Scania doctrine: Judgment EDPS vs SRB, Scania, IAB Europe, OC/Commission (II) Reidentification of the pseudonymized dataset. Transparency
No one said it was going to be easy
This is the second post in a series that started last week, exactly here:
Scania Doctrine: Cases EDPS vs SRB, Scania, IAB Europe, OC/Comisión. (I)
On 4 September, the CJEU published its judgment in Case C‑413/23 P (SRB vs EDPS).
You are reading ZERO PARTY DATA. The newsletter on current affairs, technopolies and law by Jorge García Herrero and Darío López Rincón.
In the spare time this newsletter gives us, we like to solve complicated issues in personal data protection. If you have one of those, wave your hand like this. Or contact us by email at jgh(at)jorgegarciaherrero.com
Thanks for reading Zero Party Data! Sign up!
Reidentification of the pseudonymized dataset: The GDPR wasn’t dead: it was partying
The dataset seemed non‑personal when it got to the dry cleaner, but the sharp shop assistant, quite a boss, has managed to indirectly identify the thieves.
In legal terms, when the dataset changed hands the GDPR did not apply, but hours, days, months later or whatever, it becomes applicable again.
Dramatic, huh?
This fact, this “liquid quality” of pseudonymized data is the issue one needs to deal with: the dataset can be non‑personal on Tuesday and personal on Thursday.
Pseudonymization vs anonymization
By way of comparison, when we anonymize a dataset, we have made an effort so that no one can reidentify the original data‑subjects.
We all know that nowadays no anonymization can be considered invulnerable (especially if it contains fine geolocation data).
But by definition, the risk of reidentification is, in general and in the abstract, lower (and with it, normally also the usefulness of the dataset) than in the case of pseudonymization.
Because in pseudonymization, somewhere there exists a correlation table or another piece of information that serves precisely to reidentify all the data subjects in the dataset.
These two assertions of the EDPB, read in its (controversial) 2024 guidelines on pseudonymization are only true with nuances in view of the Scania doctrine.
Doctrine which voluntarily and consciously was ignored by the supreme sanhedrin of European data protection.
The guidelines are pending being published in their definitive version.
Because of previous ego clashes between EDPB and CJEU (see Schrems II), this bald fellow doesn’t expect substantial changes: this is Europe, friend!!
In this respect, it is appropriate to remember that the AEPD (which also doesn’t seem very happy with Scania) must follow the interpretation that the EDPB makes of the GDPR (although on certain issues it very naturally goes its own way), but the Audiencia Nacional, which reviews (and annuls) the sanctions of the AEPD, must follow the CJEU.
White.
In bottle.
Milk.
If you are looking for a data protection officer who has been working on this issue for years and is ready to go, reach out!!
If we conclude that the recipient does not have the capacity to reidentify the dataset… Is it even mandatory to sign a DPA (Data Processing Agreement) or include data protection regulation in the main contract?
This question has earned a thousand answers, each more delulu than the last.
This is mine.
The data controller has a general obligation to comply with and demonstrate compliance with the GDPR (accountability). And many other particular ones (lawfulness, security, etc…).
Well then, one does not need to dissect things too finely to conclude that the application of the Scania doctrine must be done carefully.
The CJEU has opened stupendous paths to compliance for situations that had become (or always had been, depending on how you look at it) unnecessarily complicated.
Now then, it is fully the responsibility of the Controller to evaluate and verify, to the extent of its capabilities, the circumstances of the planned processing and the reidentification capabilities of the recipient, before giving them free and unregulated access to its pseudonymized dataset.
· That the test of identifiability of the dataset in the hands of the recipient has to be documented, you don’t have to ask the CJEU.
· That the “transfer of pseudonymized data” must be documented in writing, neither.
· That as soon as you think about it, a bunch of obligations as “basic content” to include in that transfer are going to occur to you, I take them for granted.
I have thought of a few (and several means to effectively mitigate the reidentification risk), after all I have been fighting with colleagues and companies about this issue for years.
But there are two key things I share here because it is about making things as good as possible together… “Privacy is a team sport” as Dr. Cavoukian said.
The pseudonymization measures should be the most effective in each case to prevent reidentification of the dataset by the third‑party recipient. Because the accountability of the Controller also goes that far. One thing is to take advantage of the opportunities life gives you and another very different thing is to flat‑out ignore everything.
What is signed must take into account that what today is not personal data, tomorrow can be. Again, to learn more, check out my training.
Does the Scania doctrine apply differently to those who would be processors and those who would be controllers if the dataset had been personal instead of pseudonymized?
In my opinion, yes.
The role that the third party plays (processor if they act on behalf of the controller or controller if acting for their own purposes, or even co‑controller) if the dataset “becomes personal” determines what must be signed.
It seems absurd to me to defend that if the third party is a processor nothing needs to be signed, and in any other case, yes.
The famous transparency obligation
Much has been said about the CJEU’s declaration of the obligation to inform the data subjects of the future transferees of their data, before the transmission (paragraph 112).
Not to dwell too much:
As Robert Bateman and Darth Craddock have correctly pointed out, that whole part is “contaminated” by the references to a “consent of the data subjects” that nobody sees anywhere.
Because no one asks consent from the data subject to give access to their data to a processor (Deloitte: and if the third party is a controller, they are one for regulatory reasons, not because they are not providing a service).
But I believe that the essence of this issue has not been captured. The court punctuates those statements with references to “in the present matter”.
I think the key paragraph is 100, which links to Breyer:
“According to … Breyer (C‑582/14, EU:C:2016:779), … the relevant perspective to assess the identifiability of the data subject depends essentially on the circumstances that characterise the processing of data in each concrete case.”
Privacy (and the Scania doctrine) are furiously contextual.
It is seen better with two different examples:
Case 1
If my organization had provided access in July 2025 to a pseudonymized dataset to a third party who reasonably could not reidentify the data subjects… Should I today, in view of this doctrine, inform afterwards those data subjects of this “transfer”?
My opinion: no, because this “transfer” does not fall under the GDPR. And also it was clear, before the CJEU re‑ratified it.
Case 2
I’m thinking of doing a carefully worked pseudonymization of my datasets so as to apply Scania and maybe give access to carefully selected third parties, for narrow purposes and with zero possibility of reidentifying my users.
Do I have to inform today, when I don’t even know who the transferees will be nor the final circumstances of the move, to my users?
No.
All that is a processing in itself considered; when we reach that river, we will cross that bridge, we will inform of the pseudonymization processing for Scania, we will provide right of objection.
Will I have to inform of each “transferee” as I give access in turn?
No.
If someone thinks yes, I am all ears. But with good arguments, and warning that a bad argument will not be repeating paragraph 112 of SRB vs EDPS, a declaration of the CJEU made for a case that has nothing to do with the one I present here.
Have a very good week.
To be continued.
Jorge García Herrero
External Freepik DPO