SRB v EDPS - facts, context, high-level impacts & remaining questions

SRB is the Single Resolution Board. It represents the central resolution authority within the European Banking Union. The SRB and the national resolution authorities of the participating Member States form the Single Resolution Mechanism ('SRM') (see Regulation (EU) 806/2014 (SRM-R).

The SRB is an institution of the European Union. In this respect, Regulation (EU) 2018/1725 (‘EUDPR’) applies. Nevertheless, this decision will have an impact on the day-to-day application of the General Data Protection Regulation, (EU) 2016/679, (‘GDPR’).

The EUDPR and the GDPR are almost identical in terms of their substantive requirements. With regard to key terms and principles, the provisions are also identical to those of the previous Data Protection Directive, (EU) 94/46, ('DPD'). In this respect, the ECJ's position is obvious, namely that consistent application and interpretation of the law must be ensured.

For example, para. 52 of the judgment states: “In order to ensure uniform and consistent application of EU law, it is therefore necessary to ensure that Article 3(1) of Regulation 2018/1725, Article 4(1) of the GDPR and Article 2(a) of Directive 95/46 are interpreted in the same way […]” (ECJ, C-413/23 P)

This principle is and can therefore also be applied in the other direction: insofar as the (interpretation of) the EUDPR is specified by case law and supervisory authority decisions, this can and must also be used to interpret the corresponding provisions of the GDPR in accordance with the ECJ.

In principle, the SRB v EDPS proceedings could have been settled quickly. As a result of processing a handful of complaints, the EDPS's conclusion and action remained only a formal warning to the SRB regarding an incorrect privacy statement during a formal hearing procedure conducted by the SRB. The EDPS criticised the fact that the SRB's privacy statement did not mention the transfer of certain information to an external service provider.

Noteworthy: Although the SRB's hearing procedure involved more than 3,500 parties, the EDPS expressly did not criticise

• the transfer of information to an external service provider as such. 
• other formal errors, such as missing contractual agreements or other insufficient technical and organisational measures in handling the information concerned.

In this respect, the outcome of the EDPS's first decision was extremely positive (Decisions of the EDPS). A formal reprimand is the mildest sanction in the event of an established infringement, Art. 58.2 lit. b) EUDPR.

Subsequently, the EDPS even softened the decision after the SRB requested a review (Decisions of the EDPS). Ultimately, the violation was established (without an explicit warning or reprimand), remedial measures pursuant to Art. 58.2 EUDPR were expressly waived, and it was merely “recommended” that the privacy statement be reworded in the future.

The SRB's submission in the respective appeals shifted the focus to very fundamental questions. From the SRB's point of view, there could be no violation of the transparency requirement, as the SRB considered that no personal data had been transferred to the recipient. 

In other words, from the SRB's point of view, the focus shifted to the question of identifiability. Precisely, under data protection law, is there any obligation to be transparent about the transfer and processing of information if this information is irrelevant to the recipient under data protection law? 

The SRB took the view that such an obligation would be contrary to the system. In order to assess whether the data is relevant to the recipient under data protection law, the SRB considered it necessary to to take due notice of cases where pseudonymisation has been designed in a sufficiently complex manner from a technical and organisational point of view so that identifiability can be ruled out for the recipient. The fact that such a contextualised and dynamic approach is possible is a consequence of the recognised relativity of personal data ("relativer Personenbezug").

This put the SRB in conflict with the EDPS, but at the same time, the SRB's interpretation was well within the acceptable range. Ultimately, the General Court concluded in favour of the SRB, agreeing that identifiability depended on the recipient's perspective and that the EDPS had not conducted a sufficient analysis of the facts (EGC T-557/20, para. 100 et seq.). The ECJ has now had the final say on the matter. The consequences must be examined.

The comprehensive and specific facts of the case can be found in the respective decisions and relevant documents of the proceedings themselves (see above Section 1). At the same time, key elements are necessary in order to understand the reasoning and perspective in the individual sections. The following are the essential aspects of the proceedings: 

In accordance with competences and procedures provided by the SRM, the SRB decided to resolve a bank. The resolution was to be carried out in accordance with Articles 21 and 24 of the SRM Regulation. The resolution procedure was approved by the European Commission on the same day. Specifically, this meant that the capital instruments of the bank to be resolved ('the bank to be resolved') were written down or transferred to a defined acquiring bank (group of banks) ('the acquiring bank') (in accordance with Art. 20 para. 16 et seq.).

In accordance with the provisions of the SRM Regulation, it was necessary to determine whether the chosen resolution procedure would potentially disadvantage the shareholders and creditors of the bank to be resolved. To this end, an external auditing and consulting firm ('ACF') was commissioned to assess and evaluate the consequences of applying the regular insolvency procedure. 

After receiving the ACF's expert assessment, the SRB conducted a hearing procedure. The SRB published its preliminary decision ('SRB draft') on whether shareholders or creditors would be entitled to compensation. The hearing proceeded in two phases: 

1. Identification of potential claimants ('parties involved') by submitting key data, essentially proof of identity and ownership, and
2. Identification of the specific submissions of the interested parties using a guided, web-based questionnaire, statistical and content analysis of the submissions and determination of any impact on the SRB draft. 

In phase 2, neither explicit nor implicit information that directly identified the parties involved was required from the parties involved. 

