By Karen Cruyt, 1st December 2023
Is personal data always personal? A key question when thinking about many forms of health data. That is the question that the HALL members tackled in their workshop on the 1st of December, in light of the Court of Justice of the European Union’s recent judgment “Scania” (C-319/22) and two older cases of the General Court, “SRB v. EDPS” and “OC v. European Commission”, which all touch upon the (potentially?) relative notion of personal data.
Whether or not information constitutes personal data goes to the core of data protection law in the EU, as the GDPR only applies to processing of personal data, which is “any information relating to an identified or identifiable natural person” (art. 4(1) GDPR). To determine whether this natural person is indeed identifiable, “account should be taken of all the means reasonably likely to be used … by the controller or by any other person to identify the natural person directly or indirectly” (recital 26 GDPR). This recital further clarifies that all objective factors must be considered, including available technology and technological developments. A delightfully vague provision, so further guidance needs to be sought in case law, in the absence of further guidelines on anonymity by the EDPB.
Case law of national data protection authorities shows a variety of approaches: where some authorities take a risk-based approach, others interpret the above-mentioned recital 26 more strictly and accept less risk, sometimes taking guidance from the Article 29 WP Opinion on Anonymisation Techniques (05/2014, adopted on 10 April 2014). But this document is just that, an opinion, and one that will soon celebrate its tenth anniversary. This is why the recent interpretation of the question by the CJEU in the Scania case was welcomed with open arms by the HALL researchers.
Case C-319/22 (9 November 2023)
Firstly, the facts of this case. Under Regulation 2018/858, vehicle manufacturers – such as Scania – and authorized dealers need to make certain information available to repairers and independent operators, to ensure fair competition on the vehicle repair and maintenance market. Scania provides this information through a website, where searches can be performed using the last seven figures of a vehicle’s unique registration number or its “Vehicle Identification Number” (VIN), which can be found on the vehicle itself. Scania does however not provide this VIN to independent operators, which caused one of their representatives, Gesamtverband Autoteile-Handel, to dispute that Scania fulfilled its information obligations under Regulation 2018/858. In this context, the referring court also questioned whether this information obligation must be interpreted as the imposition of a legal obligation to process personal data, and thereby creating a legal basis under GDPR to disclose these VINs and information linked to them to independent operators.
To answer this question, the Court first examined whether the VIN is personal data under the GDPR, using the test contained in recital 26 GDPR and reminding the Breyer judgment of 2016 which noted that not all information that enables the identification of the data subject needs to be held by the same, single entity. In other words, a VIN is in itself not personal data, but becomes personal data if the person who holds this piece of information can reasonably associate it with a specific natural person. This is the case when that person also has access to the registration certificate of a vehicle, which does not only contain the VIN but also the name and address of the person who is the owner or legal user of that vehicle, if this owner or user is a natural person. Just the fact that this registration certificate which enables the identification of a natural person through the VIN exists is not enough to qualify a VIN as personal data. The person holding this information also needs a non-theoretical way of accessing this certificate – or another way of identifying the potential natural person behind the VIN.
If an independent operator has access to this document, then the VIN is personal data, and Regulation 2018/858 indeed creates a legal obligation to process this personal data, which can in other words happen lawfully on the basis of article 6(1)(c) GDPR. The Court leaves it up to the referring court to decide whether the independent operator does or does not have means to reasonably identify the owner or legal user of the vehicle linked to the VIN. With this case, the CJEU confirms the test to determine the nature of a piece of data and poses that just a theoretical opportunity to identify a data subject does not suffice to qualify information as personal data.
Two cases of the General Court
The two cases of the General Court that were discussed during the workshop did not concern the GDPR, but Regulation 2018/1725, the “EU GDPR” applying specifically to EU institutions and bodies. The definition of personal data is however the same in both the GDPR and the ‘EU GDPR’, which also contains the same recital with the risk-based test to apply to determine whether a piece of information constitutes personal data. This concept was further interpreted by the General Court in two recent cases.
