how to solve the “indirect personal data” riddle? – European Law Blog

Blogpost 10/2024

INTRODUCTION

For those looking for more guidance by the Court of Justice of the European Union (CJEU) on the meaning of “personal data” and, in particular, the notion of an “indirectly identifiable” natural person under article 4(1) GDPR, 2023 has been an exceptionally gratifying year. On 26 April 2023 the General Court ruled in the case T-557/20 (SRB v. EDPS) and, on 9 November 2023, the ECJ pronounced its judgment in the case C-319/22 (Gesamtverband). This blogpost focuses on the Court’s ruling in Gesamtverband, specifically, its deeply puzzling use of the word “indirectly” in relation to “personal data”.

The case concerns a dispute between Scania, a manufacturer of commercial vehicles, on the one hand, and, on the other hand, the Gesamtverband Auto-Handel, a German trade association of independent wholesalers of vehicle parts. The Gesamtverband asked, inter alia, the referring court (the Regional Court, Cologne, Germany) to order Scania to provide it with access to vehicle repair and maintenance information, which it deemed necessary to ensure competition on the motor vehicle aftermarket, on the basis of article 61(1) Regulation 2018/858. According to this provision, “Manufacturers shall provide to independent operators unrestricted, standardised and non-discriminatory access to vehicle OBD information, diagnostic and other equipment, tools including the complete references, and available downloads, of the applicable software and vehicle repair and maintenance information. […]”. The Gesamtverband claimed that this provision obliged Scania to provide all independent operators (also those that are not entrusted by a customer with the actual repair of a vehicle) with access to a list of the vehicles’ unique identifying numbers (i.e. Vehicle Identification Numbers or VINs), instead of limiting access to such VINs to repairers.

Consequently, the referring court asked several questions to the CJEU. For the purpose of this blogpost, the following question is relevant: “Does article 61(1) of Regulation [2018/858] constitute, for vehicle manufacturers, a legal obligation within the meaning of article 6(1)(c) of the GDPR which justifies the disclosure of VINs or information linked to VINs to independent operators as other controllers within the meaning of point 7 of Article 4 of the GDPR?”.

As summarised by Advocate General Campos Sánchez-Bordona in his Opinion in the case, the parties argued as follows: Scania claimed that VINs were personal data with respect to manufacturers, hence, the GDPR would prohibit their disclosure to independent operators without a proper legal basis (AG Opinion, para. 30). The Gesamtverband submitted that VINs were not personal data with respect to manufacturers (AG Opinion, para. 30). It added that, even if they were, Scania would be authorized to make them available to independent operators, since article 61(1) Regulation 2018/858 constitutes a legal obligation that renders the disclosure lawful under article 6(1)(c) GDPR (AG Opinion, para. 30).

FINDINGS

The Court first examines whether VINs are personal data within the meaning of article 4(1) GDPR, i.e. “any information relating to an identified or identifiable natural person” (para. 44). It states that information is to be regarded as personal when, “by reason of its content, purpose and effect” it is linked to a particular person (para. 45). This is generally consistent with the Court’s findings in Nowak, where it clarified the meaning of “relating to” an identified or identifiable natural person. Next, the Court focuses on the meaning of “identifiable”. By reference to its landmark judgment, Breyer, it states that “in order to determine whether a natural person is identifiable, directly or indirectly, account should be taken of all the means likely reasonably to be used either by the controller […] or by any other person, to identify that person, without, however, requiring that all the information enabling that person to be identified should be in the hands of a single entity” (para. 45).

The Court then proceeds to apply these principles to the facts of the case. It states that, since VINs are assigned to a vehicle to ensure the latter’s proper identification, they are not – as such – personal data (para. 46). They may, however, become personal data as regards someone who reasonably has the means to link the VIN to a specific person (para. 46). The Court further specifies that VINs must appear on the registration certificate of a vehicle (para. 47). As required by law, this certificate must also mention the name and address of persons that may be natural persons, i.e. the vehicle’s owner or the person that can use the vehicle other than the owner (para. 47). As specified by the Advocate General (AG Opinion, para. 40), registration certificates may therefore constitute one of the means by which VINs can be linked to natural persons. Consequently, according to the Court, the VIN constitutes personal data of the natural persons referred to in the registration certificate, “in so far as the person who has access to it may have means enabling him to use it to identify” the vehicle’s owner or the vehicle’s user other than the owner (para. 48). The Court, therefore, holds that:

