In 2023, the EU General Court overruled the European Data Protection Supervisor and ruled that pseudonymized data will not be classified as personal data under the of EU data protection law when transferred to a recipient who is unable to identify individuals. Businesses are now taking a closer look at their data anonymization processes, as well as the opportunities this new ruling may offer when transferring and accessing data across borders.. Here are some frequently asked questions regarding the ruling, found below:
What Is the EU General Court’s Ruling on Pseudonymized Data?
- Pseudonymized data is not personal data if the recipient of the data does not have the means to re-identify individuals.
- Businesses can share pseudonymized data with third parties without having to comply with all of the requirements of the GDPR, such as obtaining consent from the data subjects.
Potential Implications of Data Protection Regulation Non-Compliance
- Failure to comply can result in financial penalties, reputational damage, and legal liabilities.
- Regulatory authorities, such as the European Data Protection Board (EDPB), have the authority to impose fines.
- Organizations may face legal actions from individuals whose data privacy rights have been violated.
- Non-compliance can erode customer trust, leading to loss of business opportunities and damaged relationships with partners and stakeholders.
It is crucial for organizations to prioritize data protection compliance to mitigate these risks and ensure the security and privacy of personal data.
What Consequence Did Meta Face for Violating the GDPR in 2023?
- May 22, 2023: The Irish Data Protection Commission (DPC) fined Meta, formerly known as Facebook, €1.2 billion (US$1.3 billion) for violating GDPR requirements.
- Meta’s failure to comply with the GDPR by transferring personal data from the European Union to the United States without adequate technical safeguards in place resulted in this fine.
- Meta had attempted to use standard contractual clauses (SCCs) to comply with the GDPR, but the SCCs were not sufficient.