Case C-479/22 P, Case C-604/22 and the limitation of the relative strategy of the definition of ‘private knowledge’ by the ECJ. – European Regulation Weblog – Cyber Tech

Blogpost 20/2024

On 7 March 2024, the ECJ launched two essential selections on the extent of the definition of ‘private knowledge’ beneath EU knowledge safety regulation in circumstances C-479/22 P and C-604/22.

The latter case entails a Belgian non-profit organisation referred to as IAB Europe which designed a instrument, a framework referred to as TCF, with the aim of enabling web site suppliers and knowledge brokers to course of private knowledge lawfully (see Paragraph 20).

The preferences {that a} consumer choose through a consent administration platform (CMP) are subsequently encoded within the TCF string which is a mix of letters and characters. The CMP locations a cookie on the consumer’s machine in order that the cookie and the TCF string will be linked to the consumer’s IP handle (see Paragraph 25). The Courtroom was requested whether or not, on this context, a personality string containing the preferences of an online consumer could possibly be thought of private knowledge within the fingers of IAB Europe and whether or not IAB Europe could possibly be regarded on this state of affairs as a (joint) controller.

The previous case, which has already been mentioned right here, offers with a Greek researcher that was beneath investigation by the European Anti-Fraud Workplace (OLAF) for allegations regarding potential monetary misconduct following the attribution of fundings granted by European Analysis Council Govt Company (ERCEA) to hold out a analysis challenge.

OLAF revealed a press launch regarding the ongoing investigation and its outcomes, which led to an identification of the researcher by journalists. The researcher thus seized the Normal Courtroom arguing that OLAF infringed Regulation 2018/1725, which is the regulation on the processing of non-public knowledge by the Union establishments, our bodies, places of work and companies and on the free motion of such knowledge (EUDPR), in addition to her proper to the presumption of innocence.

On this case – and with out digging into an excessive amount of element – the Normal Courtroom in case T-384/20 mainly held that the press launch couldn’t be seen as private knowledge for the reason that German journalist who re-identified the researcher was an investigative journalist with explicit information in that matter and couldn’t be seen as an “common reader” (“lecteur moyen” in French). The plaintiff appealed this determination, which gave rise to the choice of the ECJ in case C-479/22 P

Within the subsequent two sections we’ll focus on how these two judgments by the ECJ appear to restrict the relative strategy of what constitutes private knowledge because the Courtroom adopts a definition of the notion of non-public knowledge which is extra protecting for knowledge topics. Ultimately, within the final part it’s argued that these selections shouldn’t be overinterpreted since they restrict the relative strategy, with out actually ruling it off.

Case C-479/22 P and the limitation of the relative strategy

As beforehand talked about, the plaintiff appealed the Normal Courtroom’s determination on the bottom that the press launch did represent an info relating to an identifiable particular person and that the Courtroom misinterpreted the notion of the “means fairly doubtless for use” to determine an individual. In substance the plaintiff challenged the truth that the Courtroom held that the press launch was not private knowledge.

This judgment from the Normal Courtroom is consistent with  case SRB v EDPS mentioned right here (see additionally Spajic) the place the Normal Courtroom held that though when knowledge could possibly be thought of as pseudonymised (and thus private knowledge in response to the EDPS) one needed to think about whether or not the recipient of that knowledge might (fairly and lawfully) get the extra info wanted to re-identify them with the intention to qualify knowledge as private. Within the damaging, knowledge couldn’t be considered private knowledge and thus the precise to info wouldn’t apply.

Each circumstances display a sure development from the Normal Courtroom towards a relative strategy on what will be thought of “private knowledge” and a weakening of information safety, because it narrowed the extent of the idea of non-public knowledge. In accordance with this relative strategy, knowledge usually are not private or non-personal by nature. Their authorized qualification is dependent upon the flexibility of the organisations who maintain them to re-identify them. This strategy had been outlined in ECJ’s well-known Breyer case.

In Case C-479/22 P the ECJ had thus to find out whether or not, the Normal Courtroom’s judgment was correct in contemplating {that a} press launch containing info regarding potential fraud dedicated by a researcher was not private knowledge, although the stated researcher was subsequently re-identified by journalists. From a broader perspective, one of many foremost challenges of the choice was to contemplate whether or not the ECJ would uphold the reasoning of the Normal Courtroom with regard to the relative strategy of the definition of the notion of non-public knowledge.