“where independent operators may reasonably have at their disposal the means enabling them to link a VIN to an identified or identifiable natural person, which it is for the referring court to examine, that VIN constitutes personal data for them, within the meaning of article 4(1) GDPR, and, indirectly for the vehicle manufacturers making it available, even if the VIN is not, in itself, personal data for them, and is not personal data for them in particular where the vehicle to which the VIN has been assigned does not belong to a natural person” (para. 49, emphasis added).  

The Court’s reasoning in paragraph 49 follows the one presented by the Advocate General in his opinion (AG Opinion, para. 41).

Second, the Court examines whether, by disclosing VINs to independent operators, Scania would be “processing” personal data as defined under article 4(2) GDPR. It holds that this would be the case (para. 51). As a third and final step, the Court ascertains whether Regulation 2018/858 imposes a legal obligation on Scania to disclose the VINs of its vehicles to independent operators, within the meaning of article 6(1)(c) GDPR (paras. 55-61). The answer to this question is also affirmative (para. 62).

CRITICAL REMARKS

The general finding that VINs can be personal data to the party that has the reasonably likely means to link VINs to an identified or identifiable natural person does not come as a surprise. It confirms the approach to “identifiability” set forth in recital 26 GDPR and already adopted by the Court in Breyer. What is, I argue, problematic, in particular in relation to paragraph 49 of the judgment, is the following. First, the Court seems to have coined a new notion of “indirect personal data”. Second, the Court appears to have misapplied the Breyer standard to the facts of the case. These two issues are further analysed below.

(1) A new concept of “indirect personal data”?

As mentioned above, in paragraph 49 of the judgment, the Court states that the VIN could “indirectly” constitute “personal data” for the vehicle manufacturers. The notion of indirect personal data is new and cannot be found in the text of the GDPR, nor in earlier CJEU case-law on the matter. Article 4(1) GDPR mentions “indirectly” in relation to “an identifiable natural person”. Similarly, recital 26 GDPR talks about “means reasonably likely to be used” to identify a natural person “directly or indirectly”. In the GDPR, the terms “directly” and “indirectly” hence refer to “identifiability”, i.e. a component of the definition of personal data. Data can qualify as personal whether it allows direct or indirect identification of the individual. The Court illustrated this in Breyer and, implicitly, in SRB v. EDPS. In Breyer, the CJEU held that a dynamic IP address – which, as such, did not reveal the user’s identity – related “indirectly” to an “identifiable” user, if it could be combined with “additional information” that allowed the user’s identification (emphasis added) (Breyer, para. 41). Similarly, in SRB v. EDPS, the General Court ruled that an alphanumeric code – which, as such, did not reveal the identity of the data subjects at issue – was not information relating to “an identified natural person” because it “did not make it possible directly to reveal the identity” of the data subjects (emphasis added) (SRB v. EDPS, para. 99). Like the CJEU in Breyer, it further held that it was necessary to examine whether the alphanumeric code could, nevertheless, be coupled with additional information that would allow the identification of the data subjects (SRB v. EDPS, para. 104). In Gesamtverband, by using the word “indirectly” in relation to personal data (not identifiability), the Court appears to be introducing a new dimension along which to classify personal data, i.e. direct versus indirect, which is unheard of.

(2) Indirectly identifiable data ‘by assumption’?

Given the novelty of the concept of “indirect personal data” – and the fact that neither the Advocate General nor the Court provides any further explanation on how it should be interpreted – it is possible, as argued by some commentators, that the terms “indirectly” and “personal data”, in relation to vehicle manufacturers, should be replaced with “information relating to an indirectly identifiable natural person”. Consequently, we could paraphrase paragraph 49 as follows:

  • since independent operators may have the means reasonably likely to link the VINs to additional information identifying a natural person, VINs can constitute personal data for the operators;
  • therefore, VINs are also information relating to an (albeit “indirectly”) identifiable individual (and, hence, constitute personal data) for the vehicle manufacturers.

