CJEU - C‑479/22 P - OC v Commission

From GDPRhub
Revision as of 22:35, 18 March 2024 by So.h (talk | contribs) (Created page with "{{CJEUdecisionBOX |Case_Number_Name=C‑479/2 OC v Commission |ECLI=ECLI:EU:C:2024:215 |Opinion_Link= |Judgement_Link=https://curia.europa.eu/juris/document/document.jsf?text=&docid=283526&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=3322609 |Date_Decided=07.03.2024 |Year=2024 |GDPR_Article_1=Article 4(1) GDPR |GDPR_Article_Link_1=Article 4 GDPR#1 |GDPR_Article_2= |GDPR_Article_Link_2= |GDPR_Article_3= |GDPR_Article_Link_3= |EU_Law_Name_1=2018/1725 |EU_...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
CJEU - C‑479/2 OC v Commission
Cjeulogo.png
Court: CJEU
Jurisdiction: European Union
Relevant Law: Article 4(1) GDPR
2018/1725
Decided: 07.03.2024
Parties: OC
European Commission
Case Number/Name: C‑479/2 OC v Commission
European Case Law Identifier: ECLI:EU:C:2024:215
Reference from:
Language: 24 EU Languages
Original Source: Judgement
Initial Contributor: so.h


The CJEU held that the definition of personal data does not depend on whether an 'average reader' can identify the data subject.

English Summary

Facts

This is an appeal of the earlier case T‑384/20 - OC v European Commission.

The claimant (OC) appealed the general court’s decision on three grounds. That the General Court had legally misinterpreted the definition of personal data and had failed to observe proper administrative procedures when making its judgement (right to a presumption of innocence and the right to good administration under the Charter of Fundamental Rights).

On the concept of personal data, the claimant argued that the general court had legally misinterpreted the concept of an ‘identifiable natural person’. They used two points to make this argument:

1) Identifiability is not tied to whether an “average reader” can identify you. The case law states that identifiability depends on whether an individual holds ‘additional factors...necessary for identification... [these factors] can be available to a person other than the controller’ (see C-582/14 at para 39 and 41). The General Court’s use of an average reader (at para 32) does not analyse the factors that the specific reader in the case holds. Thus, contra the case law, it does not test whether a person has the additional factors needed for identification. The General Court’s novel use of this test is therefore erroneous.

2) The General Court had erred in arguing that the ‘means reasonable likely’ to be used to identify a data subject (recital 26 GDPR and recital 16 EUDPR) was limited to only trivial means. Reasonable does not mean trivial. Rather, the court should have looked at the costs and time required for the identification of the claimant to determine whether the claimant could be identified using ‘reasonable means’. This would be in line with what the recital actually states (at para 33).

The Commission asked for these two points, and subsequently the crux of the first ground, to be declared inadmissible by the court (at para 34).

Holding

The Court held that the General Court had made several errors of law and that the grounds of appeal must be upheld. In doing so, they sent the case back to the General Court to be decided again.

First, the Court noted that the EUDPR (Regulation 2018/1725) and the GDPR share the same definition of personal data. Given that the legislator (at recital 4 and 5 of 2018/1725) intended to establish an equivalent law to the GDPR, both regimes must be read in the same way (at para 43).

Second, identifiability is defined by Article 3(1) 2018/1725 (Article 4(1) GDPR). The use of the word ‘indirectly’ in these Articles means that it is not necessary for information alone to be the factor that identifies someone (at para 47). It is not required that all the information enabling the identification be in the hand of one person (at para 48). The fact that additional information is necessary to identify a data subject does not mean that the data cannot be classified a personal (at para 44).

Third, it is ‘reasonably likely’ that combining OLAF’s press report with additional information would be used as a way to identify the claimant (at para 50). The General Court had been wrong to limit this ‘reasonable means’ test by confusing it with liability. Article 3(1) 2018/1725 states that only acts attributable to an EU Institution can give rise to liability on part of the European Union, it took this to mean that the identification of the claimant must only have resulted from the press release alone (at para 52). On the facts the German journalist who identified the claimant had specialist information and so the General Court ruled that these were not ‘reasonable means’ and that the claimant could not be identified (at para 53). The Court made clear that the liability and identification are separate (at para 54). The fact that additional information is needed and that it comes from a source other than the controller does not rule out the identifiable nature of the claimant (at para 55). This is supported by the fact that recital 16 (recital 26 GDPR) makes specific that identification can come from ‘any other person’.

Fourth, the Court rejected the General Court’s invention of an ‘average reader’. The General Court had invented this test and used it for the first time in T‑384/20 - OC v European Commission. The fact that the reader of the press release is a journalist, cannot lead to the conclusion that data is not personal (at para 58).

Last, the Court looked at the facts of the case and determined that the fact that the press release contained the claimant’s; gender, nationality, father’s occupation, grant amount for a scientific project and the geographical location of the entity hosting that project, would together allow the Claimant to be identifiable (at para 61). Furthermore, the Court applied the ‘reasonable means’ test and determined that identification could occur without a disproportionate effort in terms of time, cost and labour. There is no obligation on the claimant to prove that they had actually been identified by the time of the case as no such condition is contained in Article 3(1) 2018/1725 (Article 4(1) GDPR). It follows that the General Court erred in finding that the claimant was not identifiable and that therefore, the data was not personal.

Comment

This a potentially landmark case. The Court has gone the furthest since Breyer in scoping out what identifiability means as well as how the test of ‘reasonable means’ (recital 26 GDPR) relates to it.

Further Resources

Share blogs or news articles here!