JUDGMENT OF THE GENERAL COURT (Eighth Chamber, Extended Composition)
26 April 2023 (*)
(Protection of personal data – Procedure for granting compensation to shareholders and creditors following the resolution of a bank – Decision of the EDPS in which it found that the SRB failed to fulfil its obligations concerning the processing of personal data – Article 15(1)(d) of Regulation (EU) 2018/1725 – Concept of personal data – Article 3(1) of Regulation 2018/1725 – Right of access to the file)
In Case T‑557/20,
Single Resolution Board (SRB), represented by H. Ehlers, M. Fernández Rupérez, A. Lapresta Bienz, acting as Agents, and by H.‑G. Kamann, M. Braun, F. Louis, and L. Hesse, lawyers,
applicant,
v
European Data Protection Supervisor (EDPS), represented by P. Candellier, X. Lareo and T. Zerdick, acting as Agents,
defendant,
THE GENERAL COURT (Eighth Chamber, Extended Composition),
composed of A. Kornezov, President, G. De Baere (Rapporteur), D. Petrlík, K. Kecsmár and S. Kingston, Judges,
Registrar: I. Kurme, Administrator,
having regard to the written part of the procedure,
further to the hearing on 1 December 2022,
gives the following
Judgment
1 By its action based on Article 263 TFEU, the Single Resolution Board (SRB) seeks, first, annulment of the revised decision of the European Data Protection Supervisor (EDPS) of 24 November 2020 adopted following the SRB’s request for review of the decision of the EDPS of 24 June 2020 concerning five complaints submitted by several complainants (Cases 2019-947, 2019-998, 2019-999, 2019-1000 and 2019-1122) (‘the revised decision’) and, second, a declaration that the decision of the EDPS of 24 June 2020 (‘the original decision’) is illegal.
Background to the dispute
2 On 7 June 2017, the SRB, in its executive session, adopted Decision SRB/EES/2017/08 concerning a resolution scheme in respect of Banco Popular Español, SA (‘the resolution scheme’) on the basis of Regulation (EU) No 806/2014 of the European Parliament and of the Council of 15 July 2014 establishing uniform rules and a uniform procedure for the resolution of credit institutions and certain investment firms in the framework of a Single Resolution Mechanism and a Single Resolution Fund and amending Regulation (EU) No 1093/2010 (OJ 2014 L 225, p. 1).
3 On the same day, the European Commission adopted Decision (EU) 2017/1246 endorsing the resolution scheme (OJ 2017 L 178, p. 15).
4 In the resolution scheme, the SRB, considering that the conditions laid down by Article 18(1) of Regulation No 806/2014 were satisfied, decided to place Banco Popular Español (‘Banco Popular’) under resolution. The SRB decided to write down and convert Banco Popular’s capital instruments pursuant to Article 21 of Regulation No 806/2014 and to apply the sale of business tool under Article 24 of Regulation No 806/2014 by transferring the shares to a purchaser.
5 Following the resolution of Banco Popular, on 14 June 2018, Deloitte sent to the SRB the valuation of difference in treatment, provided for in Article 20(16) to (18) of Regulation No 806/2014, carried out in order to determine whether the shareholders and creditors would have received better treatment if Banco Popular had entered into normal insolvency proceedings (‘Valuation 3’).
6 On 6 August 2018, the SRB published on its website its Notice of 2 August 2018 regarding its preliminary decision on whether compensation needs to be granted to the shareholders and creditors in respect of which the resolution actions concerning Banco Popular have been effected and the launching of the right to be heard process (SRB/EES/2018/132) (‘the preliminary decision’), and a non-confidential version of Valuation 3. On 7 August 2018, an announcement with regard to the SRB Notice was published in the Official Journal of the European Union (OJ 2018 C 277 I, p. 1).
7 In the preliminary decision, the SRB stated that, in order for it to be able to take its final decision on whether the shareholders and creditors affected by the resolution of Banco Popular should be granted compensation in accordance with Article 76(1)(e) of Regulation No 806/2014, it was inviting the affected shareholders and creditors to express their interest in exercising their right to be heard pursuant to Article 41(2)(a) of the Charter of Fundamental Rights of the European Union (‘the Charter’).
The right to be heard process
8 The SRB indicated in the preliminary decision that the right to be heard process would take place in two phases. In the first phase (‘the registration phase’), the affected shareholders and creditors were invited to express their interest in exercising their right to be heard, using an online registration form by 14 September 2018. The SRB then had to verify whether each party that had expressed an interest did in fact qualify as an affected shareholder or creditor. In the second phase (‘the consultation phase’), the affected shareholders and creditors whose status had been verified by the SRB were able to submit their comments on the preliminary decision, to which Valuation 3 was annexed.
