In Case C-413/23 P | EDPS v SRB, the Court of Justice of the European Union has overturned a previous ruling by the General Court which annulled a decision by the European Data Protection Supervisor.
This case began after a resolution decision of Banco Popular Español on 7 June 2017. The Single Resolution Board (SRB) made an initial decision about whether former shareholders and creditors should be compensated. Because they weren’t consulted before that decision, the SRB later allowed them to submit comments. Some of these comments, which were anonymised, were shared with Deloitte, which had been hired to assess the impact of the resolution on those individuals. Several shareholders and creditors complained to the European Data Protection Supervisor (EDPS), saying they hadn’t been told their data would be shared with Deloitte. The EDPS agreed, finding that Deloitte had received personal data and that the SRB had failed to meet its legal duty to inform the individuals under EU data protection rules.
The SRB challenged this decision in the General Court, which partly agreed with the SRB and cancelled the EDPS’s decision. The EDPS then appealed, and the Court of Justice has now ruled that the General Court erred in law as follows:
Personal opinions as data
The General Court erred in law in holding that the EDPS, in order to conclude that the information contained in the comments transmitted to Deloitte ‘related’, under Regulation 2018/1725, to the people who submitted those comments, should have examined the content, purpose or effects of those comments, whereas it was common ground that they expressed the personal opinion or point of view of their authors. According to the Court of Justice, the General Court’s interpretation misconstrued the particular nature of personal opinions or views which, as an expression of a person’s thinking, are necessarily closely linked to that person.
Pseudonymised data
The Court said that the General Court was correct to the extent that it held that pseudonymised data must not be regarded as constituting, in all cases and for every person, personal data under Regulation 2018/1725. Pseudonymisation may, depending on the circumstances of the case, effectively prevent people other than the controller from identifying the data subject in such a way that, for them, the data subject is not or is no longer identifiable. In that context, the Court followed case law about the assessment of whether the data subject is identifiable in situations in which the information enabling that subject to be identified was not in the hands of other people.
Providing information
The Court of Justice found that the General Court erred in law in holding that, to assess if the SRB had complied with its obligation to provide information, the EDPS should have examined whether the comments transmitted to Deloitte constituted, from Deloitte’s point of view, personal data. The Court said that case law makes it clear that the relevant perspective for assessing the identifiable nature of the data subject depends, in essence, on the circumstances of the processing of the data in each individual case. Regarding that obligation to provide information, the Court of Justice noted that that obligation is part of the legal relationship between the data subject and the controller and, therefore, it concerns the information in relation to that data subject as it was transmitted to that controller, thus before any potential transfer to a third party.
As a result, the Court found that the identifiable nature of the data subject must be assessed when the data is collected and from the point of view of the controller. The SRB’s obligation to provide information was applicable prior to the transfer of the data at issue and irrespective of whether the data was personal data, from Deloitte’s point of view, after any potential pseudonymisation.
