CJEU - C‑479/22 P - OC v Commission

From GDPRhub
Revision as of 12:09, 19 October 2024 by ManTechnologist (talk | contribs) (url case number)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
CJEU - C‑479/22 P OC v Commission
Cjeulogo.png
Court: CJEU
Jurisdiction: European Union
Relevant Law: Article 4(1) GDPR
2018/1725
Decided: 07.03.2024
Parties: OC
European Commission
Case Number/Name: C‑479/22 P OC v Commission
European Case Law Identifier: ECLI:EU:C:2024:215
Reference from:
Language: 24 EU Languages
Original Source: Judgement
Initial Contributor: so.h


The CJEU held that the definition of personal data depends on whether the controller has reasonable means to identify the data subject, and not on whether identification is possible for an 'average reader'.

English Summary

Facts

This is an appeal of the earlier case T‑384/20 - OC v European Commission.

The claimant (OC) appealed the general court’s decision on three grounds. That the General Court had legally misinterpreted the definition of personal data and had failed to observe proper administrative procedures when making its judgement (right to a presumption of innocence and the right to good administration under the Charter of Fundamental Rights).

On the concept of personal data, the claimant argued that the general court had legally misinterpreted the concept of an ‘identifiable natural person’. They used two points to make this argument:

1) Identifiability is not tied to whether an “average reader” can identify you. The case law states that identifiability depends on whether an individual holds ‘additional factors...necessary for identification... [these factors] can be available to a person other than the controller’ (see C-582/14 at para 39 and 41). The General Court’s use of an average reader does not analyse the factors that the specific reader in the case holds. Thus, contrary to the case law, it does not test whether a person has the additional factors needed for identification. The General Court’s novel use of this test was therefore erroneous.

2) The General Court had erred in arguing that the ‘means reasonably likely’ to be used to identify a data subject (recital 26 GDPR and recital 16 EUDPR) was limited. Rather, the court should have looked at the costs and time required for the identification of the claimant to determine whether the claimant could be identified using ‘reasonable means’. This would be in line with what recital 25 GDPR actually states.

Holding

The Court held that the General Court had made several errors of law and that the first ground of appeal must be upheld.

First, the Court noted that the EUDPR (Regulation 2018/1725) - the piece of legislation applicable at the case at issue - and the GDPR share the same definition of personal data. Given that the legislator (at recital 4 and 5 of 2018/1725) intended to establish an equivalent law to the GDPR, both regimes must be read in the same way.

Second, identifiability is defined by Article 3(1) 2018/1725 (Article 4(1) GDPR). The use of the word ‘indirectly’ in these Articles means that it is not necessary for information alone to be the factor that identifies someone. It is not required that all the information enabling the identification be in the hand of one person. The fact that additional information is necessary to identify a data subject does not mean that the data cannot be classified a personal.

Third, it is ‘reasonably likely’ that combining OLAF’s press report with additional information would be used as a way to identify the claimant. The General Court had been wrong to limit this ‘reasonable means’ test by confusing it with liability. Article 3(1) 2018/1725 states that only acts attributable to an EU Institution can give rise to liability on part of the European Union. However, the court took this to mean that the identification of the claimant must only have resulted from the press release alone. The Court made clear that liability and identification are separate. The fact that additional information is needed and that it comes from a source other than the controller does not rule out the identifiable nature of the claimant and thus, the personal nature of the data. This is supported by the fact that recital 16 (recital 26 GDPR) makes specific that identification can come from ‘any other person’.

Fourth, the Court rejected the General Court’s invention of an ‘average reader’. The General Court had invented this test and used it for the first time in T‑384/20 - OC v European Commission. The fact that the reader of the press release is a journalist, cannot lead to the conclusion that data is not personal.

Last, the Court looked at the facts of the case and determined that the fact that the press release contained the claimant’s gender, nationality, father’s occupation, grant amount for a scientific project and the geographical location of the entity hosting that project, would together allow the Claimant to be identifiable. Furthermore, the Court applied the ‘reasonable means’ test and determined that identification could occur without a disproportionate effort in terms of time, cost and labour. There is no obligation on the claimant to prove that they had actually been identified by the time of the case as no such condition is contained in Article 3(1) 2018/1725 (Article 4(1) GDPR). It follows that the General Court erred in finding that the claimant was not identifiable and that therefore, the data was not personal.

The court also upheld the second ground of appeal (presumption of innocence) and partially upheld the third ground of appeal (right to good administration). The Court sent the case back to the General Court to be decided again.

Comment

This a potentially landmark case. The Court has gone the furthest since Breyer in scoping out what identifiability means as well as how the test of ‘reasonable means’ (recital 26 GDPR) relates to it.

Further Resources

Share blogs or news articles here!