9 In the registration phase, the affected shareholders and creditors wishing to exercise their right to be heard had to provide the SRB with supporting documentation proving that on the resolution date they owned one or more of the capital instruments of Banco Popular that were written down or converted and transferred to Banco Santander, SA in the context of the resolution. The supporting documentation to be provided included proof of identity and proof of ownership of one of those capital instruments on 6 June 2017.
10 On 6 August 2018, the first day of the registration phase, the SRB also published, on the web page for registering for the right to be heard process and on its website, a privacy statement concerning the processing of personal data in the context of the right to be heard process (‘the privacy statement’).
11 On 16 October 2018, the SRB announced on its website that from 6 November 2018 the eligible shareholders and creditors would be invited to submit their written comments on the preliminary decision during the consultation phase.
12 On 6 November 2018, the SRB sent the eligible shareholders and creditors by email a unique personal link to an online form (‘the form’). The form contained seven questions, with limited space for answering, enabling the affected shareholders and creditors to submit comments on the preliminary decision and on the non-confidential version of Valuation 3 by 26 November 2018.
13 The SRB examined the relevant comments from affected shareholders and creditors with regard to the preliminary decision. It asked Deloitte, in its capacity as independent valuer, to assess the relevant comments relating to Valuation 3, to provide it with a document containing its assessment, and to examine whether Valuation 3 was still valid in the light of those comments.
The processing of data collected by the SRB in the context of the right to be heard process
14 The data collected during the registration phase, that is to say, proof of the participants’ identity and of ownership of written down or converted and transferred capital instruments of Banco Popular, were accessible to a limited number of SRB staff tasked with processing those data in order to determine the participants’ eligibility.
15 Those data were not visible to the SRB staff tasked with processing the comments received in the consultation phase, during which those staff members only received comments identified by reference to an alphanumeric code allocated to each individual comment submitted using the form. The alphanumeric code consisted of a 33-digit globally unique identifier randomly generated at the time the responses to the form were received.
16 In a first step, the SRB automatically filtered 23 822 comments, each of which was allocated a unique alphanumeric code, submitted by 2 855 participants in the process. Two algorithms identified 20 101 comments as being identical. The comment submitted first was considered the original comment and was assessed in the analysis phase, and the identical comments received subsequently were identified as duplicates.
17 In a second step, the analysis phase, the SRB examined the comments with the aim of ensuring consistency in terms of assessing their relevance and of categorising (or grouping) them into defined themes. The SRB identified similar but not identical comments based on the same sources available on the Internet.
18 The SRB staff responsible for analysing the comments had access neither to the data collected in the registration phase – with the result that the comments were separated from the personal information of the persons who submitted them – nor to the data key or to information by which the identity of the participants could be traced by reference to the unique alphanumeric code assigned to each individual comment.
19 During that analysis phase, the SRB compared all the comments submitted and classified them according to which question on the form they answered. The comments were then assessed in terms of their relevance and divided into, on the one hand, those falling within the scope of the right to be heard process because they could influence the preliminary decision or Valuation 3 and, on the other hand, those falling outside that scope because they related to other aspects of the resolution of Banco Popular.
20 A comment falling within the scope of the process was then assigned to 1 of the 15 themes predefined by the SRB. Depending on the theme to which they related, the comments were divided into those to be examined by the SRB because they related to the preliminary decision and those to be examined by Deloitte because they related to Valuation 3. Among the comments that had to be examined, the SRB did not distinguish between comments that had been submitted on only one occasion and those that had duplicates.
21 At the end of the analysis phase, the SRB had identified 3 730 individual comments classified according to their relevance and theme.
22 In a third step, the review phase, the comments relating to the preliminary decision were handled by the SRB while those relating to Valuation 3, that is to say, 1 104 comments, were transferred to Deloitte on 17 June 2019, using a secure SRB-dedicated virtual data server. The SRB uploaded the files to be shared with Deloitte to the virtual server and granted access to those files to a limited and controlled number of Deloitte staff who were directly involved in the project.
23 The comments transferred to Deloitte were filtered, categorised and aggregated. Where the comments were duplicates of earlier comments, only one version was transmitted to Deloitte. This meant that individual comments that had been duplicated could not be distinguished within a single theme, and Deloitte was unaware whether a comment had been made by one or more participants in the process.
24 The comments transferred to Deloitte were solely those that were received during the consultation phase and that bore an alphanumeric code. On account of that code, only the SRB could link the comments to the data received in the registration phase. The alphanumeric code was developed for audit purposes to verify, and if necessary to demonstrate subsequently, that each comment had been handled and duly considered. Deloitte had, and still has, no access to the database of data collected during the registration phase.
