Clouds outside of the scope of GDPR? (identifiability test)

Aug 16, 2023

In 2016 Court of Justice of the European Union (“CJEU”) issued a landmark ruling in Breyer case (C-582/14) where upon the request of the German Federal Court of Justice for an interpretation, CJEU ruled that even a dynamic IP address registered by an online media services provider constitutes personal data, due to the fact that the online provider had the means which may likely reasonably be used in order to identify the data subject, even with the assistance of other persons. It followed the long-established premise that pseudonymised data are still personal data as opposed to anonymised data.

Another argumentative leap rather in the opposite direction in favour of the controllers and processors, was achieved in the recent General Court case dated 26 April 2023 within a “clash” between Single Resolution Board and European Data Protection Supervisor (T-557/20). The judgement of the General Court is not final, since an appeal was filed against the judgement (C-413/23). EDPS in this case involving pseudonymised data understandably among other arguments also referred to the broad definition of personal data with the possibility of indirect identification of natural persons and the postulate that there is no requirement that all the information enabling the identification of the data subject must be in the hands of one person (in line with the preceding Breyer case).

Despite the plausible ratio decidendi in Breyer case, the practical application of the CJEU judgement by the supervisory authorities was in most cases leaning to the objective/absolute criterion when assessing the pseudonymisation (regardless of the abilities and means of the controller or processor, it is feasible to identify the data subject solely by combining the pseudonymised data with data provided by a third party).

The General Court in April underlined the conditions accentuated at the previous Breyer case, mainly that the pseudonymised data will not be considered as personal data if the identification of the data subject had been prohibited by law or had been practically impossible on account of the fact that it would have required a disproportionate effort in terms of time, cost and man-power, so that the risk of identification would have appeared in reality to be insignificant.

Therefore, it can be assumed that a certain type of “identifiability test” has to be performed by the controller or processor, whereas according to the General Court, the burden of proof is transferred to the supervisory authority to determine whether there is a possibility of combining the information and identify the data subjects from the pseudonymised data (in contrast with the controller’s accountability principle).

This General Court’s “common-sense interpretation”, opens the window to personal data transfers which would not be classified as personal data and potentially be outside of the GDPR material scope. The recent ruling can represent a ticket for various types of cloud services where the “identifiability test” can be potentially passed by implementing robust technical measures which would render practically impossible for the cloud service providers to acquire the key for the reversal of pseudonymized data to personal data. It could possibly be accomplished by creating a specific highly encrypted algorithm which would pseudonymize the personal data (e.g. software or hardware based key token) exclusively applied at the controller which transfers the data, without any possibility to acquire the algorithm by the processor.

It would definitely depend on the type of cloud service and whether an additional processing of the data is required by the processor beyond a basic data storage. If there is a requisite for a more complex processing activities related to the personal data, the processing power could still be provided by the cloud service provider, however the processed output from the cloud service provider will be reversed only by the controller and exclusively by the algorithm supervised solely by the controller.

A distant or analogous inspiration could be found at various cloud service providers which already claim that all the stored data is encrypted with the key available to the customer only and the cloud service provider itself does not possess the technical ability to decrypt the data. Of course, regardless of how high the encryption is applied, encrypted personal data will under nearly every circumstance remain personal data, however the technical principle to meet the GDPR’s and/or court’s requirement of insignificant risk of identification, can by similar.

Worth mentioning is that the rulings eluded the (legally non-binding) recital 28 of GDPR pursuant to which the explicit introduction of pseudonymisation shall not be intended to preclude any other measures of data protection, specifically in this case referring to the data privacy setup of the processor at which the processing of pseudonymised data would pass the “identifiability test”. Naturally a general compliance of assets will still prevail, however the potential opportunity to reduce the applicability of GDPR requirements, would be unquestionably convenient.

Noted that the last CJEU ruling dealt with relatively simple construct of personal data and pseudonymisation and also the question remains, why bother with pseudonymisation and why not approach the more suitable process of anonymisation instead. It will always depend on the controller’s requirements in certain case, still the substance of argument is relevant to pseudonymisation and anonymisation if a reversal token/algorithm is present, which will have to satisfy the absence of insignificant risk of identification and pass the “identifiability test”. Clearly we can expect further development as the Court of Justice is now in play due to the filing of an appeal by the EDPS.

About this article:

In our “National Insights” series, experts from our national member associations write about current issues in the field of data privacy. Sometimes from a national, sometimes from a European perspective – but always concise and well-versed.

Author: JUDr. Pavol Szabo, LL.M., Spolok pre ochranu osobných údajov (Slovakia)

Recent news

Privacy Symposium, june 10-14, 2024, Venice

Privacy Symposium, june 10-14, 2024, Venice

The EFDPO is a pround member of the Organizing Committe of this international conference. It will offer over 100 sessions with over 300 top level speakers and data protection authorities, including international organizations, European authorities, and national data protection authorities, as well as experts in innovative technologies.

read more