Data Protection
CJEU clarifies edge cases of GDPR
On 7 March 2024, the Court of Justice of the European Union (CJEU) handed down two judgments on data processing, in cases C-479/22 P and C-604/22. The cases clarified what constitutes personal data processing under the General Data Protection Regulation (GDPR), particularly in contexts involving the dissemination of information by public authorities and the management of consent in digital advertising. The second judgment also touched on the responsibilities of entities involved in such processing, defining under what circumstances an entity might be considered a controller or joint controller of personal data.
Case C-479/22 P – OLAF’s press release
Case C-479/22 P concerns an appeal by an individual against the dismissal of their claim for damages for alleged unlawful conduct by the European Anti-Fraud Office (OLAF). The controversy centered on OLAF’s press release related to research funding fraud in Greece, which the appellant claimed had processed her personal data unlawfully and disseminated false information about her. The core legal issue was whether the information disseminated constituted “personal data” within the meaning of EU data protection laws, and whether OLAF’s actions breached the principles underpinning the General Data Protection Regulation (GDPR), including the presumption of innocence and the right to good administration.
The case involved a grant to finance a research project for a Greek university. The grant was approved in 2008 and the project completed in 2013. However, following an ex-post financial audit, the European Research Council Executive Agency (ERCEA), the university’s co-contractor, concluded that staff costs amounting to over €245,000 were ineligible for payment and decided to claim reimbursement from the university instead with a debit note. The General Court found that the debit note seeking reimbursement from the university was unfounded up to 95% of the claim.
In 2015, OLAF decided to open an investigation concerning possible fraud in carrying out the project. In its press release, published on 5 May 2020, it summarised the potential fraud as one of obfuscation: the cheques were issued in the names of individual international researchers who were supposedly part of the project, but were then deposited into bank accounts with multiple beneficiaries. In addition, OLAF claimed that the cheques were personally deposited into the bank accounts by the lead scientist. Despite supposed attempts by the lead researcher to obstruct the investigation, OLAF claimed to have proved fraud by the lead scientist.
The lead researcher brought a claim against OLAF, alleging that the press release had blatantly infringed the provisions of Regulation 2018/1725 relating to the protection of personal data, the principle of the presumption of innocence laid down in Article 48(1) of the Charter of Fundamental Rights of the European Union and in Article 9(1) of Regulation No 883/2013, the obligation to respect the confidentiality of investigations referred to in Article 10(5) of that regulation, the right to good administration referred to in Article 41 of the Charter and the principle of proportionality. The issue at hand concerned an investigative journalist who was able to decode, in part due to the OLAF press release, who the lead scientist (the claimant) was.
The General Court rejected all complaints raised by the appellant and dismissed the action in its entirety. The claimant decided to appeal this decision, alleging misinterpretation of the concept of ‘identifiable natural person’ within the meaning of Article 3, point 1, of Regulation 2018/1725; misinterpretation of Article 9(1) of Regulation No 883/2013 and Article 48(1) of the Charter, read in conjunction with Article 6(2) of the ECHR, concerning the scope of the presumption of innocence; and distortion of the evidence relating to the infringement of Article 41 of the Charter on the right to good administration.
The appellant claimed that the General Court had erred when it concluded that a natural person to whom information relates is ‘identifiable’, within the meaning of Article 3, point 1, of Regulation 2018/1725, only if their identity can be established by an ‘average reader’ who is not himself or herself in possession of additional factors which enable that reader to establish the identity of the person to whom the information relates. The appellant claimed that this provision covers any person other than the data controller.
The appellant also claimed that the General Court erred in law when it held that only means which are trivial or insignificant, capable of demonstrating easily and quickly the identity of the person to whom the information relates, are covered by the concept of ‘means reasonably likely to be used’ to identify the person to whom the personal data relate. Recital 16 of Regulation 2018/1725 states only that, in order to ascertain whether means are reasonably likely to be used to identify a person, account should be taken of the costs of and amount of time required for identification, without requiring those costs or that time to be minimal or insignificant.
The Court did find that the fact that an investigative journalist has disseminated the identity of a person who is the subject of a press release cannot, alone, lead to the conclusion that the information contained in that press release must necessarily be classified as personal data within the meaning of Article 3, point 1, of Regulation 2018/1725 and that there is no need to examine whether the person in question is identifiable. However, the press release did contain some information that could enable the person to be identified, specifically their gender, nationality, profession, age and role in the project. In addition, it stated the amount of the grant, the awarding body and the country in which the grant was provided, and it included references to the appellant’s father.
The Court, contrary to the General Court, did conclude that such additional information, taken collectively, can enable a person to be identified through a press release. In addition, the ERCEA website contains several elements that enable a person to be identified, including the name of the project manager or the name of the host institution.
Case C-604/22 – online advertising and TC String
Case C-604/22 involved IAB Europe’s legal challenge against a decision by the Belgian Data Protection Authority (DPA) concerning the Transparency & Consent Framework (TCF), a set of rules aimed at ensuring GDPR compliance within the digital advertising sector. The Court was asked to determine if strings of characters that record internet users’ consent preferences (Transparency and Consent String, or TC String) constitute personal data under the GDPR. Additionally, the Court examined whether IAB Europe could be considered a “controller” or “joint controller” for the processing of these data strings.
Since 2019, the Belgian Data Protection Authority had received a number of complaints against IAB Europe, originating from both Belgium and from third countries, concerning the compliance of the TCF with the GDPR. By its decision of 2 February 2022, the Litigation Chamber of the DPA held that IAB Europe was acting as personal data controller as regards the recording of the consent signal, objections and preferences of individual users by means of a TC String, which, according to the Litigation Chamber of the DPA, is associated with an identifiable user.
The TC String stores three separate pieces of information:
- Metadata concerning the consent (version of the TC String, last update, version of the provider list, etc.)
- The purpose for which the providers may use the data.
- Which providers have received the user’s consent.
An example of a TC String would be “BOSSotLOSSotLAPABAENBc-AAAAgR7”. TC Strings are designed to record and convey a user’s consent preferences regarding the processing of personal data for advertising purposes in a structured and encoded format. Such a string enables the ecosystem of publishers, advertisers, and technology providers to understand and respect the user’s privacy choices as required under data protection regulations like the GDPR.
IAB Europe brought an action in the relevant court, disagreeing with the decision and alleging that only the other participants in the TCF could combine the TC String with an IP address to convert it into an item of personal data, that the TC String is not specific to a user and that IAB Europe does not have the possibility to access the data processed in that context by its members.
The Court noted that it has already held that it is not necessary that that information alone allows the data subject to be identified. Pursuant to settled case law, personal data which could be attributed to a natural person by the use of additional information must be considered to be information on an identifiable natural person. To determine whether a person is ‘identifiable’, account should be taken of ‘all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly’.
The court found that the fact that IAB Europe cannot itself combine the TC String with the IP address of a user and does not have the possibility of directly accessing the data is irrelevant when classifying it as ‘personal data’. The court found that, within the context of Article 4(1) GDPR, a TC String constitutes personal data.
The Court also found that, as the TCF aims to promote and enable the sale and purchase of online advertising space, IAB Europe exerts influence over the personal data processing operations for its own purposes. Given that the rules are set by IAB Europe itself, which can enact disciplinary measures, such as exclusion, in cases of non-compliance, the Court found that IAB Europe must be regarded as exerting influence over the personal data processing operations at issue in the main proceedings, for its own purposes, and as determining, as a result, jointly with its members, the means behind such operations. Therefore, such an organisation must be considered a “joint controller” under the GDPR.