BACK TO RESOURCES

Redefining Personal Data: Understanding the EU General Court’s Ruling on Pseudonymized Data

By Protegrity
Jun 5, 2023

Summary

1 min read
  • On April 26, 2023, the General Court of the European Union (EU) ruled that organizations within the EU can share pseudonymized data with third parties
  • This ruling, called T-557/20, SRB v EDPS, discussed the use of pseudonymized data for businesses transferring data across borders
  • Protegrity’s Borderless Data™ Solution can provide an arsenal of tools to help you meet regulatory compliance requirements as policies change

In a ruling made on April 26, 2023, the General Court of the European Union (EU) made a groundbreaking decision changing the definition of personal data that has been in place since the adoption of the General Data Protection Regulation (GDPR). This ruling has significant data-sharing implications for organizations within the EU and enables them to share data with third parties more easily, as long as it’s appropriately de-identified. Furthermore, the ruling underscores the evolving global landscape of data privacy regulations. 

The case that sparked this ruling was T-557/20, SRB v EDPS, discussing the use of pseudonymized data. The General Court made a crucial distinction, stating that pseudonymized data doesn’t qualify as personal data if a data recipient can’t re-identify the data subjects. It does not matter if the original sender can re-identify this data.  This means that organizations within the EU can share pseudonymized data with third parties without having to comply with all of the requirements of the GDPR, such as obtaining consent from the data subjects. 

Use Case: Failure to Comply

On May 22, 2023, Meta, formerly known as Facebook, was fined €1.2 billion (US$1.3 billion) by the Irish Data Protection Commission (DPC) for violating the General Data Protection Regulation (GDPR):  

  • Failure to Comply: The fine was for Meta’s failure to comply with the GDPR by transferring personal data from the European Union to the United States without adequate technical safeguards in place.  
  • A Red Herring: Meta had attempted to use standard contractual clauses (SCCs) to comply with the GDPR, but the SCCs were not sufficient.   

Pseudonymize Your Sensitive Data with the Protegrity Borderless Data ™ Solution 

The Protegrity Borderless Data Solution enables organizations to de-identify sensitive data within its original jurisdiction while preserving its type, length, and format through look table-lookup mechanisms, such as tokenization. Users outside the original jurisdiction cannot re-identify the protected data, which means they cannot see the protected fields. Thanks to the recent ruling by the General Court of the EU, data protected and shared with the Protegrity Borderless Data Solution has been found by the General Court of the EU to be compliant with the GDPR. court’s standards, Protegrity ensures data compliance and privacy, empowering organizations to transfer data across any borders and leverage the full potential of data analytics. 

Contact us today to learn more about how Protegrity can ensure the compliance and privacy of your data. 

Recommended Next Read