The procedure before the EDPS
25 On 19, 26 and 28 October, and 5 December 2019, affected shareholders and creditors who had responded to the form submitted five complaints to the EDPS (cases 2019-947, 2019-998, 2019-999, 2019-1000 and 2019-1122) (‘the five complaints’) under Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ 2018 L 295, p. 39).
26 Those five complainants (‘the complainants’) relied on the fact that the SRB had failed to inform them that the data collected through the responses on the forms would be transmitted to third parties, namely Deloitte and Banco Santander, in breach of the terms of the privacy statement. They claimed that, by doing so, the SRB had infringed Article 15(1)(d) of Regulation 2018/1725, according to which, ‘where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with … information [concerning] the recipients or categories of recipients of the personal data, if any’.
27 On 12 December 2019, the EDPS informed the SRB that he had received five complaints, and requested it to submit comments.
28 On 24 June 2020, following a procedure in which the SRB provided various explanations at the request of the EDPS and the complainants submitted observations, the EDPS adopted the original decision. The EDPS found that the SRB had infringed Article 15 of Regulation 2018/1725 because it had failed to inform the complainants, in its privacy statement, that their personal data might be disclosed to Deloitte. As a result, he issued the SRB with a reprimand for that infringement, under Article 58(2)(b) of Regulation 2018/1725.
29 On 22 July 2020, the SRB requested the EDPS to review the original decision under Article 18(1) of the Decision of the EDPS of 15 May 2020 adopting the Rules of Procedure of the EDPS (OJ 2020 L 204, p. 49). The SRB provided, inter alia, a detailed description of the right to be heard process and of how the comments submitted by the four identified complainants during the consultation phase had been analysed. It argued that the information transmitted to Deloitte did not constitute personal data within the meaning of Article 3(1) of Regulation 2018/1725.
30 On 5 August 2020, the EDPS informed the SRB that, in the light of new information provided, he had decided to re-examine the original decision and would adopt a decision replacing it.
31 On 24 November 2020, following the review procedure, during which the complainants submitted observations and the SRB provided additional information at the request of the EDPS, the latter adopted the revised decision.
32 The EDPS decided to revise the original decision in the following terms:
‘1. The EDPS finds that the data the SRB shared with Deloitte were pseudonymous data, both because the comments in [the consultation phase] were personal data and because the SRB shared the alphanumeric code that allows linking the replies given in [the registration phase] with the ones given in [the consultation phase] – notwithstanding the fact that the data provided by the participants to identify themselves in [the registration phase] were not disclosed to Deloitte.
2. The EDPS finds that Deloitte was a recipient of the complainants’ personal data under Article 3(13) of [Regulation 2018/1725]. The fact that Deloitte was not mentioned in SRB’s [privacy statement] as a potential recipient of the personal data collected and processed by the SRB as the controller in the context of the [right to be heard] process constitutes an infringement of the information obligations laid down in Article 15(1)(d) [of Regulation 2018/1725].
3. In light of all the technical and organisational measures set up by the SRB to mitigate the risks for the individuals’ right to data protection in the context of the [right to be heard] process, the EDPS decides not to exercise any of his corrective powers laid down in Article 58(2) of [Regulation 2018/1725].
4. The EDPS nevertheless recommends the SRB to ensure that the data protection notice in future [right to be heard] processes covers the processing of personal data in both the registration phase and the consultation phase, and includes all potential recipients of the information collected, in order to fully comply with the obligation to inform data subjects in accordance with Article 15 [of Regulation 2018/1725].’
Forms of order sought
33 The SRB claims, after modification of the form of order sought, that the General Court should:
– annul the revised decision;
– declare the original decision illegal;
– order the EDPS to pay the costs.
34 The EDPS contends that the General Court should:
– dismiss the action;
– order the SRB to pay the costs.
Law
The second head of claim, requesting the General Court to ‘declare the original decision illegal’
35 In the present case, it is common ground between the parties that the revised decision repealed and replaced the original decision.
36 The EDPS argues that, as a result, the head of claim concerning the original decision is inadmissible.
37 The SRB contends that it retains an interest in establishing the procedural irregularities that led to the adoption of the original decision, namely infringements of its rights of defence and of its right of access to the file, so that they do not recur in future procedures. It stated, in its reply to a measure of organisation of procedure, that, by its second head of claim, it was not seeking the annulment of the original decision, which had been repealed and replaced by the revised decision with ex tunc effect, but rather a declaration of its illegality.
38 The Court must therefore hold that, by its second head of claim, the SRB seeks to obtain a declaratory judgment and not the annulment of an act.
39 However, it is sufficient to note that, according to settled case-law, the Court, in the context of a review of legality based on Article 263 TFEU, does not have jurisdiction to give declaratory judgments (see judgments of 4 February 2009, Omya v Commission, T‑145/06, EU:T:2009:27, paragraph 23 and the case-law cited, and of 13 September 2018, DenizBank v Council, T‑798/14, EU:T:2018:546, paragraph 135 and the case-law cited).