Truly, the ECJ adopted a way more ‘protecting’ stance than that of the Normal Courtroom. Certainly, it recalled that, for knowledge to be thought of private knowledge, it’s not essential that individuals be recognized immediately from the data contained within the press launch. Fairly the alternative, extra info should be taken under consideration as nicely (see Paragraph 53).

From this background, the ECJ concluded that “it’s inherent within the ‘oblique identification’ of an individual that extra info should be mixed with the info at challenge for the needs of figuring out the particular person involved. It additionally follows that the truth that that extra info comes from an individual or supply apart from that of the controller of the info in query on no account guidelines out the identifiable nature of an individual“ (Paragraph 55, emphasis added).

This assertion is paramount to know how the Courtroom limits the scope of the relative strategy. Right here, the Courtroom considers that irrespective of who holds the extra info essential to re-identify an information topic, so far as such info exists, knowledge should be thought of as private.

Because of this, in the identical line of thought, the Courtroom additionally underlines that “Regulation 2018/1725 doesn’t lay down any circumstances as regards the individuals able to figuring out the particular person to whom an merchandise of knowledge is linked, since recital 16 of that regulation refers not solely to the controller but additionally to ‘one other particular person’“ (Paragraph 56).

This marks an enormous distinction vis-à-vis the dictum of the Normal Courtroom, not solely on this case, but additionally within the SRB v. EDPS case the place the Courtroom held that the evaluation of the chance to re-identify knowledge needed to be carried out from the info recipient’s perspective and never in an summary and absolute style.

Within the current case, the logic of the Courtroom is actually that regardless of the investigative journalists having private (and explicit) information that an “common reader” doesn’t have, knowledge should nonetheless be thought of private for the reason that means deployed to re-identify the researcher weren’t unreasonably doubtless for use.

This determination should be learn in relation with one other determination launched the exact same day by the ECJ, within the case regarding IAB Europe.

Case C‑604/22: Towards a extra goal strategy of the notion of non-public knowledge?

This case primarily offers with the difficulty of whether or not IAB Europe – in that it offers its members with a framework enabling them to adjust to the GDPR – could possibly be thought of a (joint) controller. Nevertheless, earlier than contemplating this challenge, the Courtroom needed to determine whether or not the TCF String, as a mix of letters and characters, could possibly be thought of private knowledge. To take action, the Courtroom needed to assess whether or not the mix of the TCF String with extra knowledge akin to IP handle might make re-identification doable.

It’s price underlining right here that IAB Europe doesn’t have these items of knowledge and thus can’t immediately mix these knowledge. On this challenge, the Courtroom acknowledged that “[i]n as far as associating a string composed of a mix of letters and characters, such because the TC String, with extra knowledge, inter alia with the IP handle of a consumer’s machine or with different identifiers, permits that consumer to be recognized, it should be thought of that the TC String accommodates info regarding an identifiable consumer and due to this fact constitutes private knowledge […]  That interpretation can’t be referred to as into query by the mere indisputable fact that IAB Europe can’t itself mix the TC String with the IP handle of a consumer’s machine and doesn’t have the potential for immediately accessing the info processed by its members within the context of the TCF” (See paragraphs 45 and 46).

Apparently, the Courtroom concludes that, though IAB Europe shouldn’t be ready to mix the TC String with the IP handle and don’t have entry to knowledge processed by its members, TCF strings nonetheless include private knowledge and should be handled as such. The Courtroom appears to qualify TCF String as private knowledge per se, with out additional consideration as as to if IAB Europe is, in observe, in a position to re-identify knowledge.

In different phrases, it might be argued that the Courtroom adopts a extra goal view on what constitutes private knowledge. It should be recalled that in Breyer, the Courtroom acknowledged that it was the flexibility for an entity to get entry to the extra info essential to the re-identification of information topics that decided whether or not stated entity processed private knowledge. Right here, conversely, the Courtroom tends to contemplate that even within the state of affairs the place IAB Europe can’t immediately entry knowledge nor mix them, knowledge stay private.

Regardless of this distancing of the ECJ from the Normal court docket, the scope and curiosity of those two selections shouldn’t be overestimated, as it’s mentioned within the subsequent part.

Why is the relative strategy nonetheless related?

In case C-479/22 P, it’s undisputable that the ECJ has accomplished a path in direction of a extra protecting view on what constitutes private knowledge. As talked about beforehand, it held that irrespective of who will get the extra info wanted to re-identify knowledge topics, knowledge ought to be thought of as private so long as this info exists.

