Written by: Bart Van Buitenen
SRB is completely irrelevant for 95% of DPOs
“There, I said it.” Now that the dust has settled somewhat and the stream of LinkedIn posts dissecting the finer points of the definition of personal data has slowed down, it is time to reflect on what a DPO in practice can actually do with that judgment. Spoiler: not much.
As befits a clickbait title, the nuance follows one or two paragraphs later. In the broader context of interpreting the GDPR and the concept of personal data, the SRB case is of course interesting. That is why numerous academic articles and legal analyses have already been devoted to it, and why DPI also addresses this case during the Stay Tuned sessions. However, DPOs operate with their feet firmly in the mud of data protection, and for many of them that mud now seems only to have become thicker.
Why does SRB have little impact for the DPO?
What is too rarely mentioned about the SRB case is the very specific context in which the ruling was delivered. As the Court's own case law shows, any conclusions drawn from a judgment must be read within that specific context. SRB disclosed specific data, in a specific manner, and had implemented specific safeguards. It would be excessive to outline them all here, but it suffices to say that this specific context does not apply to many of the situations in which the SRB ruling is now eagerly invoked.
In various places, the following action points were mentioned in response to SRB:
- Identify recipients of pseudonymised data in your privacy notice
- Review your data sharing agreements concerning pseudonymised data
- Reassess your data flows
Are you an organisation that frequently exchanges complex pseudonymised or anonymised datasets? Then this may certainly be relevant to you. But again, 95% of DPOs do not work in such organisations and therefore need not be concerned.
One group of DPOs who do encounter this issue are those in healthcare. Several DPOs have indicated that they are now confronted with parties seeking access to data held by healthcare institutions. Often, the relevant physician or management is also interested, as such data exchanges may be accompanied by compensation. These parties were previously refused on the advice of the DPO but now return and refer to SRB.
The DPO, often already in the position of having to say ‘No’, now faces internal criticism: “But there is a ruling from the highest court stating that the data are anonymous!” Your straightforward reply as a DPO should be: “Can you demonstrate how the situation described in SRB applies to this proposed data transfer?” In other words, the burden is on the requesting party to demonstrate that the data in this situation are effectively anonymous and remain so. Do not forget that last point: in today’s AI-driven world, data can be re-identified more easily, and the likelihood that complex datasets are truly anonymous has become even smaller.
Sometimes your best advice is that someone else should give advice
Since we are discussing anonymisation, DPOs in Belgium have an additional responsibility assigned under the Data Protection Act (also referred to as the Framework Act). Pursuant to Article 204:
Article 204. Where a data protection officer has been designated in accordance with Article 190, that officer shall provide advice on the use of different methods of pseudonymisation and anonymisation, in particular on their effectiveness in protecting data.
This is often interpreted as meaning that the DPO should confirm that data are sufficiently anonymised. I consider myself an experienced DPO, yet declaring complex datasets to be anonymous exceeds my expertise, as does advising on the appropriate anonymisation methods. I frequently state that a dataset is not anonymous; I am far more cautious about asserting the opposite.
This is where I return to a key principle: sometimes the best advice is that someone else should give advice. There are specialised parties, so-called trusted third parties (or ‘derde vertrouwenspersonen’ as referred to in Article 203 of the Framework Act), or other experts who can provide such an assessment. If the controller considers it sufficiently important, such expertise can and should be sought.