40 It follows that the SRB’s second head of claim, requesting the Court to ‘declare the original decision illegal’, must be rejected on the ground that the Court has no jurisdiction to hear and determine it.
Admissibility of the first head of claim, seeking annulment of the revised decision
41 The admissibility of actions is an absolute bar to proceeding that can be raised by the EU Courts of their own motion at any time (see judgment of 16 March 2022, MEKH and FGSZ v ACER, T‑684/19 and T‑704/19, EU:T:2022:138, paragraph 29 and the case-law cited; see also, to that effect, judgment of 24 March 1993, CIRFS and Others v Commission, C‑313/90, EU:C:1993:111, paragraph 23). In the context of a measure of organisation of procedure, the General Court asked the parties, inter alia, whether the revised decision constituted an act open to challenge under Article 263 TFEU.
42 In his reply to that question, the EDPS states that the fact that the revised decision contains its final position and a finding of infringement is not sufficient for it to constitute a reviewable act. It is necessary that that position brings about a change in the legal situation of the SRB. Since the EDPS did not make use, in the revised decision, of his corrective powers provided for in Article 58 of Regulation 2018/1725, that decision can be considered not to produce legal effects for the purposes of being open to review under Article 263 TFEU.
43 The SRB, in its reply to that question, argues that the revised decision has legal effects capable of affecting its interests.
44 It follows from case-law that, under the fourth paragraph of Article 263 TFEU, a natural or legal person may challenge only measures the legal effects of which are binding on, and capable of affecting the interests of, that person by bringing about a distinct change in his or her legal position. Thus, it is in principle those measures which definitively determine the position of an institution, body, office or agency of the European Union upon the conclusion of an administrative procedure, and which are intended to have legal effects capable of affecting the interests of the complainant, that constitute acts open to challenge, and not intermediate measures whose purpose is to prepare for the final decision, which do not have those effects (see judgments of 25 June 2020, SatCen v KF, C‑14/19 P, EU:C:2020:492, paragraphs 69 and 70 and the case-law cited, and of 6 May 2021, and ABLV Bank and Others v ECB, C‑551/19 P and C‑552/19 P, EU:C:2021:369, paragraph 39 and the case-law cited).
45 In order to determine whether the contested act produces such effects, it is necessary to examine the substance of that act and to assess those effects on the basis of objective criteria, such as the content of that act, taking into account, as appropriate, the context in which it was adopted and the powers of the EU institution, body, office or agency which adopted the act (judgments of 22 April 2021, thyssenkrupp Electrical Steel and thyssenkrupp Electrical Steel Ugo v Commission, C‑572/18 P, EU:C:2021:317, paragraph 48 and the case-law cited; of 6 May 2021, ABLV Bank and Others v ECB, C‑551/19 P and C‑552/19 P, EU:C:2021:369, paragraph 41 and the case-law cited; and of 6 October 2021, Tognoli and Others v Parliament, C‑431/20 P, EU:C:2021:807, paragraph 34 and the case-law cited).
46 In the first place, the Court notes that the revised decision was adopted by the EDPS following a request from the SRB for revision of the original decision. The revised decision, adopted following an adversarial administrative procedure, repeals and replaces the original decision and constitutes a decision definitively laying down the position of the EDPS on the five complaints.
47 Article 64(2) of Regulation 2018/1725, relating to the right to an effective judicial remedy, provides that actions against decisions of the EDPS are to be brought before the Court of Justice of the European Union.
48 In particular, Article 18 of the Rules of Procedure of the EDPS, on the basis of which the revised decision was adopted, provides, inter alia, in paragraph 3 thereof:
‘Where following a request that it review its decision on a complaint, the EDPS issues a new, revised decision, the EDPS shall inform the complainant and the institution concerned that they may challenge this new decision before the Court of Justice of the European Union in accordance with Article 263 [TFEU].’
49 In that regard, the covering letter for the revised decision sent to the SRB contains the following wording:
‘Please note that this Decision repeals and replaces the decision adopted on 24 June 2020. You may bring an action for annulment against this Decision before the Court of Justice of the European Union, within two months from the adoption of the present Decision and according to the conditions laid down in Article 263 TFEU.’
50 In the second place, as regards the substance of the revised decision, the Court notes, first, that the EDPS concluded that the SRB had infringed its obligation to provide information under Article 15(1)(d) of Regulation 2018/1725 and, second, that he advised the SRB, in essence, to ensure that such an infringement is not repeated in its privacy statements.
51 First, the Court finds that, pursuant to Article 65 of Regulation 2018/1725, such an infringement is capable of rendering the SRB liable, as controller of the data concerned, where the other conditions laid down in the Treaties are satisfied.
