Case C-479/22 P, Case C-604/22 and the limitation of the relative approach of the definition of ‘personal data’ by the ECJ. – European Law Blog – Model Slux

Blogpost 20/2024

On 7 March 2024, the ECJ delivered two important decisions on the extent of the definition of ‘personal data’ under EU data protection law in cases C-479/22 P and C-604/22.

The latter case involves a Belgian non-profit organisation called IAB Europe which designed a tool, a framework called TCF, with the aim of enabling website providers and data brokers to process personal data lawfully (see Paragraph 20).

The preferences that a user selects via a consent management platform (CMP) are subsequently encoded in the TCF string, which is a combination of letters and characters. The CMP places a cookie on the user’s device so that the cookie and the TCF string can be linked to the user’s IP address (see Paragraph 25). The Court was asked whether, in this context, a character string containing the preferences of a web user could be considered personal data in the hands of IAB Europe and whether IAB Europe could be regarded in this situation as a (joint) controller.

The former case, which has already been discussed here, deals with a Greek researcher who was under investigation by the European Anti-Fraud Office (OLAF) for allegations concerning potential financial misconduct following the attribution of funding granted by the European Research Council Executive Agency (ERCEA) to carry out a research project.

OLAF published a press release concerning the ongoing investigation and its outcomes, which led to an identification of the researcher by journalists. The researcher thus brought the matter before the General Court, arguing that OLAF infringed Regulation 2018/1725, which is the regulation on the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data (EUDPR), as well as her right to the presumption of innocence.

In this case – and without digging into too much detail – the General Court in case T-384/20 basically held that the press release could not be seen as personal data since the German journalist who re-identified the researcher was an investigative journalist with particular knowledge in that matter and could not be seen as an “average reader” (“lecteur moyen” in French). The plaintiff appealed this decision, which gave rise to the decision of the ECJ in case C-479/22 P.

In the next two sections we will discuss how these two judgments by the ECJ seem to limit the relative approach of what constitutes personal data, as the Court adopts a definition of the notion of personal data which is more protective for data subjects. Finally, in the last section it is argued that these decisions should not be overinterpreted since they limit the relative approach, without really ruling it out.

Case C-479/22 P and the limitation of the relative approach

As previously mentioned, the plaintiff appealed the General Court’s decision on the ground that the press release did constitute information regarding an identifiable person and that the Court misinterpreted the notion of the “means reasonably likely to be used” to identify a person. In substance the plaintiff challenged the fact that the Court held that the press release was not personal data.

This judgment from the General Court is in line with case SRB v EDPS discussed here (see also Spajic) where the General Court held that even when data could be considered as pseudonymised (and thus personal data according to the EDPS) one had to consider whether the recipient of that data could (reasonably and lawfully) get the additional information needed to re-identify them in order to qualify data as personal. In the negative, data could not be regarded as personal data and thus the right to information would not apply.

Both cases demonstrate a certain trend from the General Court toward a relative approach on what can be considered “personal data” and a weakening of data protection, as it narrowed the extent of the concept of personal data. According to this relative approach, data are not personal or non-personal by nature. Their legal qualification depends on the ability of the organisations who hold them to re-identify them. This approach had been outlined in the ECJ’s well-known Breyer case.

In Case C-479/22 P the ECJ thus had to determine whether the General Court’s judgment was correct in considering that a press release containing information concerning potential fraud committed by a researcher was not personal data, although the said researcher was subsequently re-identified by journalists. From a broader perspective, one of the main challenges of the decision was to consider whether the ECJ would uphold the reasoning of the General Court with regard to the relative approach of the definition of the notion of personal data.

Actually, the ECJ adopted a much more ‘protective’ stance than that of the General Court. Indeed, it recalled that, for data to be considered personal data, it is not necessary that persons be identified directly from the information contained in the press release. Quite the opposite, additional information must be taken into consideration as well (see Paragraph 53).

From this background, the ECJ concluded that it is inherent in the ‘indirect identification’ of a person that additional information must be combined with the data at issue for the purposes of identifying the person concerned. It also follows that the fact that that additional information comes from a person or source other than that of the controller of the data in question in no way rules out the identifiable nature of a person (Paragraph 55, emphasis added).

This statement is paramount to understand how the Court limits the scope of the relative approach. Here, the Court considers that no matter who holds the additional information necessary to re-identify a data subject, as far as such information exists, data must be considered as personal.

This is why, in the same line of thought, the Court also underlines that “Regulation 2018/1725 does not lay down any conditions as regards the persons capable of identifying the person to whom an item of information is linked, since recital 16 of that regulation refers not only to the controller but also to ‘another person’” (Paragraph 56).

This marks a big difference vis-à-vis the dictum of the General Court, not only in this case, but also in the SRB v. EDPS case where the Court held that the assessment of the possibility to re-identify data had to be carried out from the data recipient’s perspective and not in an abstract and absolute fashion.

In the present case, the logic of the Court is essentially that despite the investigative journalists having personal (and particular) knowledge that an “average reader” does not have, data must still be considered personal as the means deployed to re-identify the researcher were not unreasonably likely to be used.

This decision must be read in relation with another decision released the very same day by the ECJ, in the case concerning IAB Europe.

Case C‑604/22: Towards a more objective approach of the notion of personal data?

This case mainly deals with the issue of whether IAB Europe – in that it provides its members with a framework enabling them to comply with the GDPR – could be considered a (joint) controller. However, before considering this issue, the Court had to decide whether the TCF String, as a combination of letters and characters, could be considered personal data. To do so, the Court had to assess whether the combination of the TCF String with additional data such as IP address could make re-identification possible.

