Updating the EDPB pseudonymisation guidelines post-SRB

Good to read about the EDPB promoting pseudonymisation in Seoul, but let’s be honest: their guidelines on the topic need serious updating further to the CJEU’s SRB judgment. Yes, they do say the opposite of SRB:

22. Pseudonymised data, which could be attributed to a natural person by the use of additional information, is to be considered information on an identifiable natural person, and is therefore personal. This statement also holds true if pseudonymised data and additional information are not in the hands of the same person.

First sentence a bit absolute given SRB already. Next (still para. 22):

“If pseudonymised data and additional information could be combined having regard to the means reasonably likely to be used by the controller or **by another person**, then the pseudonymised data is personal. Even if all additional information retained by the pseudonymising controller has been erased, the pseudonymised data becomes anonymous only if the conditions for anonymity are met.” (emphasis mine)

“By another person” is not limited by the Guidelines. The EDPB could easily have added that this only refers to a person from whom the controller could lawfully obtain (re)identification of those natural persons. Yet it didn’t. “Another” thus becomes synonymous with “any other”.

Plus, “pseudonymised data becomes anonymous only if the conditions for anonymity are met”? That’s only relevant for the pseudonymising controller, not for the recipient of pseudonymised data.

That one paragraph then influences all that follows in the Guidelines (including e.g. how we are supposed to read paragraph 60 of the Guidelines, as well as why the EDPB includes references to threat actors – despite “reasonable means” clearly being limited to lawful means and thus *excluding hacking and the use of data from the dark web*).

I would also like to point out that paragraph 77 of the Pseudonymisation Guidelines creates a reverse burden of proof: while normally the GDPR doesn’t apply if something isn’t personal data (and thus the burden of proving that something is personal data doesn’t lie on the alleged controller), the EDPB suggests that Article 11 of the GDPR relates not only to the conditions for a data subject to be deemed “identified” but also to those for “identifiable” – despite what the provision *actually* says.

So yes, some real changes are needed – and they must lead to a very different outcome, one in which the GDPR *doesn’t* apply in a number of scenarios.

For more on what SRB actually entails and when data ceases to be personal, do read my in-depth analysis here: https://lnkd.in/e2eNmGUP
And you should re-read the criticism levelled at the guidelines back when they came out:
– my comments: https://lnkd.in/ejFZmdXa
– comments of IAB Europe and others: https://lnkd.in/ejXPYFs6
The issues highlighted back then are even more problematic in the light of SRB.
Let’s hope the update fixes this cleanly and isn’t an exercise in verbal gymnastics!


DataLaws.net is entirely open-access, and instead of getting your data in exchange for this content, how about another trade? If this commentary saved you research time or sparked an idea, feel free to invite me over for tea, chai or a hot chocolate next time you are around Brussels or Antwerp - or invite me over to your offices for a chat!
