I. Introduction
On 6 February 2025, Advocate Normal (AG) Spielmann issued his Opinion on the continued enchantment in EDPS v. SRB (C- 413/23 P). Whereas the case itself delves into problems with pseudonymisation, a focal point lies in how this Opinion, removed from departing from precedent, truly entrenches how the CJEU has proceeded to view “private information” as an entirely relative idea.
On this regard, this publish builds upon the Opinion of the AG, in an effort in the direction of understanding whether or not the idea of relative private information is doctrinally sound and in step with the wording of the Normal Knowledge Safety Regulation (GDPR). I might argue that viewing private information as relative, whereas being seemingly pragmatic and life like, stems from a conceptual inconsistency courting again to the judgment of the CJEU in Breyer (C-582/14).
II. EDPS v. SRB: Background
The transient info are as follows: the Single Decision Board (SRB) adopted a decision scheme in favour of a agency, and entrusted Deloitte with the duty of analysing information regarding feedback obtained from members throughout a session. Whereas passing on the data to Deloitte, SRB filtered, collated and aggregated the data and added an alphanumeric code, in order that SRB may in a while hyperlink the info with the person members. Deloitte, on its half, was not supplied with the identifiers and was not able to hyperlink the info factors obtained from SRB with the person members.
The European Knowledge Safety Supervisor (EDPS) however opined that the info handed on to Deloitte, though pseudonymised, constituted private information. In consequence, SRB was held to have infringed the fitting of the info topic to be notified of the recipients of her private information on the time of assortment, by not disclosing Deloitte as a recipient of the info topics’ private information in its privateness coverage.
Earlier than the Normal Court docket, one of many major points revolved round whether or not the info obtained by Deloitte constituted “private information”. The Court docket held that the EDPS erred in viewing the info solely from the attitude of SRB, in whose arms it was undoubtedly “private information”, however fully ignoring the attitude of Deloitte. In different phrases, whereas the info collected and saved by SRB was “private information”, the info handed on by SRB to Deloitte will not be so. The implication, to generalise past the info, was merely this: the identical information might be “private” within the arms of 1 controller, and never “private” within the arms of one other.
Such a relative understanding has been adopted, albeit with extra nuance, by the AG in his Opinion within the enchantment filed earlier than the CJEU. Within the first place, the AG accepted the truth that the feedback obtained through the session section “associated to” a pure particular person, in that they expressed their “logic and reasoning”, and following the dictum in Nowak (C- 434/16) essentially pertained to the “subjective opinion” of the individuals involved (para. 33). In consequence, the info within the arms of SRB was “private information”.
Nevertheless, and fairly importantly, the Opinion doesn’t reply whether or not the pseudonymised information was “private information” within the arms of Deloitte, and whether or not Deloitte must be burdened with the duties of a controller. As an alternative, the AG deftly factors out that pseudonymisation, though not akin to anonymisation, doesn’t rule out the potential of the pseudonymised information as not being thought-about private information (para. 52). The consequence appears to be the identical as that hinted by the Normal Court docket: information that’s “private” within the arms of SRB, could not essentially be “private” within the arms of Deloitte. Merely put, the dedication of a knowledge level as being “private” or not can’t be considered objectively based mostly on the character of the info, however would differ from controller to controller.
III. Private Knowledge underneath the GDPR: Absolute or Relative?
Article 4(1) of the GDPR defines “private information” as “any data regarding an recognized or identifiable pure particular person”. Whereas this definition by itself doesn’t decide the query of whether or not private information is an absolute or relative idea, Recital 26 is instructive on this level. As per that Recital, the check of identifiability depends on the query of whether or not a knowledge topic might be recognized by considering “all of the means moderately seemingly for use….. both by the controller or by one other particular person to establish the pure particular person straight or not directly.” It’s price noting that the phrase “or by one other particular person” refers as to whether “one other particular person” has the means moderately seemingly for use to establish the pure particular person, and never whether or not extra data wanted by the controller to establish her is offered within the arms of “one other particular person”.
