On August 6, 2018, the GAR published on its website the preliminary decision on whether to grant compensation to shareholders and creditors. It also announced the procedure to be heard. The right to be heard is a fundamental right provided by EU law for persons affected by an individual measure taken by an EU body. In this particular proceeding, a two-stage process was initiated. The first stage, called the "registration phase," involved the registration of interested shareholders and creditors through an online form, where they could provide supporting documentation. The second stage, called the "consultation phase," allowed verified shareholders and creditors to submit written comments on the preliminary resolution and the attached assessment.

At the beginning of the registration phase, the GAR published a privacy statement on the registration website for the hearing process outlining the processing of personal data as part of the process. During the registration phase, only certain GAR staff had access to the data collected to assess the suitability of participants. These data were not visible to the GAR staff responsible for processing the comments received during the consultation phase. These staff received only comments identified by an alphanumeric code associated with each individual comment based on the submitted form.

After the comments were aggregated, automatically filtered and categorized, the GAR forwarded the comments on the conducted review to Deloitte. Only comments received during the consultation phase and provided with an alphanumeric code were provided to Deloitte. This code allowed only the GAR to link the comments to the data collected during the registration phase. Deloitte did not have access to the database of data collected during the registration phase.

Five complaints were filed with the EDPS, in which the complainants alleged that the GAR violated the privacy notice by transmitting data to Deloitte without their knowledge (2). Following a review request, the EDPS concluded that the GAR had indeed violated Regulation 2018/1725 (3). In response, the GAR appealed to the General Court of the European Union, seeking the annulment of the EDPS' revised decision. The General Court granted GAR's appeal and annulled the revised EDPS decision.

In this judgment, the Court further clarified the concept of personal data. To be considered personal data, two cumulative conditions must be met: first, the information must relate to a natural person, and second, that natural person must be "identified or identifiable." The General Court found that the EDPS did not examine thoroughly enough whether the information provided to Deloitte was in fact personal data. The General Court noted that the concept of personal data has a broad scope and is not limited to sensitive or personal information, but potentially extends to any kind of information, including objective and subjective information such as opinions and assessments, provided that it relates to the individual concerned.

The opinion of the EDPS that the written comments of the complainants during the consultation phase reflected their opinions or views and therefore had to be classified as personal data cannot be based on presumptions, but must be based on an investigation aimed at determining whether a viewpoint, in view of its content, purpose or effect, is affiliated to a particular person. Since the EDPS did not conduct such an inquiry, it could not be concluded that the information provided to Deloitte was personal data.

Second, the Court addressed whether the information provided to Deloitte related to an "identified or identifiable" natural person.
The Court noted that it was not disputed that the alphanumeric code, by itself, did not permit identification of the authors of the comments. Moreover, Deloitte did not have access to the identifying information received during the registration phase that would allow participants to be linked to their comments by means of the code. Although the EDPS argues that the additional information, consisting of the alphanumeric code and the identification database, was necessary to identify the authors of the comments, it is clear from the Breyer ruling that it is up to Deloitte to assess whether the information provided to it relates to "identifiable individuals." Thus, the EDPS's task was to examine whether Deloitte had reasonably available means to identify the authors of the comments. Since the EDPS did not examine whether Deloitte had such resources and whether it could reasonably access the additional information, the EDPS could not conclude that the information provided to Deloitte concerned data about an "identifiable natural person" under Article 3(1) of Regulation 2018/1725. The Court therefore set aside the EDPS's revised decision.

This judgment of the Court emphasizes the need for the EDPS to carefully and thoroughly examine whether information should be considered personal data, especially when it comes to the question whether the information relates to a particular individual and whether this individual is identifiable. The Court emphasizes the obligation to look not (only) at the perspective of the data controller, but also at the perspective of the recipient of the information, in order to determine whether the information concerns data about an identifiable person. This ruling provides important guidance for the interpretation and application of data protection rules relating to personal data in the European Union.

Main conclusions:

Roughly speaking, the judgment gives rise to two important observations. First, the Court held that in order to determine whether pseudonymized information transferred to a data recipient constitutes personal data, the perspective of the data recipient must be considered. It is not sufficient that the data recipient has the means to re-identify data subjects; the data recipient must also have additional information that allows it to re-identify data subjects and have legal means to access such information. If the data recipient does not have these capabilities, the information transferred may be considered anonymized to the recipient and thus not personal data. Second, the Court has ruled that personal views or opinions should not automatically be considered personal data. An assessment based on the specific circumstances is required to determine whether a view is linked to a particular person by its content, purpose or effect. This means that not all personal views or opinions should be treated as personal data, but that an analysis must take place to determine whether there is a direct link to an individual.

Analysis

To determine whether a natural person is identifiable, according to recital 26 of the GDPR (AVG), all means that could reasonably be used by the controller or by another person to identify the person directly or indirectly should be taken into account. Under the absolute approach, data is considered identifiable when a party, be it the controller or any unknown third party, is able to identify the data subject. Under this approach, data are more quickly qualified as personal data. The relative approach considers the means reasonably available to the data controller as legally relevant, keeping open the possibility that the data was first requested from a third party.

