CJEU: pseudonym for one may be anonymous for another, room for handling personal data
Resolution with external independent examination
The issue concerns a resolution scheme declared applicable to a Spanish bank by the Joint Resolution Board. This is complicated financial law matter and I will leave those financial aspects for the moment (thankfully). In the context of resolution, one of the issues to be assessed is whether the shareholders and creditors would have been better off if a normal insolvency procedure had been followed instead of the specific resolution procedure (freely translated: should the bank have been allowed to go bankrupt?). The shareholders and creditors concerned could come forward to be heard on this issue. They could then submit their comments in an online form. During the proceedings, many thousands of comments were received. After initial analysis, most of these turned out to be identical (i.e., apparently a standard text). After an initial filtering for such duplications, relevance and subject matter, nearly 4000 relevant comments eventually remain. Over 1100 of them are about whether one would have been better off with a normal bankruptcy. Those over 1100 comments are shared with the external auditor Deloitte for independent external advice. The comments are hereby stripped of personal data; only a unique alphanumeric code is still attached to them. Deloitte did not have the key to trace the alphanumeric code back to a person; that key was held only by the financial authority. Stakeholder complaints: insufficient transparency about sharing personal data Some of the shareholders and creditors complained to the European privacy supervisor (the EDPS) that it had not been made sufficiently clear beforehand that data would be shared with, among others, Deloitte. Privacy regulator: insufficiently transparent, but no enforcement The stakeholders' complaint eventually leads - after some procedural hassle - to the EDPS' decision that there was indeed insufficient transparency. The EDPS is of the opinion that the data shared with Deloitte qualify as (pseudonymized) personal data, that Deloitte was therefore a 'recipient' of these data, and that transparency should therefore have been respected. However, given all the safeguards already in place, the EDPS saw no reason to take formal enforcement action. Financial authority challenges the decision So although no enforcement action will be taken, the Joint Resolution Board is challenging the EDPS decision. This (matter of principle) thus ultimately ends up before the General Court of the Court of Justice. The issue before the General Court is whether the GA can appeal now that no enforcement action has been taken. The Court holds that it is, since the EDPS decision produces binding legal effects. Now that the EDPS has found that the GA violated privacy regulations, the G