor v Single Resolution Board finds that it is not personal data in all cases. Relevant for Australia

September 7, 2025 |

The question of the status of pseudonymised data confounds many and is the subject of some controversy. OVIC published a report The Limitations of De-Identification – Protecting Unit-Record Level Personal Information. In its guidelines the Privacy Commissioner’s guidelines regarding Pseudonymity state that:

2.6Pseudonymity requires that an individual may deal with an APP entity by using a name, term or descriptor that is different to the person’s actual name. Examples include an email address that does not contain the person’s actual name, a user name that a person uses when participating in an online forum, or an artist who uses a ‘pen-name’ or ‘screen-name’.

2.7 The use of a pseudonym does not necessarily mean that an individual cannot be identified. The individual may choose to divulge their identity, or to volunteer personal information necessary to implement a particular transaction, such as credit information or an address at which goods can be delivered. Similarly, an APP entity may have in place a registration system that enables a person to participate by pseudonym in a moderated online discussion forum, on condition that the person is identifiable to the forum moderator or the entity.

2.8 An APP entity should bear in mind that the object of APP 2 is to provide individuals with the opportunity to deal with the entity without revealing their identity. Personal information should only be linked to a pseudonym if this is required or authorised by law, it is impracticable for the entity to act differently, or the individual has consented to providing or linking the additional personal information. An entity could also restrict access to personal information that is linked to a pseudonym to authorised personnel (for a discussion of the security requirements for personal information, see Chapter 11 (APP 11)).

In EDPS v SRB the Court of Justic of the European Union  confirmed that pseudonymised data will not be personal data in all cases. Whether the data is actually personal depends on the context requiring an assessment of all the means reasonably likely to be used to identify the individual.

The Decision

The Court relevantly stated:

The requirement that the identifying information be kept separately indicates that the objective of pseudonymisation is, among other things, to prevent the data subject from being identified solely by means of pseudonymised data [74].

Provided there is technical and organisational measures in place  to prevent the data  from being attributed to the data subject, in such a way that the data subject is not or is no longer identifiable, pseudonymisation may have an impact on whether or not those data are personal [75]

It is usually the case for controllers who have pseudonymised data to also have additional information enabling the comments to be attributed to the data subject, with the result thatthose comments are, in spite of pseudonymisation, still personal in nature[76].

The technical and organisational measures may have the effect that, for that company, those comments are not personal in nature. Those measures must be able to prevent a company from attributing those comments to the data subject including by recourse to other means of identification such as cross-checking with other factors, in such a way that, for the company, the person concerned is not or is no longer identifiable [77].

In order to determine whether a natural person is identifiable, account should be taken of ‘all the means reasonably likely’ to be used by the controller or by ‘another person’ to identify the natural person ‘directly or indirectly’. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of ‘all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments’. [79]

A means of identifying the data subject is not reasonably likely to be used where the risk of identification appears in reality to be insignificant, in that the identification of that data subject is prohibited by law or impossible in practice. The existence of additional information enabling the data subject to be identified does not, in itself, mean that pseudonymised data must be regarded as constituting, in all cases and for every person, personal data [82].

Data that are inherently impersonal and have been collected and retained by the controller were nevertheless connected to an identifiable person, since the controller had legal means of obtaining additional information from another person making it possible to identify the data subject. In such circumstances, the fact that the information enabling the data subject to be identified was in the hands of other people did not actually to prevent that subject from being identified in such a way that the subject was not identifiable for the controller [83].

Data which are in themselves impersonal may become ‘personal’ in nature where the controller puts them at the disposal of other persons who have means reasonably likely to enable the data subject to be identified. It is apparent, in particular, from the latter judgment that – where those data are put at their disposal – those data are personal data both for those persons and, indirectly, for the controller [84].

Pseudonymised data must not be regarded as constituting, in all cases and for every person, personal data in so far as pseudonymisation may, depending on the circumstances of the case, effectively prevent persons other than the controller from identifying the data subject in such a way that, for them, the data subject is not or is no longer identifiable [86]

Issue

Extrapolating, the data does not always remain personal, and would not be personal where disclosed in circumstances where only the original controller was able to identify the data subject.