In the Breyer judgment, the Court did not explicitly choose between the absolute and relative approaches. According to the Court, a dynamic IP address is considered personal data for a website owner, provided that it has legal means to access identifying data from the Internet service provider (ISP). This was particularly true in situations where the German government was involved in cyber attacks. It can be inferred that the Court, without specifically referring to the relative approach, gives value to the question of who has access to additional information and can thus identify the data subject. However, it is important to assess whether it is reasonably possible to link a dynamic IP address to additional information held by the ISP in order to identify the individual in question. Advocate General Sánchez-Bordona, in paragraph 68 of his Opinion on the Breyer Judgment, had noted that this is not the case when the identification of the data subject is prohibited by law or impracticable. This may be the case, for example, when the time, cost and effort required are excessive, making the risk of identification seem negligible in reality. In doing so, the Advocate General also seems to lean toward the relative approach.

The difference between this ruling and the Breyer ruling lies solely in the contextual circumstances. In short, the issue is whether or not there is legitimate, lawful access to a reference dataset containing additional information. In the Breyer ruling, the perspective of the website owner was decisive in determining whether the IP address was considered personal data. In the Breyer case, the German government had legitimate access to identifiers linked to IP addresses for cybersecurity investigations. By contrast, in the current case, Deloitte did not have legitimate access to identifiers linked to processed content.

In this case, however, the EDPS and the General Court have reached different conclusions regarding the use of the Breyer criteria. The General Court considered that the perspective of the recipient should always be considered when assessing the irreversibility of pseudonymization. In contrast, the EDPS argued that the data were personal data for the sender because pseudonymization was reversible from the sender's perspective.

The importance of a contextual approach, taking into account the perspective of the recipient when assessing personal data, is also evidenced by the recent considerations of Advocate General Sánchez-Bordona in his Opinion of May 4, 2023 (4). Here, the Advocate General addresses the issue of whether a vehicle identification number (VIN) should be considered personal data. Contrary to several data protection authorities, such as the Bavarian Data Protection Authority for the private sector and the Data Protection Authority of North Rhine-Westphalia in Germany, the Advocate General is of the opinion that the VIN cannot simply be considered personal data. The Advocate General considers that whether information qualifies as personal data depends on the perspective from which it is viewed, as well as the means of identification that can reasonably be employed by a given actor. It is therefore essential to examine the different means that can reasonably be employed by different actors for identification purposes. For example, public authorities will typically have more means at their disposal to identify a person than a commercial enterprise. Although the Tribunal has yet to decide this case, we are confident that, given its previous case law on similar issues, the Tribunal will support the Advocate General's findings.

Incidentally, it is important to note that in this ruling, the General Court did not conclude that the written comments were anonymized. The Court only concluded that the EDPS had not examined the content of the comments before considering them as personal data. GAR argued that the written comments contained factual and legal information that was unrelated to the person or his personal characteristics, and was not related to the complainant's private life, and that the written comments, when linked to codes, should therefore not be considered personal data. However, the Court did not consider this specific argument, but used the reasoning in the Nowak case and held that opinions or views should not automatically be considered personal data. This assessment must be based on an examination of whether a comment, by its content, purpose or effect, is linked to a particular individual. In this case, the EDPS could not conclude that the data were personal data because the content of the comments had not been examined.

In May 2022, in a ruling, the Tribunal concluded that the content of a press release that included comments about a suspect had been anonymized (5). The press release stated that a female Greek academic was suspected of fraudulently claiming €245,525.43 in personal expenses. In her claim for damages against the EU before the General Court, she argued that a reader of the press release could identify several characteristics of her from the information it contained, such as the fact that she was a Greek woman, the amount of funding and the fact that her father worked at the same university. However, the Tribunal found that there was no personal data in the press release because the applicant was not identified and was not identifiable by reasonably foreseeable means. The Tribunal used an "average reader" assessment to determine whether the applicant was identifiable.

These rulings highlight the importance of carefully analyzing the context and content of data in determining their status as personal data and thus the substantive applicability of the GDPR. It is essential to strike a balance between data protection and the free flow of information. Although case law is gradually developing, it is clear that European courts are adhering to a contextual, relative approach when assessing the legal status of data and personal data, taking into account the perspective of the recipient and the risk of re-identification.

(1) As regulated by Article 20, paragraphs 16 to 18 of Regulation No. 806/2014.

(2) The decision relates to Regulation 2018/1725, the equivalent of the GDPR for EU institutions, but the concepts and relevant data protection requirements are the same. Specifically with respect to the GDPR, the Court of Justice itself will revisit this issue in Case C-604/22.

(3) The decision relates to Regulation 2018/1725, the equivalent of the GDPR for EU institutions, but the concepts and relevant data protection requirements are the same. Specifically with respect to the GDPR, the General Court itself will revisit this issue in Case C-604/22.

(4) See: ECLI:EU:C:2023:385 (Gesamtverband Autoteile-Handel e.V. v Scania CV AB) (C-319/22)

(5) See: ECLI:EU:T:2022:273 (T-384/20)