But, in Breyer, the CJEU seemingly conflates the 2. In a sentence that has been broadly cited in subsequent instances, the CJEU interpreted the language within the recital as follows:
“…for data to be handled as ‘private information’………it’s not required that each one the data enabling the identification of the info topic should be within the arms of 1 particular person.” (Breyer, para. 43)
In Breyer, the Court docket employed such an interpretation to carry that though on-line media service suppliers couldn’t establish people based mostly on dynamic IP addresses, they constituted private information “in relation to that supplier”, since within the case of a cyberattack, the web media service suppliers may strategy the competent authority and ask for extra data from Web service suppliers for identification (Breyer, paras. 47 and 49). This, in keeping with the CJEU, constituted “means moderately seemingly for use” by the web media service supplier to establish a pure particular person.
The implications of such an interpretation are far-reaching. In its unique sense, Recital 26 implies that in deciding whether or not any data is private information, one must account for the “means seemingly moderately for use” for identification by both the controller possessing the data, or by every other particular person. In different phrases, if a pure particular person is identifiable via “means seemingly moderately for use” by any particular person globally, such data would represent private information. In consequence, an absolute view of private information must be taken.
However, if the dictum in Breyer is accepted, then the data could be private information provided that the controller itself can establish the person, utilizing extra data that’s possessed both by itself or by one other particular person. This basically connotes that what’s private information for one controller will not be so for an additional: the notion of what’s private information then turns into relative.
Earlier than Breyer, in its Opinion 05/2014 (p. 9), the Article 29 Working Celebration, utilizing a factual matrix just like the SRB case, had argued that if identifiers are eliminated and handed on to a 3rd occasion, the info continues to stay private information. Borgesius (p. 263) additionally accepts that Recital 26, interpreted actually, factors in the direction of an absolute interpretation of private information. Nevertheless, commenting on the choice of the Normal Court docket in SRB, Alexandre Lodie has argued that the relative mannequin has knowledgeable the judicial strategy since Breyer, presumably in an try to restrict the scope of private information.
This pattern is obvious within the case legislation of the CJEU. In Scania (C- 319/22), the Court docket was referred to as upon to find out whether or not Car Identification Numbers (VIN) represent private information. Within the phrases of the Court docket, “the place unbiased operators could moderately have at their disposal the means enabling them to hyperlink a VIN to an recognized or identifiable pure particular person,…..that VIN constitutes private information for them” (Scania, para. 49).
A harder case arose in IAB Europe (C-604/22). Right here, the CJEU decided {that a} string of letters and characters denoting the consumer’s preferences whereas offering consent on a consent administration platform would represent private information, so long as it may moderately be used along side identifiers like IP addresses for identification. This was even if IAB Europe, which possessed the string, couldn’t mix the string with different identifiers with out “exterior contribution”. On the face of it, this case appears to assist the “absolute” or “goal” studying of Recital 26: even when controller X can’t moderately use a knowledge level to establish an individual, it constitutes private information if “every other particular person” can moderately use it for identification. Nevertheless, as Alexandre Lodie rightly factors out, the Court docket chooses a relative strategy on this case as properly. Because the Court docket notes, “the members of IAB Europe are required to offer that organisation, at its request, with all the data permitting it to establish the customers whose information are the topic of a TC String” (IAB Europe, para. 48). In consequence, the info was held to be “private” as a result of IAB Europe itself had the “means seemingly moderately for use” to establish the info topic, and never that it could possibly be “private information” although IAB Europe couldn’t moderately establish the info topic.
Subsequently, it may be mentioned that though Recital 26 factors in the direction of an absolute strategy in the direction of decoding private information, case legislation of the CJEU since Breyer has persistently adopted a relative strategy. What’s worrying, nevertheless, is that this strategy is rooted in a possible inconsistency by the CJEU in decoding Recital 26 in Breyer, which has been adopted with out query in later instances.
