Last year, the General Court of the Court of Justice ("General Court") issued a ruling with potentially very significant impact on practice (1). The ruling addresses an issue that has been debated for decades: the scope of the concept of personal data.

The central question is whether data that a party cannot itself trace back to individuals still qualify as personal data for that party. Should this assessment be made from the perspective of the party holding the data, or from a broader perspective? According to the Court, the former applies: whether data qualify as personal data must be assessed from the perspective of the party that holds the data. This is a narrower interpretation than the one adhered to by European privacy regulators, with a potentially significant impact on practice. If certain data are deemed to no longer qualify as personal data, then the GDPR (AVG in Dutch) does not apply to them. What complications does that bring? To map this out properly, this blog first briefly recaps what the case is about and then discusses the impact for practice.
The SRB (Single Resolution Board) is the European authority charged with the orderly resolution of bank failures. After such a process, the SRB assesses whether a normal insolvency process would have been more advantageous for shareholders and creditors. For that assessment, potentially affected shareholders and creditors are allowed to submit comments via a form (2). However, not all of these comments were reviewed by the SRB itself; some were reviewed by a party the SRB had engaged for that purpose: Deloitte. Some of the submissions from potentially affected shareholders and creditors were therefore shared with Deloitte. Each comment was given a unique identifier. However, Deloitte received no information about which code belonged to which potentially affected party. The question that then arises in the case is: are those comments with unique codes personal data for Deloitte? Five of the potentially affected parties argued that they were: they filed a complaint with the relevant privacy regulator, the EDPS. They argued that the SRB had shared their personal data with Deloitte, among others, without informing them in line with the GDPR. According to the EDPS, the SRB had failed on this point. However, the SRB disagreed and asked the General Court to annul the revised EDPS decision (3).
Whether a party can trace data to a natural person can be assessed in several ways. The recitals to the GDPR state that account must be taken of "any means reasonably likely to be used by the controller or by any other person [...]." In practice, the issue often revolves around the last phrase: how should we interpret it? Should any "other person" be taken into account, including, for example, Big Tech parties? That approach is known as the objective doctrine. Or should data held by another person only be taken into account to the extent that the controller is entitled to request it? Here, the perspective of one party is taken for the assessment. We call this the relative doctrine. The Court does not name the objective and relative doctrines as such in this case, but does refer to the Breyer judgment. In that judgment, the Court and the Advocate General do explicitly name them (4).
In the Breyer ruling, the Court applied the so-called relative doctrine: whether a dynamic IP address qualified as personal data was assessed from the perspective of the party who possessed it. However, the so-called objective doctrine was not explicitly rejected. It also mattered less in that case because both routes led to the same conclusion: personal data was involved. In the SRB/EDPS case, however, the Court completely ignores the fact that the objective doctrine could possibly also be applied. The Court applies "by default" the relative doctrine, citing the Breyer ruling. The unique identifier could not be used by Deloitte to find out the identity of the questioner. Therefore, with this new SRB/EDPS case, it seems that the option of applying the objective doctrine has been definitively discarded.
What is the impact of this ruling on negotiations of processor agreements?
Where X shares encrypted data with Y without providing the key, is a processor agreement required, and what is the impact on negotiating it? The data sharing is processing of personal data for X in any case, but not for Y. Should Y then enter into a processor agreement with X? If X is a data controller under the GDPR, X is in breach if no written agreements are made when personal data are shared with a processor. From X's perspective, it is therefore likely to be required to enter into a processor agreement even if it can be argued that the data do not qualify as personal data for Y. For Y, the situation is different.
Since the data are not personal data for Y, the GDPR does not apply to Y. There is then no obligation on Y to enter into a processor agreement. In practice, however, parties usually take a safe approach, also taking into account the position of X. If a processor agreement is concluded in such a situation, there are certain points of attention. It is then advisable to think carefully about the definition of the term personal data and its implications. If the agreement simply refers to the GDPR for this definition, this may create ambiguity. What if the processor then states that, for the processor, the data are not personal data? And that therefore, for example, the obligation to report a data breach to the controller did not apply?
Another reason for organizations not to immediately stop entering into processor agreements is that the EDPS has appealed the General Court's decision (5). In that appeal the EDPS argues, in brief and among other things, that the General Court misinterpreted the concept of personal data.
That said, the EDPS' appeal on this point is unlikely to succeed. On November 9, 2023, the Court held that a vehicle identification number (VIN) is personal data to the extent that the person who has access to the VIN may have means reasonably likely to be used to identify the owner of the vehicle (6). In that case, whether the VIN was personal data was assessed on an entity-by-entity basis. From the position of some recipients, the conclusion was that the VIN was not personal data (7).
Should international transfers be legitimized under Chapter V of the GDPR?
The Court's ruling did not address transfers to a third country outside the EEA. But what if such a transfer is involved? What are the consequences of applying the relative doctrine then? If the importer cannot trace the data back to individuals under the relative doctrine, then the importer does not have to comply with Chapter V of the GDPR. This is different for the exporter, for whom the data do count as personal data. In that case, the exporter will still have to ensure that the requirements for transfer under the GDPR are met. The EDPB recommendations on supplementary measures make clear that even if technical measures are taken so that the importer will not be able to trace the personal data back to individuals, a transfer mechanism is still required (8).
How does one explain the impact of this case internally?
How can this be explained in the workplace? Since the entry into force of the GDPR, many organizations have worked feverishly on compliance. That compliance work has often been done on the basis of the objective doctrine, in line with the guidance documents of the European privacy regulators. However, this General Court ruling provides room to apply the relative doctrine, which can lead to internal discussions. How should organizations deal with this?
If personal data are pseudonymized within the organization, they might be more easily shared with third parties who do not have the key. Since this does not seem to be in line with the guidelines on the subject from European privacy regulators, this does pose risks (9). For enforcement, the objective doctrine can be applied.
For the sake of safety, therefore, most organizations still apply the objective doctrine. This choice is often also inspired by practical considerations: assessment based on the objective doctrine is less complex. If employees raise the relative doctrine on their own initiative, then pointing out the risks and practical disadvantages can steer them back toward the objective doctrine. Since this "catch-all approach" naturally carries disadvantages, there are also organizations that choose the best of both worlds. They use the objective doctrine as a starting point, but deviate from it on a case-by-case basis where the circumstances warrant.
(1) General Court 26 April 2023, T-557/20, ECLI:EU:T:2023:219, cf. V.I. Laan, para. 16.
(2) The SRB offers potentially affected shareholders and creditors the opportunity to be heard. See para. 8 et seq. for a further description of this procedure.
(3) General Court 26 April 2023, T-557/20, ECLI:EU:T:2023:219, para. 33.
(4) CJEU 19 October 2016, C-582/14, ECLI:EU:C:2016:779 (Breyer v. Bundesrepublik Deutschland), para. 25; Opinion of the Advocate General 12 May 2016, C-582/14, ECLI:EU:C:2016:339, para. 53.
(6) CJEU 9 November 2023, C-319/22, ECLI:EU:C:2023:837, para. 48.
(7) CJEU 9 November 2023, C-319/22, ECLI:EU:C:2023:837, para. 49.
(8) EDPB 18 June 2021, Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, p. 28 et seq.
(9) General Court 26 April 2023, T-557/20, ECLI:EU:T:2023:219, cf. V.I. Laan, para. 15; see Article 29 Working Party, Opinion 4/2007 on the concept of personal data (WP 136), adopted 20 June 2007, and Opinion 5/2014 on anonymization techniques (WP 216), adopted 10 April 2014.
