I. Introduction
On 6 February 2025, Advocate Basic (AG) Spielmann issued his Opinion on the continued enchantment in EDPS v. SRB (C- 413/23 P). Whereas the case itself delves into problems with pseudonymisation, a focal point lies in how this Opinion, removed from departing from precedent, truly entrenches how the CJEU has proceeded to view “private information” as an entirely relative idea.
On this regard, this put up builds upon the Opinion of the AG, in an effort in direction of understanding whether or not the idea of relative private information is doctrinally sound and in line with the wording of the Basic Information Safety Regulation (GDPR). I might argue that viewing private information as relative, whereas being seemingly pragmatic and life like, stems from a conceptual inconsistency relationship again to the judgment of the CJEU in Breyer (C-582/14).
II. EDPS v. SRB: Background
The temporary details are as follows: the Single Decision Board (SRB) adopted a decision scheme in favour of a agency, and entrusted Deloitte with the duty of analysing information referring to feedback acquired from individuals throughout a session. Whereas passing on the knowledge to Deloitte, SRB filtered, collated and aggregated the knowledge and added an alphanumeric code, in order that SRB might afterward hyperlink the information with the person individuals. Deloitte, on its half, was not supplied with the identifiers and was not able to hyperlink the information factors acquired from SRB with the person individuals.
The European Information Safety Supervisor (EDPS) however opined that the information handed on to Deloitte, though pseudonymised, constituted private information. In consequence, SRB was held to have infringed the precise of the information topic to be notified of the recipients of her private information on the time of assortment, by not disclosing Deloitte as a recipient of the information topics’ private information in its privateness coverage.
Earlier than the Basic Courtroom, one of many main points revolved round whether or not the information acquired by Deloitte constituted “private information”. The Courtroom held that the EDPS erred in viewing the information solely from the attitude of SRB, in whose arms it was undoubtedly “private information”, however fully ignoring the attitude of Deloitte. In different phrases, whereas the information collected and saved by SRB was “private information”, the information handed on by SRB to Deloitte will not be so. The implication, to generalise past the details, was merely this: the identical information will be “private” within the arms of 1 controller, and never “private” within the arms of one other.
Such a relative understanding has been adopted, albeit with extra nuance, by the AG in his Opinion within the enchantment filed earlier than the CJEU. Within the first place, the AG accepted the truth that the feedback acquired through the session part “associated to” a pure individual, in that they expressed their “logic and reasoning”, and following the dictum in Nowak (C- 434/16) essentially pertained to the “subjective opinion” of the individuals involved (para. 33). In consequence, the information within the arms of SRB was “private information”.
Nevertheless, and fairly importantly, the Opinion doesn’t reply whether or not the pseudonymised information was “private information” within the arms of Deloitte, and whether or not Deloitte must be burdened with the obligations of a controller. As a substitute, the AG deftly factors out that pseudonymisation, though not akin to anonymisation, doesn’t rule out the potential of the pseudonymised information as not being thought-about private information (para. 52). The consequence appears to be the identical as that hinted by the Basic Courtroom: information that’s “private” within the arms of SRB, might not essentially be “private” within the arms of Deloitte. Merely put, the willpower of an information level as being “private” or not can’t be considered objectively primarily based on the character of the information, however would differ from controller to controller.
III. Private Information below the GDPR: Absolute or Relative?
Article 4(1) of the GDPR defines “private information” as “any data referring to an recognized or identifiable pure individual”. Whereas this definition by itself doesn’t decide the query of whether or not private information is an absolute or relative idea, Recital 26 is instructive on this level. As per that Recital, the check of identifiability depends on the query of whether or not an information topic will be recognized by taking into consideration “all of the means fairly probably for use….. both by the controller or by one other individual to establish the pure individual immediately or not directly.” It’s price noting that the phrase “or by one other individual” refers as to if “one other individual” has the means fairly probably for use to establish the pure individual, and never whether or not further data wanted by the controller to establish her is offered within the arms of “one other individual”.
