Dr Paul Ogendi is a lecturer at the University of Nairobi, Faculty of Law-Kisumu Campus. He is also an Advocate of the High Court of Kenya.
Background
On 26 April 2023, the European Union (EU) General Court made an important decision about the applicable test relating to pseudonymous data. On 7 June 2017, the Single Resolution Board (SRB) approved a resolution scheme in respect of Banco Popular Español, SA (BPE). To determine compensation for shareholders and creditors, it engaged Deloitte to undertake an independent valuation (Valuation 3) to determine whether they would have received better treatment under normal insolvency. On 14 June 2018, Deloitte sent its report to SRB.
On 6 August 2018, SRB published a non-confidential version of the report (Valuation 3) on its website. It also published its preliminary decision expressing its intention not to compensate. Before taking a final decision on compensation, SRB was required by Article 41(2)(a) of the Charter of Fundamental Rights of the European Union to give the shareholders and creditors the opportunity to exercise their right to be heard. A privacy statement on the processing of personal data was published on the same date.
The SRB’s right-to-be-heard process had two separate phases, designed so that the personal data collected at registration could be kept separate from the comments received in the later phase, or at least so that the identity of those commenting could be hidden behind carefully controlled alphanumeric codes. Phase one required shareholders and creditors to register online and upload supporting documents proving their identity and their ownership of one or more capital instruments in BPE.
Thereafter, phase two, launched on 6 November 2018, required eligible shareholders and creditors to submit their written comments on Valuation 3 and the preliminary decision of SRB by using a unique personal link to an online form. The comments were to be submitted by 26 November 2018. To process the data, SRB used a separate group of staff, who had no access to the registration details, to analyse the comments thematically. The comments that could affect Valuation 3 were then submitted, via a secure SRB-dedicated virtual data server, to Deloitte for assessment, to help validate its report before SRB took a final decision on compensation. Deloitte received only comments from the consultation phase that had been pseudonymised using alphanumeric codes. It had no access to the personal data received during the registration phase.
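The two-phase separation described above, as an added illustration that is not SRB’s own system: a registration store that stays with the controller issues a random alphanumeric code per participant, the consultation phase carries only code and comment, and a controller-side check blocks records that would let the recipient link a comment to a person (extra fields, or comment text that itself names a registered participant). Names, e-mails and comments used with it are constructed sample data.

```python
import secrets
import string

ALPHABET = string.ascii_uppercase + string.digits


class RegistrationStore:
    """Held only by the controller (SRB in the case): each participant's identity
    details and the alphanumeric code issued to them. This store never leaves the
    controller, so the recipient of the comments has nothing to resolve a code with."""

    def __init__(self):
        self._by_code = {}

    def register(self, name: str, email: str) -> str:
        # A fresh random code per participant: unlike a hash of the name or email,
        # it cannot be recomputed or brute-forced by someone holding only the code.
        while True:
            code = "".join(secrets.choice(ALPHABET) for _ in range(10))
            if code not in self._by_code:
                break
        self._by_code[code] = {"name": name, "email": email}
        return code

    def reidentify(self, code: str):
        return self._by_code.get(code)

    def identities(self):
        return list(self._by_code.values())


def pseudonymised_record(code: str, comment: str) -> dict:
    """The only fields the consultation phase carries forward: code and comment."""
    return {"code": code, "comment": comment}


def release_check(records: list, store: RegistrationStore) -> list:
    """Controller-side check before transfer. Returns the codes that must not be
    released: records carrying extra fields, or comments whose own text names a
    registered participant (content that links the comment to a person)."""
    blocked = []
    for rec in records:
        text = rec.get("comment", "").lower()
        if set(rec) != {"code", "comment"} or any(
            p["name"].lower() in text or p["email"].lower() in text
            for p in store.identities()):
            blocked.append(rec.get("code"))
    return blocked
```

A recipient that holds only the released records, and so only a fresh, empty `RegistrationStore`, gets `None` from `reidentify` for every code, while the controller still resolves each code to a participant.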
On various dates between October and December 2019, five complaints were submitted to the European Data Protection Supervisor (EDPS) pursuant to Regulation (EU) 2018/1725 of the European Parliament and of the Council of Europe of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies, and on the free movement of such data. The complaints concerned the fact that the privacy statement published by SRB did not disclose that the data being collected would be shared with third parties, namely Deloitte and Banco Santander. This was in breach of Article 15(1)(d) of Regulation 2018/1725, which requires data controllers to inform data subjects in advance, at the time their data is collected, who the recipient(s) will be.
The original decision of EDPS
On 24 June 2020, the EDPS in its original decision reprimanded SRB for failing to provide the said information to the data subjects. On 22 July 2020, SRB requested a review of the original decision, among other things by elaborating on the measures it had employed in the right-to-be-heard process. It noted that Deloitte did not receive personal data within the meaning of Article 3(1) of Regulation 2018/1725. The complainants were also given an opportunity to submit their observations.
The revised decision of EDPS
On 24 November 2020, the EDPS adopted a revised decision. Among other things, it found that, notwithstanding the measures put in place, including the use of alphanumeric codes which pseudonymised the data shared with Deloitte, the data shared was still personal data, and that the failure to mention Deloitte in the privacy statement was an infringement of the information obligations laid down in Article 15(1)(d) of Regulation 2018/1725 (despite the fact that the registration-phase data was not shared with Deloitte).
General Court’s decision
SRB, aggrieved by this decision, approached the General Court to, among other things, annul the revised decision and declare the original decision illegal. The request to annul the revised decision was declared admissible, while the request concerning the original decision was not, since the original decision had effectively been replaced by the revised decision.
On substance, the General Court examined the claim that the data shared with Deloitte was personal data. It noted that personal data must meet two cumulative conditions: the information should relate to a ‘natural person’ and, secondly, that person should be ‘identified’ or ‘identifiable’. The General Court did not delve deeply into the issue of whether the complainants were ‘natural persons’. Elsewhere, I have argued that legal persons do not fall within the ambit of data protection legislation because they are not natural persons (see the critique of the Allen Waiyaki Gichuhi S.C. v DPC case here: https://www.datalaw.africa/2023/05/29/90-day-dpc-kenya/).
The General Court instead focused on whether the data shared with Deloitte related to ‘identified’ or ‘identifiable’ natural persons. The Court dealt with the former as a preliminary point and found that the mechanism put in place by SRB meant that Deloitte did not receive information relating to ‘identified’ persons.
Therefore, the main issue to be determined by the General Court was whether the information transmitted to Deloitte related to an ‘identifiable’ natural person within the meaning of Article 3(1) of Regulation 2018/1725. The regulation defines such a person as ‘one who can be identified, directly or indirectly’. Referring to Recital 16 of Regulation 2018/1725, the General Court inferred that all the information enabling identification of the data subject need not be in the hands of one person, because the wording used is that pseudonymous data will qualify as personal data if there are available ‘means likely reasonably to be used by both the controller and by any other person’. There is an inherent recognition that a person other than the controller may have access to the data.
The General Court invoked the Breyer (C-582/14, EU:C:2016:779) case and noted that the test as to what it means to constitute ‘a means likely reasonable to be used to identify the data subject’ was found to be inapplicable ‘if the identification of the data subject had been prohibited by law or had been practically impossible on account of the fact that it would have required a disproportionate effort in terms of time, cost and man-power, so that the risk of identification would have appeared in reality to be insignificant.’ In the SRB case, the General Court observed that ‘it is not disputed, first, that the alphanumeric code appearing on the information transmitted to Deloitte did not itself allow the authors of the comments to be identified and, second, that Deloitte did not have access to the identification data received during the registration phase that would have allowed the participants to be linked to their comments by virtue of the alphanumeric code.’
The issue to be resolved therefore concerned the differing interpretations the two parties gave to what constitutes personal data. According to SRB, relying on the 20 December 2017 Nowak (C-434/16, EU:C:2017:994) case, the comments submitted to Deloitte were ‘factual and legal information independent of the persons or personal qualities of the complainants and unrelated to their private life’. The EDPS, on the other hand, insisted that the comments constituted information ‘relating to’ the affected shareholders and creditors and, to this extent, constituted personal data. Furthermore, the EDPS argued that the effect of the comments made them personal data, since they would be used to verify the validity of Valuation 3 and the legality of the preliminary decision, which would affect the interests and rights of the participants in terms of their financial compensation. Based on the above, the two bodies had different interpretations of the term ‘personal data’.
The General Court, relying on the Nowak case, reiterated the Court of Justice’s position that information is personal data where, by reason of its content, purpose or effect, it is linked to a particular person. It noted that the EDPS unfortunately did not conduct such an examination but instead concluded that the data supplied to Deloitte was personal data because it ‘related to the complainants’. Commenting on this point, the General Court noted that, whereas personal views and opinions may constitute personal data, the Nowak case required an examination ‘of whether, by its content, purpose or effect, a view is linked to a particular person’. Furthermore, since that assessment was not conducted by the EDPS, it was impossible to determine that the information in question constituted information ‘relating’ to a natural person within the meaning of the relevant law. In other words, the General Court required the EDPS to carry out an actual examination before arriving at its conclusion on this matter.
The General Court then examined whether the data shared with Deloitte related to an identifiable natural person. In this regard, relying on the Court of Justice’s 19 October 2016 Breyer (C-582/14, EU:C:2016:779) case, the General Court noted that ‘in order to determine whether the information transmitted to Deloitte constituted personal data, it is necessary to put oneself in Deloitte’s position in order to determine whether the information transmitted to it relates to ‘identifiable’ persons’. It noted that the alleged infringement by SRB related to ‘the transfer by the SRB of certain comments to Deloitte and not merely the fact that the SRB held those comments’.
The General Court then annulled the revised decision because the ‘EDPS did not investigate whether Deloitte had legal means available to it which could in practice enable it to access the additional information necessary to reidentify the author of the comments’, and so the EDPS could not conclude that the information transmitted to Deloitte constituted information relating to an ‘identifiable natural person’ within the meaning of Article 3(1) of Regulation 2018/1725. The General Court rejected the EDPS’s objective test, which focused on the possibility of reidentifying the participants in general rather than from Deloitte’s point of view. The approach taken by the General Court asks not whether any person, including SRB, would be able to reidentify the authors – i.e. an objective test – but rather whether the person receiving the data is capable of reidentifying the participants (a subjective test). This approach therefore meant that even though the data supplied to Deloitte was personal data in the hands of SRB, it could not have a similar status in the hands of Deloitte, because the data was pseudonymised and therefore was anonymous to everyone else.
Lessons for Kenya
Kenyan courts faced with a similar set of facts should take the approach of the General Court, because a subjective test will allow for better governance of personal data. For instance, it will promote secondary health research, because data controllers holding crucial historical data in health facilities or biobanks can pseudonymise it and release it to third parties, or even to the public, without having to worry about the regulations on personal data, because it will be anonymous data in the recipients’ hands. The only obligation will be for data controllers to implement adequate technical and organisational measures to prevent those accessing the data from reidentifying the data subject(s). This can be done contractually and technically, using appropriate technologies. Pursuant to the Breyer case, controllers are not expected to guard against illegal reidentification of a data subject, and where reidentification would require a disproportionate effort in terms of time, cost and manpower, the risk of identification is significantly minimised.