How the European Court of Justice is shaping health data anonymisation

The European General Court delivered a ruling on 26 April that provides new guidance on the concept of personal data. The court’s decision in Single Resolution Board v European Data Protection Supervisor (T-557/20) deals with the highly relevant question about when personal data can be considered anonymous and follows the steps of the European Court of Justice’s (ECJ) landmark rulings in Patrick Breyer v Bundesrepublik Deutschland (C-582/14) and Peter Nowak v Data Protection Commissioner (C-434/16). 

The judgment of the General Court is one of the very few rulings that can be drawn upon for authoritative interpretation of the most essential question in European data protection law; that is, what qualifies as personal data. 

Personal data action

The decision concerns an action by the Single Resolution Board (SRB) against the European Data Protection Supervisor (EDPS). The SRB is an EU agency established by the EU Single Resolution Mechanism Regulation of 2014, which acts as a resolution authority for banks. It oversees the restructuring of a bank in order to protect public interests in financial stability. The EDPS is the independent supervisory authority for the EU’s institutions and bodies. 

Five data subjects complained to the EDPS about the SRB’s processing of their personal data under the applicable legal framework of Regulation (EU) 2018/1725. Although this is a distinct regulation that applies to the processing of personal data by EU institution, it is nonetheless also relevant for the interpretation of the General Data Protection Regulation, as it relies on the same legal principles and uses the same definition of personal data. 

The SRB brought an action before the court following a decision of the EPDS concerning, among other things, the classification of categories of data transmitted by the SRB to professional services firm Deloitte. It assessed whether the data were pseudonymised personal data or should be considered as anonymised, non-personal data. 

More specifically, the data transmitted to Deloitte consisted of comments from shareholders and creditors, together with a 33-digit randomly generated alphanumeric code that served as a globally unique identifier. The information provided by creditors during an earlier registration phase (enabling the SRB to identify individual creditors) was kept by the SRB alone and not made available to Deloitte.

The EDPS considered that the code was additional information that, when used by the SRB, would make it possible to reidentify individuals and that the comments should, therefore, be considered as personal data. The EDPS was satisfied that the comments and the code qualify as personal data, irrespective of whether it was practically feasible for Deloitte to reidentify the individuals. 

EPDS failure

The court did not follow the EDPS’ arguments. It held that the EPDS failed to examine whether the comments constituted information relating to a natural person and to demonstrate that the code enabled Deloitte to reidentify a specific creditor. In its decision, the court essentially relies on the ECJ’s judgment in Breyer and clarifies the concept of reidentification. 

More specifically, the court states that in situations where personal data is scattered across several pseudonymous subsets that are in the possession of different entities, one cannot draw an absolute inference that a given subset qualifies or not as personal data. Instead, a more detailed and fact-based analysis is required.

It also states that the perspective of the party using the data – in this case Deloitte – must be taken into account in order to determine whether the data in hand relates to identifiable individuals (that is, whether the data is anonymised or pseudonymised) and not from the point of view of another party who may be involved in the processing (in this case the SRB).

The time, cost and man-power necessary for reidentification work must also be taken into account in order to determine whether data is to qualify as personal data or not.

Identifiable people?

In particular, the court states in paragraphs 104 and 105 of the decision that: "It is apparent from paragraph 45 of the judgment of 19 October 2016, Breyer (C 582/14, EU:C:2016:779), cited in paragraph 92 above, that it was for the EDPS to determine whether the possibility of combining the information that had been transmitted to Deloitte with the additional information held by the SRB constituted a means likely reasonably to be used by Deloitte to identify the authors of the comments."

"Therefore, since the EDPS did not investigate whether Deloitte had legal means available to it which could in practice enable it to access the additional information necessary to re-identify the authors of the comments, the EDPS could not conclude that the information transmitted to Deloitte constituted information relating to an ‘identifiable natural person’ within the meaning of Article 3(1) of Regulation 2018/1725."

Practical ramifications

The decision’s importance follows from its interpretation of the ECJ’s ruling in Breyer. In recent years, Breyer has served as a justification for an extensive understanding of when data should be considered personal data. European supervisory authorities, in particular, have interpreted Breyer in such manner. 

From an academic perspective, the underlying question is whether the criterion of “identifiability” must be determined from a relative or from an absolute perspective. Where a relative perspective leads to a narrower understanding of personal data because it requires that the actual holder of data can identify a natural person from it, an absolute perspective may ultimately qualify almost any data as personal because it only requires that any person can identify a specific natural person from the data.

