Should “personal data” always be “relative”? · European Law Blog – Cyber Tech
I. Introduction
On 6 February 2025, Advocate General (AG) Spielmann issued his Opinion on the ongoing appeal in EDPS v. SRB (C-413/23 P). While the case itself delves into issues of pseudonymisation, a focal point lies in how this Opinion, far from departing from precedent, actually entrenches how the CJEU has proceeded to view “personal data” as an entirely relative concept.
In this regard, this post builds upon the Opinion of the AG, in an effort towards understanding whether the concept of relative personal data is doctrinally sound and consistent with the wording of the General Data Protection Regulation (GDPR). I would argue that viewing personal data as relative, while being seemingly pragmatic and realistic, stems from a conceptual inconsistency dating back to the judgment of the CJEU in Breyer (C-582/14).
II. EDPS v. SRB: Background
The brief facts are as follows: the Single Resolution Board (SRB) adopted a resolution scheme in favour of a firm, and entrusted Deloitte with the task of analysing data relating to comments received from participants during a consultation. While passing on the data to Deloitte, SRB filtered, collated and aggregated the data and added an alphanumeric code, so that SRB could later on link the data with the individual participants. Deloitte, on its part, was not provided with the identifiers and was not in a position to link the data points received from SRB with the individual participants.
The European Data Protection Supervisor (EDPS) however opined that the data passed on to Deloitte, though pseudonymised, constituted personal data. As a result, SRB was held to have infringed the right of the data subject to be notified of the recipients of her personal data at the time of collection, by not disclosing Deloitte as a recipient of the data subjects’ personal data in its privacy policy.
Before the General Court, one of the major issues revolved around whether the data received by Deloitte constituted “personal data”. The Court held that the EDPS erred in viewing the data only from the perspective of SRB, in whose hands it was undoubtedly “personal data”, but completely ignoring the perspective of Deloitte. In other words, while the data collected and stored by SRB was “personal data”, the data passed on by SRB to Deloitte may not be so. The implication, to generalise beyond the facts, was simply this: the same data can be “personal” in the hands of one controller, and not “personal” in the hands of another.
Such a relative understanding has been adopted, albeit with more nuance, by the AG in his Opinion in the appeal filed before the CJEU. In the first place, the AG accepted the fact that the comments received during the consultation phase “related to” a natural person, in that they expressed their “logic and reasoning”, and following the dictum in Nowak (C-434/16) necessarily pertained to the “subjective opinion” of the persons concerned (para. 33). As a result, the data in the hands of SRB was “personal data”.
However, and quite importantly, the Opinion does not answer whether the pseudonymised data was “personal data” in the hands of Deloitte, and whether Deloitte should be burdened with the responsibilities of a controller. Instead, the AG deftly points out that pseudonymisation, though not akin to anonymisation, does not rule out the possibility of the pseudonymised data as not being considered personal data (para. 52). The result seems to be the same as that hinted by the General Court: data that is “personal” in the hands of SRB, may not necessarily be “personal” in the hands of Deloitte. Simply put, the determination of a data point as being “personal” or not cannot be viewed objectively based on the nature of the data, but would differ from controller to controller.
III. Personal Data under the GDPR: Absolute or Relative?
Article 4(1) of the GDPR defines “personal data” as “any information relating to an identified or identifiable natural person”. While this definition by itself does not determine the question of whether personal data is an absolute or relative concept, Recital 26 is instructive on this point. As per that Recital, the test of identifiability depends on the question of whether a data subject can be identified by taking into account “all the means reasonably likely to be used….. either by the controller or by another person to identify the natural person directly or indirectly.” It is worth noting that the phrase “or by another person” refers to whether “another person” has the means reasonably likely to be used to identify the natural person, and not whether additional information needed by the controller to identify her is available in the hands of “another person”.
Yet, in Breyer, the CJEU seemingly conflates the two. In a sentence that has been widely cited in subsequent cases, the CJEU interpreted the language in the recital as follows:
“…for information to be treated as ‘personal data’………it is not required that all the information enabling the identification of the data subject must be in the hands of one person.” (Breyer, para. 43)
In Breyer, the Court employed such an interpretation to hold that although online media service providers could not identify individuals based on dynamic IP addresses, they constituted personal data “in relation to that provider”, since in the case of a cyberattack, the online media service providers could approach the competent authority and ask for additional information from Internet service providers for identification (Breyer, paras. 47 and 49). This, according to the CJEU, constituted “means reasonably likely to be used” by the online media service provider to identify a natural person.
The implications of such an interpretation are far-reaching. In its original sense, Recital 26 implies that in deciding whether any information is personal data, one needs to account for the “means likely reasonably to be used” for identification by either the controller possessing the information, or by another person. In other words, if a natural person is identifiable by “means likely reasonably to be used” by any person globally, such information would constitute personal data. As a result, an absolute view of personal data needs to be taken.
On the other hand, if the dictum in Breyer is accepted, then the information would be personal data only if the controller itself can identify the individual, using additional information that is possessed either by itself or by another person. This essentially connotes that what is personal data for one controller may not be so for another: the notion of what is personal data then becomes relative.
Before Breyer, in its Opinion 05/2014 (p. 9), the Article 29 Working Party, using a factual matrix similar to the SRB case, had argued that if identifiers are removed and passed on to a third party, the data continues to remain personal data. Borgesius (p. 263) also accepts that Recital 26, interpreted literally, points towards an absolute interpretation of personal data. However, commenting on the decision of the General Court in SRB, Alexandre Lodie has argued that the relative model has informed the judicial approach since Breyer, possibly in an attempt to limit the scope of personal data.