Nevertheless, this dictum should not be overstated as a result of it is vitally context-dependent. Certainly within the core of its argumentation the Courtroom offers that “as is clear from paragraph 66 of the judgment beneath enchantment, the outline on the ERCEA web site of the 70 or so initiatives funded by that company, the host establishments of which had been situated in Greece, contained a number of key components enabling web customers to search out the data sought, such because the title of the challenge supervisor or the title of the host establishment and even the quantity of funding“ (Paragraph 62). The Courtroom subsenquently held that, with regard to this info, which was publicly out there, looking the outline of those 70 initiatives didn’t contain a “disproportionate” effort (Paragraph 63).

In different phrases, the Courtroom nonetheless stands for the relative strategy, and it solely states that re-identification via fundamental looking is an instance of an inexpensive means doubtless for use to re-identify knowledge. It can’t be deduced from this determination the place the bar between affordable and unreasonable means ought to be set. Reasoning in an summary style, one would ask whether or not the answer would have been the identical if the initiatives described had been a number of 1000’s. As soon as once more, it exhibits that the Courtroom’s reasoning nonetheless depends on the extra info out there, who holds them and who could have entry to them. Right here, as the realm of analysis was fairly slender (solely 70 initiatives) and on condition that any net consumer might have entry to the data wanted and browse to cross-check info, the Courtroom logically concludes that re-identification doesn’t contain disproportionate effort. Due to this fact, it shouldn’t be interpreted as a reversal of the Courtroom’s doctrine.

Moreover, in case C‑604/22, involving IAB Europe, the Courtroom used the identical reasoning it had in Breyer. Nevertheless, because it has been talked about beforehand, it appeared to open the door to a extra “goal“ strategy on private knowledge. This “protecting” strategy materialises by contemplating that irrespective of who holds extra knowledge, if knowledge are re-identifiable via the usage of extra info, knowledge should be thought of private knowledge.

As soon as once more, this conclusion ought to be regarded with warning. Certainly, the Courtroom argues that “it’s obvious from the paperwork earlier than the Courtroom, and specifically from the choice of two February 2022, that the members of IAB Europe are required to supply that organisation, at its request, with all the data permitting it to determine the customers whose knowledge are the topic of a TC String” (Paragraph 48). The truth that IAB Europe can require extra info from its members appears to be the decisive issue to contemplate knowledge processed by IAB Europe as private knowledge. The Courtroom concludes from this background that “[i]t due to this fact seems, topic to the verifications that are for the referring court docket to hold out in that regard, that IAB Europe has, […] affordable means permitting it to determine a specific pure particular person from a TC String” (Paragraph 49).

This judgement is thus completely consistent with Breyer. In Breyer the Courtroom thought of that there have been, beneath German regulation, authorized channels enabling a webservice supplier to get extra knowledge from web service suppliers to re-identify knowledge topics whose IP addresses belong to. Right here, IAB Europe can require extra info from its members in order that the entry to extra info in all fairness doubtless. It outcomes that these knowledge are private within the fingers of IAB Europe for the reason that organisation can re-identify them utilizing affordable efforts.

In each circumstances, the judgments appear to be knowledge subject-friendly at first look, and so they truly are, for the reason that final result is that knowledge controllers course of private knowledge and are thus topic to the GDPR. Nevertheless, it’s argued right here that these two judgments don’t query the definition of non-public knowledge nor the relative strategy adopted by each the Normal Courtroom and the ECJ. This relative strategy could result in nice authorized uncertainty for the reason that idea of non-public knowledge doesn’t depend on goal bases however, reasonably, on the capability of third events to re-identify knowledge. Such evaluation should be carried out on a case-by-case foundation, which may probably result in completely different options regardless of related info.

Conclusion

Though the ECJ appears to undertake a extra protecting view than that of the Normal Courtroom, it doesn’t basically rule out the relative strategy on private knowledge, which will be problematic, specifically within the case of worldwide switch of information (see as an example what knowledge safety authorities acknowledged with regard to the usage of Google Analyticsprior the adoption of the DPF) or processing of delicate knowledge, akin to well being knowledge.

These circumstances are a part of a broader debate on the extent of the definition of the idea of non-public knowledge. The forthcoming ECJ’s judgment following the enchantment lodged by the EDPS within the SRB v. EDPS case shall be with none doubt a milestone to raised perceive the scope of information safety regulation throughout the EU.