EU General Court has made an important decision for information used by those operating in online advertising and publishing.
CJEU rulings are binding within the EU and no longer in the UK (though UK organisations may need to adhere to them, when the extraterritorial provisions of the EU's GDPR apply).
The issue related to the condition laid down in Article 3(1) of Regulation 2018/1725 that the information is to "relate" to an 'identified or identifiable' natural person".
The first issue was whether the information was "related" or "linked" to a person " by its content, purpose or effect". On the fact the recipient of the information did not examine the content, purpose or the effect of the data transmitted.
The second issue involved sharing individual comments collected via a form linked to an alphanumeric code without sharing the means with which to reidentify people from that code. The court stated:
"90. In so far as recital 16 of Regulation 2018/1725 refers to the means likely reasonably to be used by both the controller and by 'any other person', its wording suggests that, for information to be treated as 'personal data' within the meaning of Article 3(1) of Regulation 2018/1725, it is not required that all the information enabling the identification of the data subject must be in the hands of one person (see, by analogy, judgment of 19 October 2016, Breyer, C-582/14, EU:C:2016:779, paragraph 43)."
In the Breyer case, the Court of Justice nevertheless held that the possibility of combining an IP address with additional information held by the internet service provider constituted "a means likely reasonably to be used to identify the data subject".
In the Breyer case CJEU also, and more importantly for publishing and advertising, held that the reasonable likelihood test would not have been met if prohibited by law or practically impossible on account of the fact that it would have required a disproportionate effort in terms of time, cost and man-power, so that the risk of identification would have appeared in reality to be insignificant (judgment of 19 October 2016, Breyer, C-582/14, EU:C:2016:779, paragraph 46).
In the present case the court found that:
- in order to determine whether the information transmitted to Deloitte constituted personal data, it is necessary to put oneself in Deloitte's position in order to determine whether the information transmitted to it relates to 'identifiable persons'.
- alphanumeric codes associated to individual comments did not in itself allow the authors of the comments to be identified, and, second, that Deloitte did not have plausible means to access to the identification data received that would have allowed the participants to be "linked to" their comments by virtue of the alphanumeric code.
The Court therefore decided that the alphanumeric code and the associated information transmitted to a data recipient, will not be considered personal data if the data recipient does not have "the reasonably likely legal means" to re-identify the data subjects.
The Court also clarified that an individual's declared data (text, comments or opinions in the SRB case ) cannot be assumed to be personal data. Instead, a case-by-case assessment is necessary to determine whether the information collected is "reasonably linkable" to a specific identifiable individual by the organization receiving the data
Thus, if non personal data is not reasonably likely to be linkable back to identify a single living individual by the recipient in whose hand the data is held it is not to be treated as personal data. Data in the hands of one organization can thus be safeguarded in alphanumeric code and it can be passed on in that form.
The requirement that it needs to be "reasonably linkable by the recipient" is important. The fact that the data sender has the means to re-identify data subjects is irrelevant to whether the information sent is automatically Personal Data in the hands of the recipient as they are independent parties.
So what?
Much depends on who holds the data. Google or Apple hold comprehensive users' data and that may include email addresses and bank card details and real world data about names addresses and telephone numbers. That data is all reasonably linkable in whatever form it is held and it is often linked together.
To use that data they need to rely on at least one lawful basis for processing (e.g. consent, contract performance, legitimate interest, etc. and clearly explain their users how and when they will use their personal data. Furthermore, they need to obtain express consent from the users to place cookies on the users' devices and collect their information (unless they are essential cookies). The cookie consent they obtain has to be meaningful – which means telling the consumer in plain and unvarnished terms what the choices are and giving them an unrestricted choice. Unvarnished and unrestricted choice is would not involve presenting a large green "click here" consent button around a desired outcome.
By comparison those in the ad supply chain that just require identifiers to place their ads but do not have access to the user information, do not have the reasonably likely legal means with which to re-identify individuals from within their own resources, are unlikely to be held responsible for breach of data protection law as they would be processing anonymised data.
This is ground breaking. The decision means that data, including random identifiers in alphanumeric code generated in relation to specific individuals, ("IDs") CAN be passed on provided the recipient organisation cannot reasonably link them back to the relevant individual, and keeps them Anonymous.
Third parties in advertising supply chains and publishers will welcome the clarity but will need to think carefully about the controls they need to put in place, and what technology they invest in, to avoid reidentification and ensure they adopt prudent practices and can prove they reduce risk with relation to proportionate effort in terms of time, cost and man-power, so that they limit the risk of identification and can show it will in reality to be insignificant.
Under GDPR, Anonymous data is not Personal Data. Given the "reasonably likely legal means" decision in Breyer as it has been applied in SRB, the mere threat of hacking or illegal activity outside the control of the recipient is NOT sufficient to classify random identifiers in alphanumeric code in the possession of that organization as Personal Data.
By extension, contracts restricting the re-identification and obligations on organizations to invest in means to prevent re-identification and comply with the standard of ensuring reasonably likely legal means to reidentify people, can be inserted in contracts to ensure compliance with the law.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
