Scania Doctrine: Cases EDPS vs SRB, Scania, IAB Europe, OC/Commission. (I)
I don't think we're in Kansas anymore, Toto
On 4 September, the CJEU published its judgment in Case C‑413/23 P (SRB vs EDPS).
In it, that court declared — once again — that pseudonymised data (for simplicity: strings of personal data from which the direct identifiers of the data subject have been removed/substituted) can be “non‑personal data” for a party that does not have access to those identifiers.
And for the first time (apparently, half of Europe expected that it would not) it declared that if that other party cannot re-identify the data subjects, directly or indirectly, the GDPR does not apply to its processing of those data.
I will call this the “Scania doctrine”, in reference to the Scania judgment C-319/22 “Gesamtverband Scania” and because that is how I've been referring to it since I read it.
[Let us leave aside for now, so as not to confuse matters, other modalities like encryption, differential privacy, etc., which fit perfectly under the same doctrine.]
You’re reading ZERO PARTY DATA. The newsletter about the crazy crazy world news from a privacy law perspective by Jorge García Herrero and Darío López Rincón.
No, Dorothy, my darling, we’re not in Kansas any more: a new world of many colors unfolds before our “privacy eyes”.
It becomes clearer with the example from Reservoir Dogs
In the legendary film Reservoir Dogs, Tarantino tells the story of a robbery that ends badly. Very badly.
What interests us here is that each of the robbers pseudonymises his identity before his fellow criminal goons by substituting his real name with a color: Mr. Pink, Mr. Orange, etc.
In this way, if one is arrested by the police, he cannot betray the others—even if he wanted to.
[As the Reservoir Dogs know and as the GDPR says, pseudonymisation is an effective security measure even among members or sections of the same organization.]
Pseudonymisation vis‑à‑vis third parties
Let us now imagine that after the heist, they decide to send their suits and shirts to the dry cleaner so that the, erm, blood stains get washed out, identifying each suit with the pseudonymous color of each robber.
And so, each could on their own go and pick up their clean suit by asking for Mr. Blue’s, Mr. Pink’s… whichever.
Fine.
Before the Breyer, Scania, IAB Europe and SRB / EDPS judgments, the contract to clean blood‑soaked suits would have required a classic DPA: a contract for processing by a third party (“data processing agreement”).
Even though the dry cleaner does not access first name or last name or ID numbers or anything like that.
It was understood, interpreting recital 26 of the GDPR literally, that personal data remained personal even if pseudonymised, if anywhere in the world, inside or outside the reach of the dry cleaner, there existed a “correlation table” that would allow linking Mr. Pink with Steve Buscemi and Mr. White with Harvey Keitel.
The consequence of that interpretation was that, even if the dry cleaner had neither the intention nor the means to re‑identify our protagonists, the GDPR would apply to its processing of those data.
The novelty is that that is no longer so in all cases.
Can the same dataset be “personal” for Mr. Pink and “non‑personal” for the dry cleaner?
Yes, of course.
According to the CJEU, the same pseudonymised dataset will be personal or not for each party depending on all the circumstances, and especially their capacity to re‑link the pseudonymised data to its subjects.
And if they do not have the capacity to do so, the GDPR will not apply to their processing of those data.
How is that capacity for re‑identification assessed: the “Identifiability Test”
The CJEU has already clarified this in another judgment published at the same time as Scania, the case C‑479/22 OC / Commission.
All objective factors must be taken into account, among them:
Not only the capacity of the recipient to combine the data in question with additional information at its disposal, but also, according to the Scania judgment …
The content, purpose and effect of the processing envisaged by that recipient, taking into account both the technology available at the time of the processing and technological advances.
Furthermore, negatively, the CJEU declared that a means is not considered reasonably usable to identify a data subject when such identification:
Is prohibited by law; or
Is practically impossible, for example because it involves an excessive effort in terms of (i) time, (ii) cost and (iii) human resources,
such that the risk of identification is in fact negligible.
It is very important that the CJEU does not propose three alternative requirements (so that any one of them suffices to discard a re‑identification means as practicable), but imposes an outcome (the third element: negligible risk of identification) derived from the first two.
To avoid any doubt on this point, see paragraph 85 of the September judgment EDPS vs SRB: “… whenever it cannot be ruled out that those third parties could reasonably attribute, by means such as cross-referencing with other data available to them, the pseudonymized data to the data subject, that person must be considered identifiable both with respect to that transmission and to any subsequent processing of those data by the said third parties”.
And I say this is very important, because one will find popular experts around saying that, if re-identification in the case or for the specific purpose is prohibited (i) by law or even (ii) by your contract with the recipient, that is sufficient and there is nothing more to evaluate: the GDPR does not apply for any purpose.
This is the typical sneaky interpretation adopted by someone who had already been doing things badly before, because… well, because they consider — rightly — that a fluffy argument is better than no argument.
But we are here to play, and to apply sound judgment and rigor in a matter that affects fundamental rights.
And in which we are going to see fights like crazy. You’ll see.
Let us say for now that, if one embraces those interpretations, personal data (and with it the data subject's right) would be better protected against legal re-identification than against illegal re-identification.
Which would be absurd. And this is one of the most consolidated jurisprudential lines of the CJEU that has already served to decapitate a few delusional ideas in the early days of application of the GDPR.
But I already explained all this calmly here.
So then, what happens with the processing of data by the dry cleaner?
Let us do a home‑made identifiability test:
If the dry cleaner is an ordinary one, with no detective, big-data (or, ahem, cinematographic) side activities, we might think that neither the purpose and effect of the processing, nor the usual means available in this kind of establishment, would allow re-identifying our bloodied robbers.
Yes, provided they pay in cash, as any self-respecting malefactor should.
The problem with the Scania doctrine is that, if the anonymised data sets are susceptible to re‑identification attacks (as we all know they are), by definition pseudonymised datasets… even more so.
Stretching the analogy, we might think that a security camera that records Mr. Pink paying with his credit card would allow the clerk later to link the payment data with the person. Or the police with those images.
Let us think for a moment about the clerk of the dry cleaner (who, to adorn the story, has lost all his savings in the heist and has huge incentives to get those responsible caught).
And succeeds in doing so.
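The home-made identifiability test can also be written down as a check a controller runs before sharing a pseudonymised dataset. The sketch below is an added example, not part of the original newsletter: it cross-references the dry cleaner's tickets with additional information it could reasonably hold (its own card terminal log) and reports which pseudonyms are singled out. Apart from the two name/colour pairs taken from the text, all names, times and field names are constructed assumptions.

```python
from datetime import datetime, timedelta

def t(hhmm):  # constructed timestamps on an arbitrary day
    return datetime.strptime("2000-01-01 " + hhmm, "%Y-%m-%d %H:%M")

# Held only by the robbers. First two rows are from the text; the rest are placeholders.
CORRELATION_TABLE = {"Steve Buscemi": "Mr. Pink", "Harvey Keitel": "Mr. White",
                     "Person C": "Mr. Orange", "Person D": "Mr. Blue"}

# What the dry cleaner processes: a pseudonym plus transaction attributes (constructed).
TICKETS = [
    {"pseudonym": "Mr. Pink", "paid_at": t("10:02"), "method": "card"},
    {"pseudonym": "Mr. White", "paid_at": t("10:40"), "method": "cash"},
    {"pseudonym": "Mr. Orange", "paid_at": t("11:15"), "method": "card"},
    {"pseudonym": "Mr. Blue", "paid_at": t("11:16"), "method": "card"},
]

# Additional information available to the recipient: its card terminal log (constructed).
CARD_LOG = [
    {"cardholder": "Steve Buscemi", "at": t("10:02")},
    {"cardholder": "Person C", "at": t("11:15")},
    {"cardholder": "Person D", "at": t("11:17")},
]

def candidates(ticket, aux, window):
    """Identities in the auxiliary data that are compatible with one ticket."""
    if ticket["method"] != "card":
        return []  # cash leaves nothing to cross-reference
    return sorted({a["cardholder"] for a in aux
                   if abs(a["at"] - ticket["paid_at"]) <= window})

def identifiability_test(tickets, aux, window=timedelta(minutes=2)):
    """Map each pseudonym to (status, candidate identities)."""
    report = {}
    for tk in tickets:
        found = candidates(tk, aux, window)
        status = ("singled out" if len(found) == 1
                  else "narrowed" if found else "not linkable")
        report[tk["pseudonym"]] = (status, found)
    return report

def reconstructed_rows(report):
    """Correlation-table rows the recipient can rebuild without ever holding the table."""
    return {names[0]: p for p, (s, names) in report.items() if s == "singled out"}

if __name__ == "__main__":
    for pseudonym, result in identifiability_test(TICKETS, CARD_LOG).items():
        print(pseudonym, result)
```

The same tickets come out "not linkable" for a recipient with no auxiliary data, which is the point of the doctrine: the result depends on what each party can cross-reference, not on the dataset alone.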
Here lies the difficulty (and beauty) of the Scania doctrine.
Must the identifiability test be documented?
Does the risk of re‑identification include only total and perfect identification of the data subject or also the “singling out” from Recital 26?
If the identifiability test is negative, does one have to sign anything in data protection terms?
Is it relevant whether the recipient is a processor, controller or joint controller?
What happens if the recipient — or someone else — does manage to re‑identify the data set?
Ah, questions…
To be continued.
Jorge García Herrero
External DPO at Freepik