GC - T‑384/20 - OC v Commission

From GDPRhub
GC - T‑384/20 OC v Commission
Cjeulogo.png
Court: GC (European Union)
Jurisdiction: European Union
Relevant Law: Article 4(1) GDPR
Article 3(1) Regulation 2018/1725
Decided: 04.05.2022
Published: 04.05.2022
Parties: OC
European Commission
National Case Number/Name: T‑384/20 OC v Commission
European Case Law Identifier: ECLI:EU:T:2022:273
Appeal from:
Appeal to:
Original Language(s): French
Original Source: Curia (in French)
Initial Contributor: n/a

The General Court ruled that a press release did not contain personal data because an 'average reader' would not be able to identify the data subject.

English Summary

Facts

An academic (the complainant) received EU funding for a research project and was discovered to have fraudulently claimed the money in personal expenses. OLAF recommended that the European Research Council Executive Agency (ERCEA) take appropriate measures to recover the sums and initiate proceedings for fraud and use of forgery. Within a year, OLAF issued a press release on the matter labelled No. 13/2020.

The complainant argued that the press release identified her and in doing so OLAF had infringed Regulation (EU) 2018/1725.[1] She agued that using the data contained in the press release, a reader could identify the fact that she was a Greek national woman, the amount of the funding, and the fact that her father worked at the same university. Moreover, a German Journalist had already identified her using the the press release and written an article about her.

For this perceived breach, the complainant requested €1.1 million in damages.

Holding

The General Court held that there was no personal data contained in the press release under Article 3(1) Regulation 2018/1725 (and 4(1) GDPR), because the applicant was not identified, and was not identifiable according to the 'means reasonably likely to be used' (Recital 16 Regulation 2018/1725 and Recital 26 GDPR).

The General Court decided that whether OLAF’s press release contained personal data is tied not only to the ‘means reasonably likely to be used’ to identify the applicant but also by the ‘average or likely reader’ of said press release (para 76). The General Court therefore, disregarded the actual identification of the complainant by the German journalist. It argued that this journalist could not be considered an average reader since he was a professional with wide qualifications and an insider’s perspective due to his information network. Furthermore, the journalist appeared to be a daily reader of OLAF’s publications, which the General Court considered to be unusual (para 80).

Since the General Court ruled that there was no breach, it did not go on to rule on damages.

Comment

This case falls out of line with other CJEU case law about the topic of identifiability. This has been broadly commented upon by academics both here https://europeanlawblog.eu/2022/10/17/t-384-20-oc-v-european-commission-the-general-court-falls-out-of-line-on-personal-data/ and here https://edpl.lexxion.eu/article/EDPL/2022/3/16.

The concept of an ‘average reader’, whilst widely used in consumer law for example, has never been used before by the ECJ in data protection case law. Had the general court arrived to the correct conclusion that the press release did contain personal data, it would have been forced to already answer the question over whether damage can arise soley from an infringement of data protection law (in this case, the possible unlawful disclosure of personal data).

This case is now on appeal, but given the recent judgement of https://gdprhub.eu/index.php?title=CJEU_-_C-300/21_-_%C3%96sterreichische_Post_AG it is unlikely that the claimant will receive damages even if the CJEU overturns the general court's decision. This is because the CJEU held that Article 82(1) GDPR must be interpreted as meaning that a mere ‘infringement’ of the GDPR itself is not sufficient to give rise to the right to compensation.

Further Resources

Share blogs or news articles here!

  1. The Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of individuals with regard to the processing of personal data by the institutions, bodies, offices and agencies of the Union and on the free movement of such data is the version of the GDPR applicable to EU institutions.