Should “personal data” always be “relative”? · European Law Blog – Model Slux

I. Introduction

On 6 February 2025, Advocate General (AG) Spielmann issued his Opinion on the ongoing appeal in EDPS v. SRB (C-413/23 P). While the case itself delves into issues of pseudonymisation, a focal point lies in how this Opinion, far from departing from precedent, actually entrenches how the CJEU has proceeded to view “personal data” as a completely relative concept.

In this regard, this post builds upon the Opinion of the AG, in an effort towards understanding whether the concept of relative personal data is doctrinally sound and consistent with the wording of the General Data Protection Regulation (GDPR). I would argue that viewing personal data as relative, while being seemingly pragmatic and realistic, stems from a conceptual inconsistency dating back to the judgment of the CJEU in Breyer (C-582/14).

 

II. EDPS v. SRB: Background

The brief facts are as follows: the Single Resolution Board (SRB) adopted a resolution scheme in favour of a firm, and entrusted Deloitte with the task of analysing data relating to comments received from participants during a consultation. While passing on the information to Deloitte, SRB filtered, collated and aggregated the information and added an alphanumeric code, so that SRB could later link the data with the individual participants. Deloitte, for its part, was not provided with the identifiers and was not able to link the data points received from SRB with the individual participants.

The European Data Protection Supervisor (EDPS) nevertheless opined that the data passed on to Deloitte, although pseudonymised, constituted personal data. Consequently, SRB was held to have infringed the right of the data subject to be notified of the recipients of her personal data at the time of collection, by not disclosing Deloitte as a recipient of the data subjects’ personal data in its privacy policy.

Before the General Court, one of the main issues revolved around whether the data received by Deloitte constituted “personal data”. The Court held that the EDPS erred in viewing the data solely from the perspective of SRB, in whose hands it was undoubtedly “personal data”, but completely ignoring the perspective of Deloitte. In other words, while the data collected and stored by SRB was “personal data”, the data passed on by SRB to Deloitte may not be so. The implication, to generalise beyond the facts, was simply this: the same data can be “personal” in the hands of one controller, and not “personal” in the hands of another.

Such a relative understanding has been adopted, albeit with more nuance, by the AG in his Opinion in the appeal filed before the CJEU. In the first place, the AG accepted the fact that the comments received during the consultation phase “related to” a natural person, in that they expressed their “logic and reasoning”, and following the dictum in Nowak (C-434/16) necessarily pertained to the “subjective opinion” of the persons concerned (para. 33). Consequently, the data in the hands of SRB was “personal data”.

However, and quite importantly, the Opinion does not answer whether the pseudonymised data was “personal data” in the hands of Deloitte, and whether Deloitte must be burdened with the duties of a controller. Instead, the AG deftly points out that pseudonymisation, although not akin to anonymisation, does not rule out the possibility of the pseudonymised data as not being considered personal data (para. 52). The consequence seems to be the same as that hinted at by the General Court: data that is “personal” in the hands of SRB may not necessarily be “personal” in the hands of Deloitte. Simply put, the determination of a data point as being “personal” or not cannot be viewed objectively based on the nature of the data, but would differ from controller to controller.

 

III. Personal Data under the GDPR: Absolute or Relative?

Article 4(1) of the GDPR defines “personal data” as “any information relating to an identified or identifiable natural person”. While this definition by itself does not determine the question of whether personal data is an absolute or relative concept, Recital 26 is instructive on this point. As per that Recital, the test of identifiability depends on the question of whether a data subject can be identified by taking into account “all the means reasonably likely to be used….. either by the controller or by another person to identify the natural person directly or indirectly.” It is worth noting that the phrase “or by another person” refers to whether “another person” has the means reasonably likely to be used to identify the natural person, and not whether additional information needed by the controller to identify her is available in the hands of “another person”.

Yet, in Breyer, the CJEU seemingly conflates the two. In a sentence that has been widely cited in subsequent cases, the CJEU interpreted the language in the recital as follows:

“…for information to be treated as ‘personal data’………it is not required that all the information enabling the identification of the data subject must be in the hands of one person.” (Breyer, para. 43)

In Breyer, the Court employed such an interpretation to hold that although online media service providers could not identify individuals based on dynamic IP addresses, they constituted personal data “in relation to that provider”, since in the case of a cyberattack, the online media service providers could approach the competent authority and ask for additional information from Internet service providers for identification (Breyer, paras. 47 and 49). This, according to the CJEU, constituted “means reasonably likely to be used” by the online media service provider to identify a natural person.

The implications of such an interpretation are far-reaching. In its original sense, Recital 26 implies that in deciding whether any information is personal data, one must account for the “means likely reasonably to be used” for identification by either the controller possessing the information, or by another person. In other words, if a natural person is identifiable by “means likely reasonably to be used” by any person globally, such information would constitute personal data. Consequently, an absolute view of personal data must be taken.

On the other hand, if the dictum in Breyer is accepted, then the information would be personal data only if the controller itself can identify the individual, using additional information that is possessed either by itself or by another person. This essentially connotes that what is personal data for one controller may not be so for another: the notion of what is personal data then becomes relative.

Before Breyer, in its Opinion 05/2014 (p. 9), the Article 29 Working Party, using a factual matrix similar to the SRB case, had argued that if identifiers are removed and passed on to a third party, the data continues to remain personal data. Borgesius (p. 263) also accepts that Recital 26, interpreted literally, points towards an absolute interpretation of personal data. However, commenting on the decision of the General Court in SRB, Alexandre Lodie has argued that the relative model has informed the judicial approach since Breyer, possibly in an attempt to limit the scope of personal data.