But, in Breyer, the CJEU seemingly conflates the 2. In a sentence that has been broadly cited in subsequent instances, the CJEU interpreted the language within the recital as follows:
“…for data to be handled as ‘private information’………it’s not required that each one the knowledge enabling the identification of the information topic have to be within the arms of 1 individual.” (Breyer, para. 43)
In Breyer, the Courtroom employed such an interpretation to carry that though on-line media service suppliers couldn’t establish people primarily based on dynamic IP addresses, they constituted private information “in relation to that supplier”, since within the case of a cyberattack, the net media service suppliers might method the competent authority and ask for extra data from Web service suppliers for identification (Breyer, paras. 47 and 49). This, in response to the CJEU, constituted “means fairly probably for use” by the net media service supplier to establish a pure individual.
The implications of such an interpretation are far-reaching. In its unique sense, Recital 26 implies that in deciding whether or not any data is private information, one must account for the “means probably fairly for use” for identification by both the controller possessing the knowledge, or by every other individual. In different phrases, if a pure individual is identifiable via “means probably fairly for use” by any individual globally, such data would represent private information. In consequence, an absolute view of private information must be taken.
However, if the dictum in Breyer is accepted, then the knowledge can be private information provided that the controller itself can establish the person, utilizing further data that’s possessed both by itself or by one other individual. This primarily connotes that what’s private information for one controller will not be so for an additional: the notion of what’s private information then turns into relative.
Earlier than Breyer, in its Opinion 05/2014 (p. 9), the Article 29 Working Celebration, utilizing a factual matrix much like the SRB case, had argued that if identifiers are eliminated and handed on to a 3rd get together, the information continues to stay private information. Borgesius (p. 263) additionally accepts that Recital 26, interpreted actually, factors in direction of an absolute interpretation of private information. Nevertheless, commenting on the choice of the Basic Courtroom in SRB, Alexandre Lodie has argued that the relative mannequin has knowledgeable the judicial method since Breyer, presumably in an try to restrict the scope of private information.
This development is obvious within the case regulation of the CJEU. In Scania (C- 319/22), the Courtroom was known as upon to find out whether or not Car Identification Numbers (VIN) represent private information. Within the phrases of the Courtroom, “the place unbiased operators might fairly have at their disposal the means enabling them to hyperlink a VIN to an recognized or identifiable pure individual,…..that VIN constitutes private information for them” (Scania, para. 49).
A harder case arose in IAB Europe (C-604/22). Right here, the CJEU decided {that a} string of letters and characters denoting the consumer’s preferences whereas offering consent on a consent administration platform would represent private information, so long as it might fairly be used along side identifiers like IP addresses for identification. This was even though IAB Europe, which possessed the string, couldn’t mix the string with different identifiers with out “exterior contribution”. On the face of it, this case appears to help the “absolute” or “goal” studying of Recital 26: even when controller X can’t fairly use an information level to establish an individual, it constitutes private information if “every other individual” can fairly use it for identification. Nevertheless, as Alexandre Lodie rightly factors out, the Courtroom chooses a relative method on this case as effectively. Because the Courtroom notes, “the members of IAB Europe are required to supply that organisation, at its request, with all the knowledge permitting it to establish the customers whose information are the topic of a TC String” (IAB Europe, para. 48). In consequence, the information was held to be “private” as a result of IAB Europe itself had the “means probably fairly for use” to establish the information topic, and never that it may very well be “private information” though IAB Europe couldn’t fairly establish the information topic.
Subsequently, it may be mentioned that though Recital 26 factors in direction of an absolute method in direction of decoding private information, case regulation of the CJEU since Breyer has persistently adopted a relative method. What’s worrying, nonetheless, is that this method is rooted in a possible inconsistency by the CJEU in decoding Recital 26 in Breyer, which has been adopted with out query in later instances.