The CJEU makes it clear that:

  • the individual whose personal data has been collected with information about recipients or categories of recipients of personal data at the time of collection.
  • the controller must assess at the time of collection whether the data is personal in their own hands.  That does not extent to an an assessment of whether the data is personal in the recipient’s hands.

This decision confirms that pseudonymised data will not always be personal.The recipient of the information needs to assess “means reasonably likely” in the context of the data.  It still remains likely that the data is personal.

While the decision related to European law the principles are useful in the Australian context.

The press release relevantly provides:

Following the resolution of Banco Popular Español, on 7 June 2017, the Single Resolution Board (SRB) adopted a preliminary decision on whether or not it was necessary to grant compensation to the former shareholders and creditors of that bank as a result of that resolution. Since that decision was adopted without hearing those persons, the SRB subsequently organised a procedure to enable them to submit comments on that preliminary decision. In the context of that procedure, the SRB transferred some of those comments, in the form of pseudonymised data, to Deloitte, an auditing and advisory company tasked by the SRB with carrying out a valuation of the effects of the resolution procedure on shareholders and creditors.

A number of affected shareholders and creditors submitted complaints to the European Data Protection Supervisor (EDPS) on the grounds that the SRB had not informed them that data relating to them would be transmitted to third parties, namely Deloitte. The EDPS found that, in the present case, Deloitte was a recipient of the complainants’ personal data. In addition, he found that the SRB had infringed the obligation to provide information laid down in Regulation 2018/1725. 1 The SRB then brought an action for annulment of the EDPS’s decision before the General Court of the European Union. The General Court upheld that action in part and annulled the decision in question. 2

Hearing an appeal brought by the EDPS, the Court of Justice has set aside the judgment of the General Court and referred the case back to it.

The Court of Justice has found, in the first place, that the General Court erred in law in holding that the EDPS, in order to conclude that the information contained in the comments transmitted to Deloitte ‘related’, within the meaning of Regulation 2018/1725, to the persons who submitted those comments, should have examined the content, purpose or effects of those comments, whereas it was common ground that they expressed the personal opinion or point of view of their authors. According to the Court of Justice, the General Court’s

interpretation misconstrues the particular nature of personal opinions or views which, as an expression of a person’s thinking, are necessarily closely linked to that person.

In the second place, the Court of Justice has confirmed that the General Court was correct in so far as it held that pseudonymised data must not be regarded as constituting, in all cases and for every person, personal data for the purposes of the application of Regulation 2018/1725. It follows from the provisions of that regulation as interpreted in case-law that pseudonymisation may, depending on the circumstances of the case, effectively prevent persons other than the controller from identifying the data subject in such a way that, for them, the data subject is not or is no longer identifiable. In that context, the Court of Justice is careful to recall the guidance from its case-law regarding the assessment of whether or not the data subject is identifiable in situations in which the information enabling that subject to be identified was not in the hands of other people,

In the third place, the Court of Justice has found that the General Court erred in law in holding that, in order to assess whether the SRB had complied with its obligation to provide information, the EDPS should have examined whether the comments transmitted to Deloitte constituted, from Deloitte’s point of view, personal data. According to the Court of Justice, it is clear from case-law that the relevant perspective for assessing the identifiable nature of the data subject depends, in essence, on the circumstances of the processing of the data in each

individual case. With regard to that obligation to provide information, the Court of Justice notes that that obligation

is part of the legal relationship between the data subject and the controller and, therefore, it concerns the information in relation to that data subject as it was transmitted to that controller, thus before any potential transfer to a third party. Accordingly, the Court of Justice has found that the identifiable nature of the data subject must be assessed at the time of collection of the data and from the point of view of the controller. The SRB’s obligation to provide information was applicable prior to the transfer of the data at issue and irrespective

of whether or not those data were personal data, from Deloitte’s point of view, after any potential pseudonymisation.

Leave a Reply