This brings me to my second critical remark on paragraph 49 of the judgment. Gesamtverband seems to depart from the test set in recital 26 GDPR, as first clarified in Breyer, to determine whether data relate to an indirectly identifiable natural person. As mentioned above, recital 26 GDPR provides that “to determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly”. In Breyer, the Court found, on the basis of recital 26 Directive 95/46/EC, that – by processing a dynamic IP address – a website provider was processing personal data, insofar as German law created, in certain cases, the possibility for the provider to combine the IP address with the additional information leading to identification held by another person (the Internet service provider) (Breyer, para. 48). Consequently, the Court held that the website provider had “the means reasonably likely be used to identify the data subject” (Breyer, para. 48). The General Court adopted the same approach in SRB v. EDPS. There, it found that, in order to ascertain whether the alphanumeric code was personal data for the recipient of the code (i.e. Deloitte), it had to be examined whether such recipient had the reasonably likely means to identify the persons to whom the code related, by combining the code with additional information that allowed identification and that was held by another person, i.e. the Single Resolution Board (SRB v. EDPS, para. 104). In paragraph 49 of Gesamtverband, the Court correctly requires the referring court to apply the “means reasonably likely to be used” test to establish whether VINs are personal for the independent operators. Surprisingly, however, it fails to do the same when it comes to ascertaining whether VINs are indirectly identifiable data for the manufacturer. Rather, it appears to assume that, if independent operators have the means reasonably likely to identify the natural persons to which the VINs relate, so do the vehicle manufacturers. If there were some specific reasons for this assumption, justifying by-passing the application of the “means reasonably likely to be used” test to the vehicle manufacturers, one would have expected the Court (and the Advocate General) to mention them. In this case, however, no such reason is mentioned. We are, therefore, left to wonder why data that is indirectly identifiable to one party must, by assumption, also qualify as such for the other party.

This interpretation could (regrettably) signal a departure from the so-called relative approach to personal data, in favour of a more absolute one. As explained elsewhere, according to an absolute approach to personal data, “if anybody is able to identify a data subject on the basis of the data at issue, then that data qualifies as personal for every party that is processing that data”. Under the relative approach, “the likelihood of re-identification is assessed from the perspective of a more limited number of parties, i.e. the controller and a third party that is reasonably likely to be approached by or approach the controller”. The General Court’s judgment in SRB v. EDPS has been interpreted by Lodie, in an earlier post on this blog, as an endorsement of the relative approach and as part of a broader trend in the Court’s case law to restrict the notion of personal data. Specifically, in SRB v. EDPS, the General Court held that, to ascertain whether the disclosure of alphanumeric codes from the sharer (SRB) to the recipient (Deloitte) was a processing of personal data, it was not sufficient to examine whether the codes qualified as personal to the sharer. It (also) had to be examined whether the codes were indirectly identifiable, hence personal data, from the perspective of the recipient. This approach appears to contrast with the one taken by the Court in Gesamtverband, where the fact that the data is indirectly identifiable to the recipient (i.e. the independent operators) means that it is, automatically, also identifiable to the sharer (i.e. the vehicle manufacturer). Did the CJEU, thereby, intend to reverse the aforementioned trend to limit the concept of personal data, in favour of a broader interpretation of the notion? With regard to this, it is worth noting that the General Court’s judgment in SRB v. EDPS has been appealed by the EDPS and that the case is currently pending before the ECJ. This appeal may, therefore, provide the Court with the opportunity to clarify which approach it intends to follow.

Finally, and most paradoxically, the interpretation of paragraph 49 offered above can result in a party (in this case, the vehicle manufacturers) processing personal data, and this processing therefore falling under the scope of the GDPR, without the party even being aware of it. Indeed, as noticed by other commentators, one may ask how vehicle manufacturers are supposed to know (i) whether and (ii) which independent operators have the means reasonably likely to be used to link VINs to a natural person and are, hence, processing personal data. Would the Court expect the independent operators to notify the vehicle manufacturers on the matter? The GDPR itself is silent on this point.

As appears from the above, it is difficult to make sense of the Court’s finding in Gesamtverband that “[…] VINs are (indirectly) [personal data] for the vehicle manufacturers […]”. Hopefully, the Court will elucidate this notion in future case-law.