52 Second, pursuant to Article 66(1) of Regulation 2018/1725, when deciding whether to impose an administrative fine on an EU institution or body and deciding on the amount of the administrative fine, the EDPS is to give regard to, inter alia, any similar previous infringements by that institution or body. Therefore, if the SRB were to fail to follow the EDPS recommendation to amend its privacy statements in the future in right to be heard processes, a similar infringement of Article 15(1)(d) of Regulation 2018/1725 by the SRB could be found and a fine could be imposed.
53 It follows that the finding, in the revised decision, that the SRB infringed Article 15(1)(d) of Regulation 2018/1725 produces binding legal effects, even though the EDPS stated that he was waiving his right to exercise his corrective powers provided for in Article 58(2) of Regulation 2018/1725.
54 In the light of the foregoing, the revised decision is an EU act capable of affecting the interests of the person to whom that act is addressed by bringing about a distinct change in his or her legal position. It therefore constitutes an act open to challenge for the purpose of Article 263 TFEU.
55 Accordingly, it must be held that the first head of claim seeking annulment of the revised decision is admissible.
Substance
56 In support of its action, the SRB relies on two pleas in law. The first alleges infringement of Article 3(1) of Regulation 2018/1725 in so far as the information transmitted to Deloitte did not constitute personal data. The second plea alleges infringement of the right to good administration enshrined in Article 41 of the Charter.
57 By its first plea, the SRB argues that the EDPS infringed Article 3(1) of Regulation 2018/1725 by finding, in the revised decision, that the information transmitted to Deloitte constituted the complainants’ personal data.
58 Article 3(1) of Regulation 2018/1725 defines personal data as ‘any information relating to an identified or identifiable natural person [and states that] an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person’.
59 It is apparent from that definition that information constitutes personal data, in particular, if two cumulative conditions are met, namely, first, that that information ‘relates’ to a natural person and, second, that that person is ‘identified or identifiable’.
The condition laid down in Article 3(1) of Regulation 2018/1725 that the information is to ‘relate’ to a natural person
60 The SRB argues that the comments received during the consultation phase and communicated to Deloitte did not relate to specific persons within the meaning of Article 3(1) of Regulation 2018/1725. It argues that the reasoning followed in the judgment of 20 December 2017, Nowak (C‑434/16, EU:C:2017:994), does not apply to the complainants’ comments. It submits that the information contained in the complainants’ comments was factual and legal information independent of the persons or personal qualities of the complainants and unrelated to their private life. It maintains that the purpose of the right to be heard process was to assess factual and legal arguments concerning the preliminary decision and Valuation 3 from a large number of interested parties, whose personality and identity were not relevant for the purposes of assessing their comments.
61 The EDPS argues that the content of the comments of the affected shareholders and creditors is information ‘relating to’ them, given that their responses contained and reflected their personal view, even if they relied on publicly available information. The responses on the form from the complainants and the other participants constitute personal data, irrespective of whether they are the expression of an original point of view or of a view shared with others and irrespective of whether the SRB regards them as information independent of the specific privacy rights of the affected shareholders and creditors.
62 The EDPS also contends that the comments constituted personal data by reason of their effect. The assessment of those comments, the purpose of which was to verify the validity of Valuation 3 and the legality of the preliminary decision, was liable to have an effect on the participants’ interests and rights regarding financial compensation. Lastly, the EDPS argues that the purpose of collecting those comments was to grant procedural rights to each party, in order to collect their individual viewpoints.
63 In the revised decision, the EDPS stated that the responses received during the consultation phase constituted personal data of the complainants, as they contained their personal views and were thus information relating to them, even if they relied on publicly available information to express their views. It claimed that the fact that the complainants expressed similar, though not identical, views to those of other participants did not mean that their responses did not reflect their own views. Consequently, the EDPS maintained that the responses provided in the free text fields by the complainants and other participants must all be considered personal data, whether those responses are the expression of an original and unique view or a view shared with others or inspired by or taken from publicly available information. It added that that conclusion was not contradicted by the judgment of 20 December 2017, Nowak (C‑434/16, EU:C:2017:994), where the Court of Justice did not make a distinction between responses entirely elaborated by the respondents and responses taken from other sources of knowledge.
64 The Court must examine whether the EDPS was entitled to conclude that the information transmitted to Deloitte ‘related’ to a natural person within the meaning of Article 3(1) of Regulation 2018/1725.
65 As a preliminary point, it should be noted that, in the revised decision, the EDPS classified as personal data all the comments made by the affected shareholders and creditors in the context of the consultation phase and did not limit his assessment solely to the information transmitted to Deloitte.