Identification data from phase 1 was linked to the submissions from phase 2 using an alphanumeric code, although the respective data sets were processed completely separately from each other. This link was necessary to prove that the consultation process had been conducted properly. This applies in particular to the defence against the accusation that the rights of individual participants had not been sufficiently protected due to the failure to take individual submissions into account. 

The SRB itself evaluated the submissions of the parties involved with regard to the SRB draft. However, the SRB forwarded to the ACF the relevant excerpts from the submissions of the parties involved that could potentially influence the underlying expert assessment as such. The files do not reveal whether the SRB anticipated or could have anticipated such submissions in the context of the submissions. However, the five individual complaints concerned precisely this transmission of information relevant to the expert assessment to the ACF as the expert, on the basis of which the EDPS took action.

The SRB's privacy statement at issue (see above Section 1) made no explicit statement regarding this transfer. The most important passages at issue concern the listing of (categories of) recipients and the possible publication of personal data or submissions. 

The recipients and/or categories of recipients are:

• SRB’s Resolution Unit in charge of resolution planning for Banco Popular Español S.A.;
• SRB’s legal department;
• Other staff employed by the SRB and dedicated to the verification process of the right to be heard procedure; and
• EU Survey Support Staff

As well as 

Your personal data within the meaning of the Regulation will not be subject to any publication. However, the personal views and comments you may provide during the hearing procedure might be subject to publication in an anonymised and, as the case may be, aggregated format. The latter will be subject to inclusion in the motivation of the final SRB decision to be taken after the hearing procedure. 

The complainants learned of the transfer of the submission to the ACF from a report by the European Ombudsman. The complainants were of the opinion that the SRB's privacy statement did not communicate such a transfer in a sufficiently transparent manner.

EDPS's decisions show that the complainants' motivation was not exclusively related to data protection law. The EDPS's decisions also show that the underlying facts of the case were more complicated. However, these facts were divided up on the basis of competences and limited to the present proceedings. Specifically, it was criticised by the complainants that 

• the information was not only disclosed to the ACF, but, in the opinion of the complainants, was also unlawfully transferred to or between the banks, resulting in unlawful processing by the banks.
  • Whether and to what extent this initially required the SRB to transfer information to one of the banks, or whether this only concerns information that the banks themselves had already processed, cannot be determined from the files.
• the acquiring bank was consulted as part of the hearing procedure. 
  • The files do not indicate whether the SRB forwarded the submissions of the parties involved to the acquiring bank. In any case, this transmission was not relevant to the proceedings.
• the ACF and the acquiring bank could become potential opponents in future proceedings concerning any compensation claims by the parties involved, and the (partial) transmission of the submissions therefore was contrary to the principles of fair proceedings, as it gave the opponents inadmissible knowledge of any litigation strategies of the parties involved.

Despite these additional facts, the EDPS limited its proceedings solely to the transfer of data to ACF and, within this context, to possible violations of the transparency requirement.

ECJ’S judgment in SRB v EDPS will have significant impact on fundamental core aspects of the GDPR. It requires in depth-analysis if the ECJ continued its line of interpretation or whether the ECJ broke with previous judgments. 

For example, the judgment raises concerns whether the relativity of personal data still applies. GDPR defines personal data as both, any information regarding identified and identifiable natural persons. It is the concept of identifiability which might prevent undermining data protection on the one hand, but on the other may provide sufficient leeway to remain practically reasonable in everyday processing scenarios. Further analysis seems due to evaluate the practical impacts.

Against this vein it shall be noted that the judgment confirmed the relativity of personal data and concluded explicitly that pseudonymous data that qualify as personal data for one controller, does not automatically qualify as personal data to every recipient of such data in every scenario. In other words: pseudonymous data that is being transferred to a third party may also qualify as anonymous data. The assessment must be made on a case-by-case approach.

Despite the elements of legal interpretation, the proceedings in SRB v EDPS also highlight procedural challenges under GDPR. The original complaints were more complex than what the EDPS made subject to its proceedings. The EPDS is not to blame, as this appears a mandatory consequence under the current legal framework and related competencies. It shall be noted, though, that splitting up a comprehensive and coherent real life scenario in several proceedings for various sub-scenarios may result in inconsistent and incoherent findings. Each proceedings may be consistent within itself, yet the moment the conclusions of all proceedings will be reconnected, there is no guarantee that all puzzle pieces will fit. Each proceeding, authority and court has – within it competencies – original powers to weigh the given facts individually. By splitting up a comprehensive scenario, sub-proceedings may be forced to ignore or at best give limited regards to related facts.

The proceedings also give insights on potential abuse of data subject rights respectively on potential to further align individuals’ rights across different legal contexts. It is apparent from the proceedings that the primary concern of the complainants was about probable breach of the fundamental principle of fair proceedings. They were concerned that adversaries in court proceedings which took place in parallel may have had undue access to information to defend themselves in such court proceedings. While undoubtedly processing of personal data was at the core of SRB v EDPS, a feeling of unease remains. Shall it be a matter of data protection laws such as GDPR/EUDPR to affect procedural safeguards at court or shall it be rather a matter of such procedural laws to provide sufficient safeguards. While the first would affect any processing, the latter would allow for a contextualised and nuanced balancing of interests.

There is rumours that European data protection laws will be updated. Probably such updates will take note of SRB v EDPS.