This trend is evident in the case law of the CJEU. In Scania (C-319/22), the Court was called upon to determine whether Vehicle Identification Numbers (VIN) constitute personal data. In the words of the Court, “where independent operators may reasonably have at their disposal the means enabling them to link a VIN to an identified or identifiable natural person,…..that VIN constitutes personal data for them” (Scania, para. 49).
A more difficult case arose in IAB Europe (C-604/22). Here, the CJEU determined that a string of letters and characters denoting the user’s preferences while providing consent on a consent management platform would constitute personal data, as long as it could reasonably be used in conjunction with identifiers like IP addresses for identification. This was despite the fact that IAB Europe, which possessed the string, could not combine the string with other identifiers without “external contribution”. On the face of it, this case seems to support the “absolute” or “objective” reading of Recital 26: even if controller X cannot reasonably use a data point to identify a person, it constitutes personal data if “another person” can reasonably use it for identification. However, as Alexandre Lodie rightly points out, the Court chooses a relative approach in this case as well. As the Court notes, “the members of IAB Europe are required to provide that organisation, at its request, with all the information allowing it to identify the users whose data are the subject of a TC String” (IAB Europe, para. 48). As a result, the data was held to be “personal” because IAB Europe itself had the “means likely reasonably to be used” to identify the data subject, and not that it would be “personal data” even though IAB Europe could not reasonably identify the data subject.
Therefore, it can be said that although Recital 26 points towards an absolute approach towards interpreting personal data, case law of the CJEU since Breyer has consistently adopted a relative approach. What is worrying, however, is that this approach is rooted in a potential inconsistency by the CJEU in interpreting Recital 26 in Breyer, which has been followed without question in later cases.
IV. Pragmatism versus Doctrinal Coherence?
It is undoubtedly true that burdening an entity that cannot reasonably identify an individual with the responsibilities of a controller, may be excessively onerous. In that sense, the relative interpretation of personal data may seem to be a more pragmatic choice to take. In fact, this was the precise argument adopted by the AG in the Opinion in Breyer: “it would never be possible to rule out, with absolute certainty, the possibility that there is no third party in possession of additional data which may be combined with that information and are, therefore, capable of revealing a person’s identity” (para. 65). As a result, an expansive interpretation of “personal data” would make almost every entity processing any data a controller. Further, as argued by Purtova, the fear that data protection law would end up becoming the “law of everything”, may become a reality.
Viewed critically, however, there are two points worth making. Firstly, even if an entity does end up becoming a controller, its responsibilities may differ based on whether it is able to identify the data subject. For example, under Article 11(2) of the GDPR, most of the rights available to the data subject are extinguished if the controller can demonstrate that it is unable to identify the data subject. This provision further underlines the fact that an entity can process “personal data” and hence become a “controller”, without it being able to identify the data subject. This raises serious questions about whether the GDPR tilts towards an “absolute” reading of “personal data” after all. Secondly, the dictum in Google Spain (C-131/12) provides a narrow window for certain entities to process “personal data” without being a “controller”. As the Court notes, search engines would be classified as controllers only
“inasmuch as the activity of a search engine is therefore liable to affect significantly, and additionally….the fundamental rights to privacy and to the protection of personal data” (Google Spain, para. 38).
The qualifiers underlined above, if generalised to entities beyond search engines, could indicate that it is permissible for certain entities to process “personal data” without being labelled as “controllers”, as long as such processing does not “significantly” affect the rights of the data subject.
Even otherwise, I would argue that limiting the interpretation of “personal data” by means of a relative approach offers no pragmatic advantages over an absolute approach. Let us consider a hypothetical counterfactual mapped onto the SRB case. Under an “absolute” interpretation of personal data, the data would be considered “personal” vis-à-vis Deloitte under all circumstances, because although Deloitte cannot reasonably identify the data subject, SRB can do so.
However, and quite surprisingly, we would reach an identical conclusion even if we adopt a relative approach that is consistent with Breyer. This is because, on the facts of the SRB case, there is a possibility that as a result of a cyberattack for which Deloitte is not responsible, the identifiers available only with SRB are made public, thus affording Deloitte an opportunity to link them with the data in its possession and identify the individuals. As a result, Deloitte would, in all cases, have the “means likely reasonably to be used” to identify the individual, since such identification using publicly available data by Deloitte is neither “prohibited by law” nor would it involve “disproportionate effort in terms of time, cost and man-power, so that the risk of identification appears in reality to be insignificant” (Breyer, para. 46). Careful readers may notice that the example of a cyberattack used in this illustration is a deliberate choice, as the CJEU in Breyer used the very same example in determining its “means likely reasonably to be used” test, and held that dynamic IP addresses constituted personal data vis-à-vis online media service providers as well.
V. Conclusion
In this post, I argue that the relative approach in interpreting personal data, as exemplified by the Opinion of the AG in SRB, may not be doctrinally coherent. Instead, this approach flows from a possible inconsistency in the Breyer case. Further, apart from exceptional cases, there is no pragmatic reason for favouring the relative approach over an absolute interpretation of “personal data”, the latter being more in line with the scheme of the GDPR. Even otherwise, if a relative approach is indeed found suitable for practical reasons, it is probably wiser to amend the legal text itself rather than rely on artificial interpretational gymnastics to arrive at a solution.
Nirmalya Chaudhuri is a legal researcher based in India. He holds an LLM from the University of Cambridge, which he pursued as a Cambridge Trust Scholar. He may be reached at [email protected].