66 In so far as the infringement of Article 15(1)(d) of Regulation 2018/1725 found in the revised decision concerned only the fact that the SRB did not mention, in the privacy statement, that Deloitte was a potential recipient of certain data, it is appropriate for the Court to limit its examination to whether the information transmitted to Deloitte was personal data within the meaning of Article 3(1) of Regulation 2018/1725.
67 In that regard, Article 3(13) of Regulation 2018/1725 defines ‘recipient’ as ‘a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not’.
68 According to case-law, the use of the expression ‘any information’ in the definition of the concept of ‘personal data’, within Article 3(1) of Directive 2018/1725, reflects the aim of the EU legislature to assign a wide scope to that concept, which is not restricted to information that is sensitive or private, but potentially encompasses all kinds of information, not only objective but also subjective, in the form of opinions and assessments, provided that it ‘relates’ to the data subject (see, by analogy, judgment of 20 December 2017, Nowak, C‑434/16, EU:C:2017:994, paragraph 34).
69 As regards the latter condition, the Court of Justice has held that it is satisfied where the information, by reason of its content, purpose or effect, is linked to a particular person (see judgment of 20 December 2017, Nowak, C‑434/16, EU:C:2017:994, paragraph 35).
70 However, in the revised decision, the EDPS did not examine the content, the purpose or the effect of the information transmitted to Deloitte.
71 It merely stated that the comments produced by the complainants during the consultation phase reflected their opinions or views and concluded, on that basis alone, that they constituted information relating to the complainants, which was sufficient to classify them as personal data.
72 At the hearing, the EDPS confirmed that, according to him, any personal opinion constituted personal data. He also acknowledged that he had not examined the content of the comments submitted by the complainants during the consultation phase.
73 Admittedly, it cannot be ruled out that personal views or opinions may constitute personal data. However, it is apparent from paragraphs 34 and 35 of the judgment of 20 December 2017, Nowak (C‑434/16, EU:C:2017:994), cited in paragraphs 68 and 69 above, that such a conclusion cannot be based on a presumption such as the one described in paragraphs 71 and 72 above, but must be based on the examination of whether, by its content, purpose or effect, a view is linked to a particular person.
74 It follows that, since the EDPS did not carry out such an examination, he could not conclude that the information transmitted to Deloitte constituted information ‘relating’ to a natural person within the meaning of Article 3(1) of Regulation 2018/1725.
75 The General Court will move on to examine the EDPS’s assessment of whether the information transmitted to Deloitte related to an ‘identified or identifiable’ natural person.
The condition laid down in Article 3(1) of Regulation 2018/1725 that the information is to relate to an ‘identified or identifiable’ natural person
76 The SRB argues that, contrary to what the EDPS found, sharing the alphanumeric code with Deloitte did not make the data ‘pseudonymous’. They remained anonymous, because the SRB did not share with Deloitte the information allowing re-identification of the author of those comments.
77 The SRB submits that the data are rendered anonymous for a third party, even if the information allowing re-identification is not irrevocably eliminated and resides with the original processor, as long as the form in which the data are shared with that third party does not allow re-identification anymore or where re-identification is not reasonably likely. The SRB argues that, contrary to what the EDPS found in the revised decision, Regulation 2018/1725 and the case-law of the Court of Justice require an assessment of the risk of re-identification.
78 Specifically, the SRB claims that the conditions laid down by the case-law of the Court of Justice concerning whether there is a risk of re-identification where the information that could identify the data subject is not all held by one person, but by more than one party, are not satisfied in the present case. First, the alphanumeric code assigned to the individual comments does not enable Deloitte to re-identify the data subjects who submitted comments. The additional information referred to in Article 3(6) of Regulation 2018/1725 corresponds to the decoding database, to which only the SRB has access. Second, with respect to the test relating to a reasonable likelihood that the information would be combined, Deloitte did not have and still does not have any lawful means of gaining access to the additional, identifying information.
79 The EDPS contends that the fact that Deloitte did not have access to the information held by the SRB that would enable re-identification does not mean that the ‘pseudonymised’ data transmitted to Deloitte became anonymous data. It is not necessary to determine whether the persons who provided the information transmitted to Deloitte were re-identifiable by Deloitte or whether re-identification by Deloitte was reasonably likely. ‘Pseudonymised’ data remain so even when transmitted to a third party that does not have additional information.
80 The EDPS argues that the use of the term ‘indirectly’ in Article 3(1) of Regulation 2018/1725 means that, for information to be classified as personal data, it is not necessary that that information alone allows the data subject to be identified. Furthermore, as regards the means reasonably likely to be used both by the controller and by any other person, there is no requirement that all the information enabling the identification of the data subject must be in the hands of one person.
