The Single Resolution Board (SRB) is a European authority created in 2014 as part of the European Banking Union. Its objective is to contribute to financial stability by ensuring the orderly resolution of troubled banks and avoiding a systemic crisis. The SRB can be asked to take resolution measures for an ailing bank, such as restructuring, sale or liquidation, to protect depositors, investors and financial stability.
The SRB was asked to look after Banco Popular Español, which was in the throes of collapse.
Without going into the details of the mechanism, the following key points should be borne in mind:
- The bank’s shareholders were involved in the procedure not only because they had to declare themselves as shareholders, but also because they could submit comments at various stages of the bank’s resolution procedure;
- Shareholders could participate via the SRB website, where they would find a declaration on the processing of their personal data;
- For the purposes of the procedure, the SRB must at some point call in a third-party asset valuer. In this case, Deloitte performed this role;
- The declaration relating to the processing of personal data did not inform data subjects of a transfer of personal data to Deloitte.
Based on this observation, five shareholders lodged a complaint which ended up on the desk of the European Data Protection Supervisor (EDPS).
EDPS: the transfer of data was not indicated in the privacy statement
At the end of the procedure before it, the EDPS considered the complaint to be well-founded:
- The data that the SRB shared with Deloitte was pseudonymised data;
- Deloitte was a recipient of the Claimants’ personal data, and the fact that Deloitte was not mentioned in the SRB’s privacy statement as a potential recipient of the personal data collected and processed by the SRB, in its capacity as controller in the context of the right to be heard procedure, constitutes a breach of the information obligation provided for in Article 15(1)(d) of Regulation 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of individuals with regard to the processing of personal data by the institutions, bodies, offices and agencies of the Union and on the free movement of such data and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC.
The SRB disagreed and took its case to the EU General Court, arguing that the data transferred to Deloitte was not personal data within the meaning of the Regulation, and that it was therefore not obliged to inform data subjects of the transfer.
The importance of organising your transfer
In the minds of the court and the parties, there can be little doubt that the data is, at the outset, personal: the names of the shareholders are given, together with their levels of shareholding in the bank and any objections or comments they may have.
There is also little doubt about the legitimacy of Deloitte’s intervention: the involvement of an external valuer is a step in the process and an important guarantee for aggrieved shareholders.
The court noted the care taken by the SRB in organising the transfer:
- Data collected during the registration phase, such as proof of identity and ownership of the bank’s capital instruments, was accessible only to a limited number of SRB staff to determine the eligibility of participants. This data was not accessible to SRB staff members responsible for processing comments received during the consultation phase.
- The SRB automatically filtered the comments received, using algorithms to identify duplicates, and reviewed the comments relevant to their categorisation. The SRB staff responsible for analysing the comments did not have access to the data collected during the registration phase, nor to the data key or to information enabling a participant’s identity to be traced.
- Comments were classified according to relevance and theme, and those relevant to the preliminary decision were dealt with by the SRB, while those relating to valuation were transferred to Deloitte for review.
- Comments transferred to Deloitte were filtered, categorised and aggregated, and duplicates were removed. Deloitte did not have access to the database collected during the registration phase and had no way of knowing whether a comment had been made by one or more participants in the process. An alphanumeric code was used to check that each comment had been taken into account.
For the SRB, it follows from all this that the comments received during the consultation phase and communicated to Deloitte did not relate to specific persons within the meaning of Article 3(1) of Regulation 2018/1725: “the information contained in the Claimants’ comments was factual and legal information independent of the Claimants’ persons or personal qualities and unrelated to their private lives. It considers that the purpose of the procedure relating to the right to be heard was to assess arguments of fact and law concerning the preliminary decision and the recovery […] from a large number of interested parties, whose personalities and identities were irrelevant for the purposes of assessing their comments”.
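The separation the court describes (identity data and the data key in one store, comments handled by staff without access to it, and a deduplicated, aggregated export carrying only a fresh tracking code) can be modelled in a few lines. This is an added illustration, not the SRB's own code; the store classes, the `leaks_identifiers` pre-transfer check and all sample data are constructed for the example.

```python
import secrets
from dataclasses import dataclass, field

# Constructed model of the separation described above (not the SRB's code).
# Identity data and comment data live in separate stores; only the registration
# store links a participant to a pseudonym, and it is never exported.

@dataclass
class RegistrationStore:
    # pseudonym -> identity proof; visible only to eligibility staff
    identities: dict = field(default_factory=dict)

    def register(self, name: str, holding: int) -> str:
        code = secrets.token_hex(8)          # the "data key" entry for this person
        self.identities[code] = {"name": name, "holding": holding}
        return code

@dataclass
class CommentStore:
    # (participant pseudonym, theme, text); analysts see no identity data
    comments: list = field(default_factory=list)

    def submit(self, pseudonym: str, theme: str, text: str) -> None:
        self.comments.append((pseudonym, theme, text))

def build_valuer_export(store: CommentStore, theme: str) -> list:
    """Filter comments on one theme, drop duplicates and aggregate them so the
    recipient cannot tell whether one or many participants wrote the same text.
    Each unique comment gets a fresh tracking code unrelated to any pseudonym."""
    seen = {}
    for _pseudonym, t, text in store.comments:
        if t != theme:
            continue
        key = " ".join(text.split()).casefold()    # normalise before dedup
        if key not in seen:
            seen[key] = {"ref": secrets.token_hex(4), "text": text.strip()}
    return list(seen.values())

def leaks_identifiers(export: list, reg: RegistrationStore) -> bool:
    """Pre-transfer check: no pseudonym or registered name may appear in the
    export, including inside free text a participant typed themselves."""
    blob = " ".join(item["ref"] + " " + item["text"] for item in export)
    for code, ident in reg.identities.items():
        if code in blob or ident["name"] in blob:
            return True
    return False
```

The last check matters because pseudonymisation of the link table does nothing about a name a participant writes into the comment body; that free text is what the recipient actually receives.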
On the contrary, the EDPS argues that the content of the comments of the affected shareholders and creditors is information “concerning” them, as their responses contained and reflected their personal views.
Data can lose its “personal” character when transferred to a third party
First of all, the Court returned to the concept of personal data: the aim of the EU legislator is to give a broad meaning to this concept, which covers any information provided that it relates to an identified or identifiable person.
All very well! But when does data concern a person, and when is that person identifiable?
The court refers to Nowak, in which the Court held that data relates to a person where, by reason of its content, purpose or effect, the information is linked to a specific person (judgment of 20 December 2017, Nowak, C‑434/16, EU:C:2017:994, paragraph 35).
The SRB insists that the question is not whether the data has been pseudonymised, but whether the data transferred to Deloitte is personal: we are in a situation where “all the information likely to allow identification is not held by a single person, but by several parties”.
According to the SRB, which invokes the Court’s case law, a concrete assessment of the risk of re-identification is required.
The court agreed and referred to the CJEU’s Breyer ruling on IP addresses.
In this ruling, the CJEU began by pointing out that it is not necessary for all the information enabling the data subject to be identified to be in the hands of a single person: personal data can therefore be obtained by cross-checking information held by several data controllers. However, the Court advocated a realistic approach: it must be determined whether the possibility of combining the information held by controller 1 with the additional information held by controller 2 can be “reasonably implemented” to identify the data subject. The Court indicated that this is not the case if the identification of the data subject is prohibited by law or unfeasible in practice, for example because it would involve a disproportionate effort in terms of time, cost and manpower, so that the risk of identification appears in reality to be insignificant.
Returning to this case, the court emphasised that in the event of a transfer, it is necessary to put oneself in the shoes of the recipient in order to analyse whether means of re-identification can reasonably be implemented.
The Court therefore considers that the EDPS’s decision, which was based on a theoretical logic of overlap without taking account of concrete possibilities, should be annulled.