CNIL IQVIA decision: critical analysis

OK, a few words about the CNIL decision re IQVIA. Spoiler alert: it’s in my view a completely wrong decision, and it deliberately misquotes the CJEU’s SRB judgment:

1. “[T]his role as controller prevents, in itself, the data from being regarded as anonymous” (CNIL, §90): incorrect!

The CJEU explicitly states the following in §76 of SRB: “as is usually the case for controllers who have pseudonymised data, the SRB does, in the present case, have additional information enabling the comments transmitted to Deloitte to be attributed to the data subject, with the result that, in its view, those comments are, in spite of pseudonymisation, still personal in nature” (emphasis mine)

=> “usually”.
If a controller *does not* have additional information enabling attribution, the pseudonymised data *is not* personal data. When would this be the case? If measures are taken precisely to *prevent* the collection or sharing of such additional information.

2. “[I]t seems more than plausible that the anonymity of the data subjects concerned could be lifted by reasonable means” (CNIL, §94): “more than plausible” is not the same as “demonstrating” that there is personal data.

The GDPR *does not* apply if there is no personal data – and the accountability obligation under Art. 5(2) & 24 GDPR only applies *if* the GDPR applies.

Therefore, as some national courts have held (notably in Poland), it is up to an authority to *demonstrate* that there is personal data, not to *assume* it.
[See https://lnkd.in/enQ673hc ]

And alleging that the company considered it personal data at the time – before SRB made it clear that “personal data” is indeed a relative concept – doesn’t change the fact that the CNIL needs to demonstrate that it *is* personal data, not that someone *thinks* it might be personal data.

3. “[I]f even a single person can be re-identified by reasonable means, the data contained in the database is classified as personal data” (CNIL, §107): assumptions again. If just *one* data point is shown to be personal data, that doesn’t create a right to assume everything else is. You still have to show why the reasoning would extend beyond one individual.

4. In §108, the CNIL describes the process whereby an individual can provide additional data to IQVIA to enable identification. This is irrelevant!
Yes, it means that in the hypothetical scenario of the individual making contact, that individual record can become personal data. But this has no impact on what happens before, or the other records!
[See again that Polish decision, which tackles this issue.]

5. The point about whether a contractual prohibition of identification prevents “legal” means of identification is a topic I have discussed with many clients – interesting to see this here; it remains to be seen whether the CNIL’s position is taken up anywhere else.

An appeal would make sense, but so far the Conseil d’Etat doesn’t seem to understand SRB either…

Decision (FR): https://lnkd.in/eeZdJXm5