IV. Pragmatism versus Doctrinal Coherence ?
It’s undoubtedly true that burdening an entity that can’t moderately establish a person with the duties of a controller, could also be excessively onerous. In that sense, the relative interpretation of private information would possibly appear to be a extra pragmatic option to take. In actual fact, this was the exact argument adopted by the AG within the Opinion in Breyer: “it might by no means be doable to rule out, with absolute certainty, the chance that there isn’t any third occasion in possession of extra information which can be mixed with that data and are, due to this fact, able to revealing an individual’s id” (para. 65). In consequence, an expansive interpretation of “private information” would make virtually each entity processing any information as a controller. Additional, as argued by Purtova, the worry that information safety legislation would find yourself changing into the “legislation of every little thing”, would possibly turn into a actuality.
Considered critically, nevertheless, there are two factors price making. Firstly, even when an entity does find yourself changing into a controller, its duties would possibly range based mostly on whether or not it is ready to establish the info topic. For instance, underneath Article 11(2) of the GDPR, a lot of the rights out there to the info topic are extinguished if the controller can display that it’s unable to establish the info topic. This provision additional underlines the truth that an entity can course of “private information” and therefore turn into a “controller”, with out it with the ability to establish the info topic. This raises severe questions on whether or not the GDPR tilts in the direction of an “absolute” studying of “private information” in any case. Secondly, the dictum in Google Spain (C-131/12) gives a slender window for sure entities to course of “private information” with out being a “controller”. Because the Court docket notes, engines like google could be categorised as controllers solely
“inasmuch because the exercise of a search engine is due to this fact liable to have an effect on considerably, and moreover….the elemental rights to privateness and to the safety of private information” (Google Spain, para. 38).
The qualifiers underlined above, if generalised to entities past engines like google, would possibly point out that it’s permissible, for sure entities to course of “private information” with out being labelled as “controllers”, so long as such processing doesn’t “considerably” have an effect on the rights of the info topic.
Even in any other case, I might argue that limiting the interpretation of “private information” by the use of a relative strategy provides no pragmatic benefits over an absolute strategy. Allow us to take into account a hypothetical counterfactual mapped onto the SRB case. Underneath an “absolute” interpretation of private information, the info could be thought-about “private” vis-à-vis Deloitte underneath all circumstances, as a result of though Deloitte can’t moderately establish the info topic, SRB can achieve this.
Nevertheless, and fairly surprisingly, we’d attain an equivalent conclusion even when we undertake a relative strategy that’s in step with Breyer. It’s because, on the info of the SRB case, there’s a risk that as a consequence of a cyberattack for which Deloitte shouldn’t be accountable, the identifiers out there solely with SRB are made public, thus affording Deloitte a possibility to hyperlink them with the info in its possession and establish the people. In consequence, Deloitte would, in all instances, have the “means seemingly moderately for use” to establish the person, since such identification utilizing publicly out there information by Deloitte is neither “prohibited by legislation” nor wouldn’t it contain “disproportionate effort by way of time, value and man-power, in order that the chance of identification seems in actuality to be insignificant” (Breyer, para. 46). Cautious readers could discover that the instance of a cyberattack used on this illustration is a deliberate selection, for the reason that CJEU in Breyer used the exact same instance in figuring out its “means seemingly moderately for use” check, and maintain that dynamic IP addresses constituted private information vis-à-vis on-line media service suppliers as properly.
V. Conclusion
On this publish, I argue that the relative strategy in decoding private information, as exemplified by the Opinion of the AG in SRB, will not be doctrinally coherent. As an alternative, this strategy flows from a doable inconsistency within the Breyer case. Additional, other than distinctive instances, there isn’t any pragmatic cause for favouring the relative strategy over an absolute interpretation of “private information”, the latter being extra according to the scheme of the GDPR. Even in any other case, if a relative strategy is certainly discovered appropriate for sensible causes, it’s in all probability wiser to amend the authorized textual content itself moderately than depend on synthetic interpretational gymnastics to reach at an answer.
Nirmalya Chaudhuri is a authorized researcher based mostly in India. He holds an LLM from the College of Cambridge, which he pursued as a Cambridge Belief Scholar. He could also be reached at [email protected].