This trend is evident in the case law of the CJEU. In Scania (C-319/22), the Court was called upon to determine whether Vehicle Identification Numbers (VIN) constitute personal data. In the words of the Court, “where independent operators may reasonably have at their disposal the means enabling them to link a VIN to an identified or identifiable natural person,…..that VIN constitutes personal data for them” (Scania, para. 49).

A harder case arose in IAB Europe (C-604/22). Here, the CJEU determined that a string of letters and characters denoting the user’s preferences while providing consent on a consent management platform would constitute personal data, so long as it could reasonably be used in conjunction with identifiers like IP addresses for identification. This was despite the fact that IAB Europe, which possessed the string, could not combine the string with other identifiers without “external contribution”. On the face of it, this case seems to support the “absolute” or “objective” reading of Recital 26: even if controller X cannot reasonably use a data point to identify a person, it constitutes personal data if “another person” can reasonably use it for identification. However, as Alexandre Lodie rightly points out, the Court chooses a relative approach in this case as well. As the Court notes, “the members of IAB Europe are required to provide that organisation, at its request, with all the information allowing it to identify the users whose data are the subject of a TC String” (IAB Europe, para. 48). Consequently, the data was held to be “personal” because IAB Europe itself had the “means likely reasonably to be used” to identify the data subject, and not that it could be “personal data” even though IAB Europe could not reasonably identify the data subject.

Therefore, it can be said that although Recital 26 points towards an absolute approach towards interpreting personal data, case law of the CJEU since Breyer has consistently adopted a relative approach. What is worrying, however, is that this approach is rooted in a possible inconsistency by the CJEU in interpreting Recital 26 in Breyer, which has been followed without question in later cases.

 

IV. Pragmatism versus Doctrinal Coherence?

It is undoubtedly true that burdening an entity that cannot reasonably identify an individual with the duties of a controller may be excessively onerous. In that sense, the relative interpretation of personal data might seem to be a more pragmatic choice to take. In fact, this was the precise argument adopted by the AG in the Opinion in Breyer: “it would never be possible to rule out, with absolute certainty, the possibility that there is no third party in possession of additional data which may be combined with that information and are, therefore, capable of revealing a person’s identity” (para. 65). Consequently, an expansive interpretation of “personal data” would make almost every entity processing any data a controller. Further, as argued by Purtova, the fear that data protection law would end up becoming the “law of everything” might become a reality.

Viewed critically, however, there are two points worth making. Firstly, even if an entity does end up becoming a controller, its duties could vary based on whether it is able to identify the data subject. For example, under Article 11(2) of the GDPR, most of the rights available to the data subject are extinguished if the controller can demonstrate that it is unable to identify the data subject. This provision further underlines the fact that an entity can process “personal data” and hence become a “controller”, without it being able to identify the data subject. This raises serious questions about whether the GDPR tilts towards an “absolute” reading of “personal data” after all. Secondly, the dictum in Google Spain (C-131/12) provides a narrow window for certain entities to process “personal data” without being a “controller”. As the Court notes, search engines can be classified as controllers only

“inasmuch as the activity of a search engine is therefore liable to affect significantly, and additionally….the fundamental rights to privacy and to the protection of personal data” (Google Spain, para. 38).

The qualifiers underlined above, if generalised to entities beyond search engines, could indicate that it is permissible for certain entities to process “personal data” without being labelled as “controllers”, so long as such processing does not “significantly” affect the rights of the data subject.

Even otherwise, I would argue that restricting the interpretation of “personal data” by means of a relative approach offers no pragmatic advantages over an absolute approach. Let us consider a hypothetical counterfactual mapped onto the SRB case. Under an “absolute” interpretation of personal data, the data would be considered “personal” vis-à-vis Deloitte under all circumstances, because although Deloitte cannot reasonably identify the data subject, SRB can do so.

However, and quite surprisingly, we would reach an identical conclusion even if we adopt a relative approach that is consistent with Breyer. This is because, on the facts of the SRB case, there is a possibility that due to a cyberattack for which Deloitte is not responsible, the identifiers available only with SRB are made public, thus affording Deloitte an opportunity to link them with the data in its possession and identify the individuals. Consequently, Deloitte would, in all circumstances, have the “means likely reasonably to be used” to identify the individual, since such identification using publicly available data by Deloitte is neither “prohibited by law” nor would it involve “disproportionate effort in terms of time, cost and man-power, so that the risk of identification appears in reality to be insignificant” (Breyer, para. 46). Careful readers may notice that the example of a cyberattack used in this illustration is a deliberate choice, since the CJEU in Breyer used the very same example in determining its “means likely reasonably to be used” test, and held that dynamic IP addresses constituted personal data vis-à-vis online media service providers as well.

V. Conclusion

In this post, I argue that the relative approach in interpreting personal data, as exemplified by the Opinion of the AG in SRB, may not be doctrinally coherent. Instead, this approach flows from a possible inconsistency in the Breyer case. Further, apart from exceptional circumstances, there is no pragmatic reason for favouring the relative approach over an absolute interpretation of “personal data”, the latter being more consistent with the scheme of the GDPR. Even otherwise, if a relative approach is indeed found suitable for practical reasons, it is probably wiser to amend the legal text itself rather than rely on artificial interpretational gymnastics to arrive at a solution.

Nirmalya Chaudhuri is a legal researcher based in India. He holds an LLM from the University of Cambridge, which he pursued as a Cambridge Trust Scholar. He may be reached at [email protected].

 