The first case, case T-557/20 of 26 April 2023 (SRB v. EDPS), handled an alleged breach of information obligations to data subjects when transferring their data to a third party. The Single Resolution Board (SRB) had performed a valuation of a bank, Banco Popular Español, after it was placed under resolution, as per Regulation 806/2014, to verify whether creditors and shareholders would have received a better treatment with normal insolvency procedures. This valuation was consequently sent to an independent third party, Deloitte, for assessment. This process also contained a procedure for affected parties to exercise their right to be heard, in two phases. In a first phase, the registration phase, they had to provide documentation to prove that they are indeed affected by this resolution. Those who were deemed to have been affected got a chance to submit comments through an online form during the second phase, the consultation phase. SRB employees who processed the comments of this second phase received them corresponding to an alphanumeric code, without access to the data from the first phase, which had been handled by different SRB employees, or to the key to de-pseudonymise the data.
Comments that related to the valuation were passed on to Deloitte through a secure virtual data server and it is this transfer that gave rise to complaints of five data subjects, and eventually a reprimand of the EDPS. The SRB however argued that, although a key indeed existed, Deloitte had no way of accessing this key without breaking the law, nor was there any other practically feasible way to re-identify the data subjects, meaning that this transfer did not constitute a transfer of personal data. The Court annulled the decision of the EDPS, because the EDPS had failed to investigate the possibility of re-identification from the perspective of Deloitte. With this decision, the Court confirms that these data could be anonymous data from the perspective of Deloitte, even though it was pseudonymized data from the perspective of (some employees of the) SRB. The analysis whether information is pseudonymous or anonymous must depart from the perspective of the data holder.
The last case discussed, T‑384/20 of 4 May 2022 (OC v European Commission), handled a complaint about a press release of the European Anti-Fraud Office (OLAF), where the complainant stated that OLAF had breached data protection laws by publishing information from which she could be identified. As the press release was about a successful fraud investigation, you can imagine you would rather not be identified as the person who defrauded research funds. The press release contained the complainant’s nationality and gender, the fact that she was employed by a Greek university and that her father was also employed there, the entity that had funded the research and the approximate amount of the funding. Going to the website of the funder and filtering by host country, there were 70 potential projects that fit this brief. Someone who is motivated to find out who the fraudster is, would then have to open the project pages to find the funding and the gender of the project leader, which leaves three projects. A quick search on the websites of the three remaining projects quickly reveals about whom the press release is.
To the Court however, this constitutes unreasonable effort for an average reader of the press release, even if her identity was made public by a German journalist that same day, and by Greek journalists a few days later. It held that the complainant could not prove that the press release was the reason she was identified, and that the press release contained no personal data. And although we can appreciate a pragmatic approach, this is maybe taking it a bit too far, as in our eyes any motivated intruder with average computer skills reasonably had all the means necessary available to identify this researcher. But maybe the General Court was not feeling too sorry for the complainant, as the investigation of OLAF had revealed her defrauding funds that should have been used for scientific research?
That is not the end of the story, of course. Both mentioned cases of the General Court have an appeal pending – which is not surprising at all for the latter case. The appeal of the first case will be one to watch, as the EDPS does not agree that they should have evaluated the nature of the data from the perspective of its recipient, thereby adopting a more absolutist stance in the complicated pseudonymous versus anonymous data debate. Both the CJEU and the General Court are however showing a pragmatic, risk-based approach, aligning with the principles outlined in recital 26 of the GDPR, and will hopefully continue to do so in future cases. In the meantime, we are looking forward to guidance from the EDPB, which has the establishment of guidelines on anonymisation and on pseudonymisation on their current work programme.
The ongoing debate between pseudonymous and anonymous data is very much alive, and our approach when tackling the issue in our projects is grounded in pragmatism. We delve into a thorough analysis of the case at hand, considering the most recent developments in both law and technology. A constructive approach that partners can move forward with is more useful than the absolute position that there can be no risk of re-identification whatsoever, because zero risk simply does not exist. However, the decision on how much risk to accept ultimately rests with the partner who is taking the risk – thereby keeping in mind that the primary objective is always to ensure the highest protection of the fundamental rights of data subjects. Striking a balance between innovation and safeguarding privacy is a difficult exercise that we undertake in our analysis so that our project partners can make informed choices, and the decisions that we discussed are helpful for this analysis, as they confirm a risk-based approach to the matter.