In its judgment of 26 April 2023 (case T-557/20), the Court of Justice of the European Union (‘CJEU’) ruled that pseudonymised data transmitted to a recipient who does not have the means to identify the data subject is not personal data. This means that such information does not fall within the scope of the legislation on the protection of personal data.

Before entering into the merits of the judgment under discussion, it seems appropriate to define what is meant by ‘pseudonymisation’. According to Article 4 of Regulation (EU) 2016/679 (better known by the acronym ‘GDPR’), pseudonymisation means ‘the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person’.

The facts of the case

The facts of the case examined by the CJEU are set out below.

The case originates from several complaints received by the European Data Protection Supervisor (the ‘EDPS’) reporting specific conduct of the Single Resolution Board (‘SRB’).

Specifically, the SRB, after collecting through an electronic form the opinions of shareholders and creditors (the ‘data subjects’), had transferred the answers obtained to a consulting firm. Before forwarding the answers to the consulting firm, however, the SRB had pseudonymised the data by replacing the names of the data subjects with alphanumeric codes. The data subjects nevertheless complained to the EDPS that the information notices on the processing of personal data provided by the SRB did not specify that their personal data would be shared with third parties.

The EDPS stated that, although the data thus disclosed did not allow the consulting firm to identify the authors of the survey responses, the data, although pseudonymised, should nevertheless be considered personal data, also in view of the fact that the consulting firm received the alphanumeric codes, which allowed it to link the replies received from the same data subject.

For these reasons, the EDPS held the consulting firm (the recipient of personal data) and the SRB liable for the breach referred to in Article 15 of the GDPR – governing the right of access of the data subject – for not having provided, among other things, information about the recipients or categories of recipients to whom the personal data would be disclosed.

The decision of the Court of Justice of the European Union

The judges of the CJEU overturned the EDPS’s decision. The CJEU, in fact, stated that the decision taken by the EDPS on the nature of the pseudonymised data was incorrect, as the EDPS had not verified whether or not the company to which the data had been disclosed was able to re-identify the data subjects. That verification should have taken place on the basis of the instruments it held, or did not hold, enabling it to identify natural persons.

To determine whether or not pseudonymised information disclosed to a recipient constitutes personal data, it is necessary to ‘consider the recipient’s perspective’. If the recipient does not have additional information enabling him/her to identify the data subjects, or does not have legal means to access it, the disclosed data are considered to be anonymous data and therefore are not personal data. They are therefore excluded from the scope of application of the principles in force regarding data protection. Conversely, the fact that the party disclosing the data has the means to identify the data subjects is irrelevant.

On these grounds, the Court of Justice annulled the EDPS’s decision and ordered it to pay the costs of the proceedings.
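To make the ‘recipient’s perspective’ test concrete, the following added example (not code from the judgment or from the SRB; the names are constructed and the HMAC-based coding scheme is an assumption, since the judgment only says names were replaced with alphanumeric codes) pseudonymises survey answers, keeps the key table with the controller, and shows what a recipient holding only the codes can and cannot do.

```python
import hmac
import hashlib
from typing import Dict, List, Tuple

# Constructed sample survey answers; the names are invented.
RESPONSES = [
    {"name": "Alice Rossi", "answer": "Disagree with valuation"},
    {"name": "Bruno Bianchi", "answer": "Agree"},
    {"name": "Alice Rossi", "answer": "Request further documents"},
]


def make_code(name: str, secret: bytes) -> str:
    """Alphanumeric code derived from the name under the controller's secret.
    The same person always gets the same code, so replies can be linked;
    without the secret (the 'additional information' kept separately)
    the code cannot be turned back into a name."""
    return hmac.new(secret, name.encode(), hashlib.sha256).hexdigest()[:12]


def pseudonymise(responses: List[dict], secret: bytes) -> Tuple[List[dict], Dict[str, str]]:
    """Return (records sent to the recipient, key table kept by the controller)."""
    key_table: Dict[str, str] = {}
    records: List[dict] = []
    for r in responses:
        code = make_code(r["name"], secret)
        key_table[code] = r["name"]          # stays with the controller only
        records.append({"code": code, "answer": r["answer"]})
    return records, key_table


def recipient_view(records: List[dict]) -> Dict[str, List[str]]:
    """What the recipient can do with the codes alone: group replies by
    code (link them), but not name anyone."""
    linked: Dict[str, List[str]] = {}
    for rec in records:
        linked.setdefault(rec["code"], []).append(rec["answer"])
    return linked


def contains_names(records: List[dict], responses: List[dict]) -> bool:
    """Check that no original name leaked into the transmitted records."""
    names = {r["name"] for r in responses}
    return any(value in names for rec in records for value in rec.values())


def reidentify(records: List[dict], key_table: Dict[str, str]) -> List[dict]:
    """Re-identification is possible only for whoever holds the key table."""
    return [{"name": key_table[rec["code"]], "answer": rec["answer"]} for rec in records]
```

The recipient can see that two answers come from the same respondent, which is the linkability the EDPS relied on, while only the holder of the key table can attach a name to them.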


On 10 June, the Italian Data Protection Authority approved the new “Cookie Guidelines”. The term cookie refers to a small text file that a website (the publisher or “first party”) can autonomously send to the user’s device (e.g. smartphone, PC or tablet) when a web page is viewed, or that can be sent by different sites or web servers (“third parties”). Usually, cookies make it possible to store the preferences expressed by the user so that they do not have to be re-entered later. The browser saves the information and transmits it to the site’s server when the user visits that website again.

The Guidelines, adopted by the Data Protection Authority, considered what emerged during the public consultation promoted at the end of last year. The guidelines aimed to strengthen users’ decision-making power over the use of their data when surfing online.

Here are the main changes.

Privacy Policy

Under Regulation (EU) 2016/679 on the protection of personal data (better known as the “GDPR”), the policy to be issued to users/data subjects shall specify (i) possible recipients, (ii) the retention periods of personal data processed and (iii) a description of all the consequences of any action taken by the user/data subject.

The Data Protection Authority recommends that Analytics cookies, which the Data Controller uses to assess the effectiveness of a service, be used only for statistical purposes.

The multi-layer privacy policy is confirmed, with a banner (short policy) when accessing the site containing specific information on positioning, size, font and content, and a link to the extended policy.

The user/data subject must be able to choose between giving consent and modulating their preferences on tracking, and must be provided with a link to another area where they can select the functions, third parties and cookies, possibly grouped by similar categories, to whose use they consent.

Consent by scrolling

The mere “scrolling down” of the page cursor is unsuitable for the collection of an appropriate consent to the installation and use of profiling cookies or other tracking tools by the data controller.

Given the controller’s autonomy in identifying the most appropriate solutions to achieve compliance with data processing regulations, the Data Protection Authority invites the controller to assess every possible solution rigorously. According to the Data Protection Authority, if the user’s action does not correspond to an unmistakable, documentable computer event with the features mentioned above, including user awareness, the consent cannot be regarded as valid under applicable regulations.

Renewal of the consent request

Obtaining consent for cookies may not be repeated unless (i) the processing conditions change significantly, (ii) the site operator cannot record the user’s previous choice due to a user decision and (iii) at least six months have elapsed since the previous request.

Review of consents

Users/data subjects shall be provided with the ability to review choices made at any time and in a simple, immediate and intuitive manner. This can be done using a dedicated area made accessible through a link placed in the footer of the site that makes the function explicit and says “review your choices on cookies” or similar.

Website owners have six months to comply with the principles contained in the Guidelines.

The Court of Appeal of Venice, in ruling no. 476 of 28 June 2021, ruled on remote control, considering video recordings from cameras on company premises to be entirely usable.

Facts of the case

A company (a gambling house) had used the images collected through a video surveillance system installed on the company’s premises to initiate two separate disciplinary proceedings against an employee.

The employee, a cashier, was accused of embezzling money from the company’s cash register through various contrivances to make up for shortfalls, attributable to her, in the payment of winnings to customers and realise capital gains to her own advantage.

The judge during the summary proceeding considered the video recordings to be entirely usable as they were covered by the trade union agreement under the legislation on remote control. The only formal defect was that the employer had failed to produce the footage collected during the disciplinary proceedings.

On the employee’s objection, the judge reversed the order of the summary proceeding, considering that the video recordings could not be used. The unlawful acts were therefore not proved, with a consequent order for the company to reinstate the employee in her job (under art. 18, paragraph 4 of the Workers’ Statute).

The losing company appealed.

The Court of Appeal’s ruling

The Court of Appeal, upholding the company’s appeal, noted that:

  • the employee had been correctly informed of the installation of cameras on company premises, especially in her capacity as union representative;
  • she had often behaved irregularly and conspicuously assuming “postures typical of someone who has stolen something and tries to conceal the theft” (behaviour confirmed by colleagues);
  • the facts alleged in both disciplinary proceedings brought against her had been proven in court by the video footage and the written reports and related allegations.

In addition, interpreting the trade union agreement signed, the Court of Appeal noted that the images collected through the video surveillance system installed could be used for disciplinary purposes if there had been conduct “of particular importance or seriousness.”

For these reasons, the Court of Appeal considered the employee’s conduct to be “undoubtedly serious and capable of irreparably damaging the employer’s trust in the correctness of future performance” and recognised that all the conditions for dismissal for just cause were met.

Decree-Law no. 82/2021 (the “Decree”) was published in the Official Gazette on 14 June, containing “urgent provisions on cyber-security – definition of the national cyber-security architecture and establishment of the National Cyber-security Agency”.

The term “Cyber-security” means “activities necessary to protect networks, information systems, computer services and electronic communications from cyber threats, ensuring their availability, confidentiality, integrity and resilience” (Art. 1, paragraph 1, letter a).

The Interministerial Committee on cyber-security

The Decree, which consists of 19 articles, institutionalises the “Interministerial Committee for cyber-security” (“CIC”). CIC performs advisory, proposal and supervisory functions in the field of cyber-security policies, including the protection of national security in cyberspace. In addition, CIC has the following tasks:

  • advising the Prime Minister on general national cyber-security policies guidelines;
  • supervising national cyber-security strategy;
  • promoting the adoption of the necessary initiatives to (i) foster effective national and international cooperation, between institutional and private stakeholders in cyber-security, sharing information and (ii) adopting best practices and measures aimed at cyber-security and industrial, technological and scientific development in the cyber-security field;
  • providing an opinion on the national cyber-security Agency’s budget and balance sheet.

National Cyber Security Agency

Among the Decree’s main features is the establishment of the “National Cyber-security Agency” (“NCA” or “Agency”). The Decree specifies its functions by clarifying its composition and organisation. A special regulation, to be approved within 120 days from the entry into force of the Decree, shall define the Agency’s functioning; the Agency is composed of eight general management level offices and thirty non-general management level offices within the available resources (art. 12 paragraph 1).

The Agency is the main body in the cyber-security field, acting as a national authority and centralising the various expertise hitherto attributed to other bodies, including those of the Ministry of Economic Development. Its tasks include:

  • protecting national interests and essential state functions from cyber threats;
  • developing national prevention, monitoring, detection and mitigation capabilities to deal with cyber-security incidents and cyber-attacks;
  • enhancing the security of Information and Communications Technology (“ICT”) systems of entities included in the national cyber security perimeter, public administrations, essential service operators and digital service providers;
  • supporting the development of industrial, technological and scientific skills, promoting projects for innovation and development, while stimulating the growth of a solid national workforce in the cyber-security field aiming at national strategic autonomy;
  • providing a single national stakeholder for public and private entities in the field of security measures and inspection activities in the national cyber-security perimeter, security of networks, information systems, and electronic communication networks.

Cyber-security Unit

The Agency is supported by the “Cyber-security unit”, which supports the Prime Minister on aspects relating to the prevention of and preparation for possible crises and the activation of warning procedures. The main tasks entrusted to this body include:

  • formulating initiatives concerning the country’s cyber-security;
  • promoting, programming and operational planning of the response to cyber crisis situations by administrations and private operators;
  • conducting inter-ministerial exercises, as well as national participation in international exercises involving the simulation of cyber events, to increase the country’s resilience and involvement in cyber-security crises.


By 30 April of each year, the Prime Minister must report to Parliament on the Agency’s activity in the previous year. As an Italian National Coordination Centre, the Agency will interface with the “European Cyber-security Industrial, Technology and Research Competence Centre“, contributing to increasing the European strategic autonomy in the sector.


Under Law No. 81 of 22 May 2017 on “Measures for the protection of non-entrepreneurial self-employment and measures aimed to facilitate flexibility in regard to locations and times of subordinate work”, remote working has recently been regulated in the Italian legal regime for the first time. This is a flexible style of working, regulated within the employment relationship and characterised by the absence of time and workplace constraints and by forms of organisation of work by stages, cycles and objectives.

When implementing remote working in their company, employers must take personal data protection regulations into account.

Regulation (EU) 2016/679 on the protection of personal data (the “GDPR”) introduced the principle of accountability, namely the requirement for the data controller (in our case the employer) to take proactive steps to show that concrete measures have been put in place to ensure the implementation of this Regulation. Essentially, the employer is obliged to identify and manage risks associated with the data processing carried out, in accordance with the principle of data protection “by design” (involving the protection of specific data processing operations) and “by default”.

This means that, in the case of remote working, the employer must carry out a proper risk assessment and, where necessary, an impact assessment in order to analyse all existing and potential risks and identify the technical and organisational data security measures that are required in order to guarantee secure data protection operations. The employer, accordingly, must adopt Regulations, Policies or Guidelines which set out the conduct that smart workers must adopt in order to ensure the confidentiality, integrity and availability of data processed in the course of their duties.

The employer must also ascertain and verify that remote controls are not invasive in nature, in contravention of Article 4 of Law 300/1970. This means that the systems that allow continuous monitoring of employees’ use of work tools and the company network must be subject to detailed scrutiny.

For this very reason, remote workers must receive detailed information on the various ways in which the employer exercises its power of control, and on what forms of conduct could potentially trigger or attract disciplinary sanctions.

Beyond this, the employer must train remote workers so that they are fully cognisant of and familiar with the tools available to them, the various risks, and the measures to be adopted while remote working.