EHDS Jurist

Pseudonymization and the GDPR

Pseudonymisation is a term from the GDPR that causes a lot of confusion. Is pseudonymised data personal data, so that the GDPR applies to it, or not? As is so often the case, the answer from lawyers is: it depends. That’s because pseudonymous data is not a category or type of data. Pseudonymisation is only listed in the GDPR as a technique. Article 4(5) states: “‘Pseudonymisation’ is the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.”

Simply put, pseudonymization means replacing “Antoinette Vlieger” with, for example, the number “1973.” The difference from anonymization is that a key or list still exists that allows you to determine that number 1973 is Vlieger. In medical science, you almost always want to pseudonymize rather than anonymize. This allows findings to be relayed back to the treating physician if necessary, and additional information to be requested if it later proves necessary for the research.

But keep in mind that there’s always a difference between everyday language and legalese (like lawyers explaining at parties: this wasn’t murder but manslaughter, while for everyone around them it was murder). In everyday language, pseudonymization is therefore the processing of personal data in such a way that the personal data can no longer be attributed to a specific data subject without the use of additional information. However, the GDPR adds another component: “provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.” It must also be recorded who has (exclusive) access to the key.

Does the GDPR apply to pseudonymous data?

So does the GDPR apply to such data or not? That depends on whether it is “personal data,” and “personal data” is a relative term. The GDPR applies when someone’s privacy is at stake because the data can be traced back to a specific person. If an academic hospital is conducting research on patient number 1973 and itself holds the list indicating that this concerns Vlieger, then that data is personal data for that hospital. If the hospital provides this data (to train an AI tool) to mathematicians who do not have the list, then it is not personal data for those mathematicians; the GDPR does not apply. If the same set of data is given to Statistics Netherlands (CBS), which also does not have the list but can combine the data with its own data so that it becomes clear who the data concerns, then the data is personal data for CBS. And it gets even more complicated: if the mathematicians, for whom the data is not personal data, post the data on a public website where Statistics Netherlands (CBS), for whom the data is personal data, can access it, then once it is made public it is personal data again and the GDPR does apply; this also applies to the mathematicians.

The GDPR therefore applies to personal data, held by specific individuals and in a specific context. Pseudonymous data is sometimes personal data, and sometimes not. You should be equally careful with the concept of anonymous data. Absolutely anonymous data is anonymous to everyone. This is not personal data, and the GDPR does not apply to it. But there is also relatively anonymous data: anonymous to me, but not to Statistics Netherlands (CBS). To avoid confusion, it is better to refer to only absolutely anonymous data as anonymous. The GDPR does not apply to this anyway. However, with regard to relatively anonymous data and pseudonymous data, the applicability of the GDPR must be assessed each time.
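The two points above (the key kept separately with recorded access, and data that a recipient can still attribute by combining it with its own data) are sketched below as an added example, not code from this article. `KeyCustodian`, `pseudonymise`, `singled_out`, the field names and the sample records are hypothetical, and random tokens stand in for the number used in the text.

```python
import secrets
from collections import Counter

# Constructed sample records; names and values are invented for illustration.
RECORDS = [
    {"name": "Person A", "birth_year": 1973, "postcode": "1011", "diagnosis": "asthma"},
    {"name": "Person B", "birth_year": 1973, "postcode": "1011", "diagnosis": "diabetes"},
    {"name": "Person C", "birth_year": 1950, "postcode": "9999", "diagnosis": "asthma"},
]

class KeyCustodian:
    """Keeps the pseudonym-to-identity list apart from the research dataset."""

    def __init__(self, authorised):
        self._key = {}          # pseudonym -> name; never part of an export
        self._issued = {}       # name -> pseudonym, so one person gets one pseudonym
        self.authorised = set(authorised)
        self.access_log = []    # (requester, pseudonym, granted)

    def pseudonym_for(self, name):
        if name not in self._issued:
            pid = secrets.token_hex(4)      # random, so not derivable from the name
            while pid in self._key:
                pid = secrets.token_hex(4)
            self._issued[name], self._key[pid] = pid, name
        return self._issued[name]

    def reidentify(self, requester, pid):
        granted = requester in self.authorised
        self.access_log.append((requester, pid, granted))  # record every attempt
        if not granted:
            raise PermissionError(f"{requester} may not use the key")
        return self._key[pid]

def pseudonymise(records, custodian):
    """Return a copy of the records with the name replaced by a pseudonym."""
    return [{"pid": custodian.pseudonym_for(r["name"]),
             **{k: v for k, v in r.items() if k != "name"}} for r in records]

def singled_out(dataset, attrs):
    """Pseudonyms whose values for attrs occur only once in the dataset.

    A recipient that holds its own data on these attributes could attribute
    such rows to a person without the key, so they need assessing first.
    """
    combos = Counter(tuple(r[a] for a in attrs) for r in dataset)
    return [r["pid"] for r in dataset if combos[tuple(r[a] for a in attrs)] == 1]
```

Running `singled_out` on the export before sharing it shows which rows stay attributable for a recipient with matching data of its own, even though the key never leaves the custodian.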

Is this confirmed in case law?

Many people are eager to know if the European courts have confirmed the above. However, there’s no case law on the concept of pseudonymization itself. While there is case law that does address pseudonymized data, it consistently applies the case law on the concept of “personal data.”

The judgment in SRB/EDPS (CJEU, 26 April 2023, T-557/20, ECLI:EU:T:2023:219) clearly illustrates how the European Court of Justice addresses this issue. The EDPS states that the data the SRB shared with Deloitte were pseudonymized and therefore personal data (paragraph 32). The SRB argues that, for the recipient, Deloitte, the data are not pseudonymous but anonymous, since the SRB did not share with Deloitte the information that could be used to re-identify the data (paragraph 76). It is striking that the judges in the judgment do not address whether the data were pseudonymous or anonymous, but only whether they were personal data. And that is the end of the matter. The case is now on appeal and the Advocate General makes a clear statement on this (6 February 2025, C-413/23P, ECLI:EU:C:2025:59) in recital 52: It is not the case that pseudonymised data are automatically not personal data, because “under certain conditions” they are personal data; but not always.

EDPB Directive 01/2025 on pseudonymisation, of 16 January 2025, similarly states (recital 22): If pseudonymised data and additional information may be combined taking into account the means reasonably used by the controller or by another person, the pseudonymised data constitute personal data.

Is pseudonymization always mandatory?

So, sometimes the GDPR applies to pseudonymous data, sometimes not. But if you haven’t yet pseudonymized your data, is doing so mandatory under the GDPR? The legal answer to that, too, is: sometimes yes, sometimes no. The short answer is: if it’s possible, it must be done (and as quickly as possible), but if it’s not possible, you can still use the data, depending on the circumstances: for a compelling purpose and provided it’s very well secured.