81 In the revised decision, the EDPS found that the information transmitted to Deloitte was pseudonymised data. In that regard, he stated that the difference between pseudonymous and anonymous data is that, in the case of anonymous data, there was no ‘additional information’ that could be used to attribute the data to a specific data subject, whereas, in the case of pseudonymous data, there is such additional information. Therefore, in order to assess whether data are anonymous or pseudonymous, it is necessary to consider whether there is any ‘additional information’ that can be used to attribute the data to specific data subjects.
82 He noted that the SRB had transmitted to Deloitte not only certain comments from the affected shareholders and creditors, but also the corresponding alphanumeric code, and that Deloitte had not had access to the responses given during the registration phase. He stated that, as the SRB had explained, ‘it was impossible for Deloitte to trace the identity of any party using this code by reference to the hard data provided by the eligible parties as part of the registration phase (which was at all times retained by the SRB)’. However, the EDPS found that the data provided during the registration phase together with the unique identifier, namely the alphanumeric code attributed to each eligible participant, constituted a perfect example of ‘additional information’ within the meaning of Article 3(6) of Regulation 2018/1725, because it could be used by the SRB to attribute the data to a specific data subject.
83 The EDPS explained that Regulation 2018/1725 did not distinguish between those who kept pseudonymous data and those who held additional information and that the fact that they were different entities did not make pseudonymous data anonymous. It added that the fact that Deloitte was not in a position to attribute the comments singlehandedly to the registration-phase data did not alter the fact that the data it had received were ‘pseudonymised’. According to the EDPS, the data the SRB had shared with Deloitte were pseudonymous data, both because the comments received during the consultation phase were personal data and because the SRB shared the alphanumeric code that allowed the responses given in the registration phase to be linked with the ones given in the consultation phase – notwithstanding the fact that the data provided by the participants to identify themselves in the registration phase had not been disclosed to Deloitte. It concluded that the information transmitted to Deloitte constituted ‘pseudonymised’ data and, therefore, personal data within the meaning of Article 3(1) of Regulation 2018/1725.
84 As a preliminary point, the Court finds that, having regard to the mechanisms put in place by the SRB concerning the processing of data collected in the context of the right to be heard process, described in paragraphs 14 to 24 above, the information transmitted to Deloitte did not concern ‘identified’ persons.
85 The Court must therefore examine whether the EDPS was entitled to take the view that the information transmitted to Deloitte related to an ‘identifiable’ natural person within the meaning of Article 3(1) of Regulation 2018/1725.
86 According to that provision, an ‘identifiable natural person’ is one who can be identified, directly or indirectly.
87 Recital 16 of Regulation 2018/1725 reads as follows:
‘… Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information, should be considered to be information on an identifiable natural person. To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person, to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments. …’
88 The General Court notes that, in the judgment of 19 October 2016, Breyer (C‑582/14, EU:C:2016:779), the Court of Justice interpreted the concept of personal data within the meaning of Article 2(a) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ 1995 L 281, p. 31), which contains a provision which is equivalent to Article 3(1) of Regulation 2018/1725.
89 That case raised the question whether a dynamic internet protocol address (‘IP address’) constituted personal data vis-à-vis the online media services provider which had registered it. The Court of Justice held that it was necessary to ascertain whether that IP address could be treated as information relating to an ‘identifiable natural person’, taking into account, first, that it did not, in itself, give that service provider the possibility to identify the user who had consulted that website and, second, the fact that the necessary additional information which, if combined with the IP address, would enable the user to be identified, was held by the internet service provider.
90 In so far as recital 16 of Regulation 2018/1725 refers to the means likely reasonably to be used by both the controller and by ‘any other person’, its wording suggests that, for information to be treated as ‘personal data’ within the meaning of Article 3(1) of Regulation 2018/1725, it is not required that all the information enabling the identification of the data subject must be in the hands of one person (see, by analogy, judgment of 19 October 2016, Breyer, C‑582/14, EU:C:2016:779, paragraph 43).
91 However, the Court added that the fact that the additional information necessary to identify the user of a website was held not by the online media services provider, but by that user’s internet service provider did not appear to be such as to exclude that dynamic IP addresses registered by the online media services provider constituted personal data for that provider (judgment of 19 October 2016, Breyer, C‑582/14, EU:C:2016:779, paragraph 44).
92 The Court of Justice nevertheless held that it must be determined whether the possibility to combine a dynamic IP address with the additional information held by the internet service provider constituted a means likely reasonably to be used to identify the data subject (judgment of 19 October 2016, Breyer, C‑582/14, EU:C:2016:779, paragraph 45).
93 The Court of Justice stated that that would not have been the case if the identification of the data subject had been prohibited by law or had been practically impossible on account of the fact that it would have required a disproportionate effort in terms of time, cost and man-power, so that the risk of identification would have appeared in reality to be insignificant (judgment of 19 October 2016, Breyer, C‑582/14, EU:C:2016:779, paragraph 46).