IV. Pragmatism versus Doctrinal Coherence ?
It’s undoubtedly true that burdening an entity that can’t fairly establish a person with the obligations of a controller, could also be excessively onerous. In that sense, the relative interpretation of private information would possibly appear to be a extra pragmatic option to take. The truth is, this was the exact argument adopted by the AG within the Opinion in Breyer: “it will by no means be potential to rule out, with absolute certainty, the likelihood that there is no such thing as a third get together in possession of further information which can be mixed with that data and are, subsequently, able to revealing an individual’s id” (para. 65). In consequence, an expansive interpretation of “private information” would make nearly each entity processing any information as a controller. Additional, as argued by Purtova, the concern that information safety regulation would find yourself turning into the “regulation of all the things”, would possibly develop into a actuality.
Seen critically, nonetheless, there are two factors price making. Firstly, even when an entity does find yourself turning into a controller, its obligations would possibly fluctuate primarily based on whether or not it is ready to establish the information topic. For instance, below Article 11(2) of the GDPR, many of the rights out there to the information topic are extinguished if the controller can reveal that it’s unable to establish the information topic. This provision additional underlines the truth that an entity can course of “private information” and therefore develop into a “controller”, with out it with the ability to establish the information topic. This raises severe questions on whether or not the GDPR tilts in direction of an “absolute” studying of “private information” in any case. Secondly, the dictum in Google Spain (C-131/12) gives a slender window for sure entities to course of “private information” with out being a “controller”. Because the Courtroom notes, engines like google can be categorised as controllers solely
“inasmuch because the exercise of a search engine is subsequently liable to have an effect on considerably, and moreover….the basic rights to privateness and to the safety of private information” (Google Spain, para. 38).
The qualifiers underlined above, if generalised to entities past engines like google, would possibly point out that it’s permissible, for sure entities to course of “private information” with out being labelled as “controllers”, so long as such processing doesn’t “considerably” have an effect on the rights of the information topic.
Even in any other case, I might argue that proscribing the interpretation of “private information” by means of a relative method provides no pragmatic benefits over an absolute method. Allow us to contemplate a hypothetical counterfactual mapped onto the SRB case. Beneath an “absolute” interpretation of private information, the information can be thought-about “private” vis-à-vis Deloitte below all circumstances, as a result of though Deloitte can’t fairly establish the information topic, SRB can accomplish that.
Nevertheless, and fairly surprisingly, we might attain an similar conclusion even when we undertake a relative method that’s in line with Breyer. It’s because, on the details of the SRB case, there’s a risk that attributable to a cyberattack for which Deloitte will not be accountable, the identifiers out there solely with SRB are made public, thus affording Deloitte a possibility to hyperlink them with the information in its possession and establish the people. In consequence, Deloitte would, in all instances, have the “means probably fairly for use” to establish the person, since such identification utilizing publicly out there information by Deloitte is neither “prohibited by regulation” nor wouldn’t it contain “disproportionate effort when it comes to time, value and man-power, in order that the danger of identification seems in actuality to be insignificant” (Breyer, para. 46). Cautious readers might discover that the instance of a cyberattack used on this illustration is a deliberate selection, for the reason that CJEU in Breyer used the exact same instance in figuring out its “means probably fairly for use” check, and maintain that dynamic IP addresses constituted private information vis-à-vis on-line media service suppliers as effectively.
V. Conclusion
On this put up, I argue that the relative method in decoding private information, as exemplified by the Opinion of the AG in SRB, will not be doctrinally coherent. As a substitute, this method flows from a potential inconsistency within the Breyer case. Additional, aside from distinctive instances, there is no such thing as a pragmatic cause for favouring the relative method over an absolute interpretation of “private information”, the latter being extra consistent with the scheme of the GDPR. Even in any other case, if a relative method is certainly discovered appropriate for sensible causes, it’s in all probability wiser to amend the authorized textual content itself reasonably than depend on synthetic interpretational gymnastics to reach at an answer.
Nirmalya Chaudhuri is a authorized researcher primarily based in India. He holds an LLM from the College of Cambridge, which he pursued as a Cambridge Belief Scholar. He could also be reached at [email protected].