From a privacy law perspective, it is therefore of crucial importance whether a relative or an absolute perspective is taken. Luckily, the court confirmed a relative approach and specified how Breyer has to be interpreted. In other words, the decision can be seen as lowering the threshold for effective anonymisation in a multi-party setting, making it easier for controllers to argue that data has been effectively anonymised. 

Healthcare application

Access to data and concerns about privacy implications are major "pain points" for many in the healthcare sector; in particular, in the context of scientific research and artificial intelligence (AI). For some, privacy regulation may even be seen as an obstacle for the development of new products and services or a roadblock to innovation and scientific progress. Initiatives like the European Health Data Space or national initiatives like the German digital strategy for the healthcare sector are examples for political regulation that seeks to provide a more clarity on how sensitive personal data may be used for research and AI. 

However, this decision may also help companies in certain scenarios to use patient data by arguing that the data does not qualify as personal data.

For example, the decision may be beneficial in situations where obtaining informed consent in advance is not possible, such as in cases of secondary use by third parties. Strict and effective separation of identifiers ensuring that only the data collector can associate data sets with identifiers while preventing other parties from accessing those identifiers can result in anonymised data for other parties. Depending on the particular circumstances, this approach may also be utilised in intra-group scenarios or where the controller shares de-identified data with a processor. 

Utilising a data-trustee concept or data intermediary may also allow the arguments that a data recipient receives and processes only anonymised data. The concept of data trustees and other intermediaries play a crucial role in the sharing of (health) data under new and upcoming EU legislation, such as the Data Governance Act or the European Health Data Space. 

As there is no common legal framework in place which would allow processing personal data for the purposes of post-market surveillance of medical devices, the related processing of sensitive personal data may create privacy challenges. It may be worthwhile to explore options how a setup can be created where only anonymised data is shared and processed.

Also, where the controller retains the full data set and only provides “anonymous” data to its processor – as the processor is commonly regarded as an extension of the controller itself rather than an independent third party – particular emphasis must be put on implementing safeguards impeding the processor from reidentifying the provided data sets with proportionate effort.

Finally, anonymisation will open up additional possibilities to process data by new means such as AI, which may yield even more advanced insights and enable scientific progress. Processing non-personal data would also minimise risks and constraints for a repurpose of the data that result from the principle of purpose limitation.

Anonymisation remains difficult

However, especially in the healthcare sector, anonymisation will remain difficult despite this decision; for example, if the de-identified data sets still allow the identification of the individual because of the uniqueness of the information (for example, where data sets contain details on particular doctor visits). 

With respect to genetic data, the European Data Protection Board has also raised concerns whether anonymisation of genetic data is possible. Also, where a processor has the full data set with identifiers and the controller’s access is in principle limited to a de-identified subset of the data, it will be difficult to argue the controller processes only anonymised data. This is because a processor is commonly regarded as an extension of the controller rather than an independent third party and the knowledge and access by the processor is typically ascribed to the controller. 

However, the decision should not be seen as blanket solution to the question when personal data can be considered anonymous. A case-by-case analysis of each processing scenario will still be required and the question of identifiability must always be assessed individually.

Osborne Clarke comment

The decision of the court can be and has already been appealed before the ECJ which will need to provide a final decision as the court of last resort. It is unclear, however, when the ECJ will issue such final decision. 

In the near future, however, the ECJ has to rule yet again on the question of personal data in a similar case, Gesamtverband Autoteile-Handel v Scania CV (Case C-319/22), in which Osborne Clarke represents the plaintiff. The case has been referred to the ECJ by the Regional Court of Cologne. One of the questions referred to the ECJ seeks for guidance on vehicle identification numbers (VIN) assigned to a vehicle by its manufacturer and whether these must be considered information that makes a natural person identifiable. 

In Gesamtverband Autoteile-Handel, the advocate general's opinion – which is non-binding but nonetheless often followed by the ECJ – takes a very similar view to that of the court, stating that a piece of information that is not personal in nature may become personal data for someone who reasonably has means enabling the piece of information to be associated with a specific person. The opinion has followed a "relative" approach. If the ECJ follows this view, it is very likely that it will also uphold the court’s decision and confirm its interpretation of the ECJ’s ruling in Breyer.

Please contact our experts on this and related developments.