It is worth underlining here that IAB Europe does not have these pieces of information and thus cannot directly combine these data. On this issue, the Court stated that “[i]n so far as associating a string composed of a combination of letters and characters, such as the TC String, with additional data, inter alia with the IP address of a user’s device or with other identifiers, allows that user to be identified, it must be considered that the TC String contains information concerning an identifiable user and therefore constitutes personal data […] That interpretation cannot be called into question by the mere fact that IAB Europe cannot itself combine the TC String with the IP address of a user’s device and does not have the possibility of directly accessing the data processed by its members in the context of the TCF” (See paragraphs 45 and 46).

Interestingly, the Court concludes that, although IAB Europe is not in a position to combine the TC String with the IP address and would not have access to data processed by its members, TCF strings still contain personal data and must be treated as such. The Court seems to qualify TCF String as personal data per se, without further consideration as to whether IAB Europe is, in practice, able to re-identify data.

In other words, it could be argued that the Court adopts a more objective view on what constitutes personal data. It must be recalled that in Breyer, the Court stated that it was the ability for an entity to get access to the additional information necessary to the re-identification of data subjects that determined whether said entity processed personal data. Here, conversely, the Court tends to consider that even in the situation where IAB Europe cannot directly access data nor combine them, data remain personal.

Despite this distancing of the ECJ from the General Court, the scope and interest of these two decisions should not be overestimated, as is discussed in the next section.

Why is the relative approach still relevant?

In case C-479/22 P, it is undisputable that the ECJ has taken a step towards a more protective view on what constitutes personal data. As mentioned previously, it held that no matter who gets the additional information needed to re-identify data subjects, data should be considered as personal as long as this information exists.

However, this dictum must not be overstated because it is highly context-dependent. Indeed, at the core of its argumentation the Court provides that “as is apparent from paragraph 66 of the judgment under appeal, the description on the ERCEA website of the 70 or so projects funded by that agency, the host institutions of which were situated in Greece, contained several key elements enabling internet users to find the information sought, such as the name of the project manager or the name of the host institution or even the amount of funding” (Paragraph 62). The Court subsequently held that, with regard to this information, which was publicly available, browsing the description of these 70 projects did not involve a “disproportionate” effort (Paragraph 63).

In other words, the Court still stands for the relative approach, and it only states that re-identification through basic browsing is an example of a reasonable means likely to be used to re-identify data. It cannot be deduced from this decision where the bar between reasonable and unreasonable means should be set. Reasoning in an abstract fashion, one would ask whether the solution would have been the same if the projects described had numbered several thousand. Once again, it shows that the Court’s reasoning still relies on the additional information available, who holds it and who may have access to it. Here, as the area of research was quite narrow (only 70 projects) and given that any web user could have access to the information needed and browse to cross-check information, the Court logically concludes that re-identification does not involve disproportionate effort. Therefore, it should not be interpreted as a reversal of the Court’s doctrine.

Moreover, in case C‑604/22, involving IAB Europe, the Court used the same reasoning it had in Breyer. However, as has been mentioned previously, it seemed to open the door to a more “objective” approach on personal data. This “protective” approach materialises by considering that no matter who holds additional data, if data are re-identifiable through the use of additional information, data must be considered personal data.

Once again, this conclusion should be regarded with caution. Indeed, the Court argues that “it is apparent from the documents before the Court, and in particular from the decision of 2 February 2022, that the members of IAB Europe are required to provide that organisation, at its request, with all the information allowing it to identify the users whose data are the subject of a TC String” (Paragraph 48). The fact that IAB Europe can require additional information from its members seems to be the decisive factor to consider data processed by IAB Europe as personal data. The Court concludes from this background that “[i]t therefore appears, subject to the verifications which are for the referring court to carry out in that regard, that IAB Europe has, […] reasonable means allowing it to identify a particular natural person from a TC String” (Paragraph 49).

This judgment is thus perfectly in line with Breyer. In Breyer the Court considered that there were, under German law, legal channels enabling a web service provider to get additional data from internet service providers to re-identify the data subjects to whom IP addresses belong. Here, IAB Europe can require additional information from its members so that the access to additional information is reasonably likely. It follows that these data are personal in the hands of IAB Europe as the organisation can re-identify them using reasonable efforts.

In both cases, the judgments seem to be data subject-friendly at first glance, and they actually are, as the outcome is that data controllers process personal data and are thus subject to the GDPR. However, it is argued here that these two judgments do not question the definition of personal data nor the relative approach adopted by both the General Court and the ECJ. This relative approach may lead to great legal uncertainty as the concept of personal data does not rely on objective bases but, rather, on the capacity of third parties to re-identify data. Such assessment must be carried out on a case-by-case basis, which may potentially lead to different solutions despite similar facts.

Conclusion

Although the ECJ seems to adopt a more protective view than that of the General Court, it does not fundamentally rule out the relative approach on personal data, which can be problematic, in particular in the case of international transfer of data (see for instance what data protection authorities stated with regard to the use of Google Analytics prior to the adoption of the DPF) or processing of sensitive data, such as health data.

These cases are part of a broader debate on the extent of the definition of the concept of personal data. The forthcoming ECJ’s judgment following the appeal lodged by the EDPS in the SRB v. EDPS case will be without any doubt a milestone to better understand the scope of data protection law within the EU.