94 In the present case, it is not disputed, first, that the alphanumeric code appearing on the information transmitted to Deloitte did not in itself allow the authors of the comments to be identified and, second, that Deloitte did not have access to the identification data received during the registration phase that would have allowed the participants to be linked to their comments by virtue of the alphanumeric code.
95 The EDPS stated in the revised decision and confirmed at the hearing that the additional information necessary to identify the authors of the comments consisted of the alphanumeric code and the identification database.
96 It is true that, as the EDPS maintains, in the light of paragraph 43 of the judgment of 19 October 2016, Breyer (C‑582/14, EU:C:2016:779), cited in paragraph 90 above, the fact that the additional information necessary to identify the authors of the comments received during the consultation phase was held not by Deloitte, but by the SRB, does not appear such as to exclude a priori that the information transmitted to Deloitte constituted, for Deloitte, personal data.
97 However, it is also apparent from the judgment of 19 October 2016, Breyer (C‑582/14, EU:C:2016:779), that, in order to determine whether the information transmitted to Deloitte constituted personal data, it is necessary to put oneself in Deloitte’s position in order to determine whether the information transmitted to it relates to ‘identifiable persons’.
98 The Court notes, first, that the infringement of Article 15(1)(d) of Regulation 2018/1725 found by the EDPS in the revised decision concerned the transfer by the SRB of certain comments to Deloitte and not merely the fact that the SRB held those comments.
99 Second, Deloitte’s situation can be compared to that of the online media services provider referred to in the judgment of 19 October 2016, Breyer (C‑582/14, EU:C:2016:779), given that it held information, namely the comments relating to Valuation 3, which did not constitute information relating to an ‘identified natural person’, in so far as the alphanumeric code appearing on each response did not make it possible directly to reveal the identity of the natural person who filled in the form. The SRB’s situation can also be compared to that of the internet service provider in that case, in so far as it is common ground that the SRB alone held additional information enabling the affected shareholders and creditors who responded on the form to be identified, namely the alphanumeric code and the identification database.
100 Therefore, pursuant to paragraph 44 of the judgment of 19 October 2016, Breyer (C‑582/14, EU:C:2016:779), cited in paragraph 91 above, it was for the EDPS to examine whether the comments transmitted to Deloitte constituted personal data for Deloitte.
101 Thus, the EDPS is incorrect to maintain that it was not necessary to ascertain whether the authors of the information transmitted to Deloitte were re-identifiable by Deloitte or whether such re-identification was reasonably possible.
102 It must be stated that, in the revised decision, the EDPS concluded that the fact that the SRB held additional information enabling the authors of the comments to be re-identified was sufficient to conclude that the information transmitted to Deloitte was personal data, while acknowledging that the identification data received during the registration phase had not been communicated to Deloitte.
103 Accordingly, it is apparent from the revised decision that the EDPS merely examined whether it was possible to re-identify the authors of the comments from the SRB’s perspective and not from Deloitte’s.
104 It is apparent from paragraph 45 of the judgment of 19 October 2016, Breyer (C‑582/14, EU:C:2016:779), cited in paragraph 92 above, that it was for the EDPS to determine whether the possibility of combining the information that had been transmitted to Deloitte with the additional information held by the SRB constituted a means likely reasonably to be used by Deloitte to identify the authors of the comments.
105 Therefore, since the EDPS did not investigate whether Deloitte had legal means available to it which could in practice enable it to access the additional information necessary to re-identify the authors of the comments, the EDPS could not conclude that the information transmitted to Deloitte constituted information relating to an ‘identifiable natural person’ within the meaning of Article 3(1) of Regulation 2018/1725.
106 It follows from all of the foregoing that the first plea in law must be upheld and, accordingly, the revised decision must be annulled, without it being necessary to examine the second plea in law.
Costs
107 Under Article 134(1) of the Rules of Procedure of the General Court, the unsuccessful party is to be ordered to pay the costs if they have been applied for in the successful party’s pleadings.
108 Since the EDPS has essentially been unsuccessful, he must be ordered to pay the costs, in accordance with the form of order sought by the SRB.
On those grounds,
THE GENERAL COURT (Eighth Chamber, Extended Composition)
hereby:
1. Annuls the revised decision of the European Data Protection Supervisor (EDPS) of 24 November 2020 adopted following the request from the Single Resolution Board (SRB) for review of the decision of the EDPS of 24 June 2020 concerning five complaints submitted by several complainants (Cases 2019-947, 2019-998, 2019-999, 2019-1000 and 2019-1122);
2. Dismisses the action as to the remainder;
3. Orders the EDPS to pay the costs.
Delivered in open court in Luxembourg on 26 April 2023.
E. Coulon | | M. van der Woude |