In a recent judgment, the Court of Justice of the EU has clarified when personal data can lead to identifiability. This case concerned a press release from OLAF, the European Anti-Fraud Office, which uncovered a fraud that had been committed with a Greek research project funded by the EU. Among other things, the report described the involvement of a Greek researcher in the fraud. A significant detail is that her name was not mentioned in the text.
The researcher claimed compensation from OLAF for the non-material damage allegedly caused to her by the press release. On appeal, the debate focused on the question whether the data in the press release should be classified as personal data.
Personal data is defined as “any information relating to an identified or identifiable natural person”. Therefore, the question was whether the data in the press release lead to the identifiability of the researcher.
The ECJ first repeated the current assessment framework:
- When determining whether a natural person is identifiable, account should be taken of “all the means reasonably likely to be used”, either by the controller or by “another person”, to identify the natural person “directly or indirectly”.
- The fact that additional information is necessary to identify the data subject does not exclude that the data can be personal data.
- Account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments.
- If identification requires a disproportionate effort, the data are not personal data.
In addition to this, the ECJ clarified that:
- the additional information that may be used to identify a person may also be external information;
- identifiability is not limited to the controller, but also covers any person other than the controller who is able to identify the data subject; and
- in order to assume ‘identifiability’ and to conclude that the data are personal data, there is no need to prove that a person has actually been identified.
The ECJ also held that the fact that a person has actually been identified does not necessarily mean that the data at issue is or are personal data; it must then still be examined whether the person can reasonably be expected to be identifiable without a disproportionate effort.
Finally, the ECJ concluded that the press release contained so many data that these may reasonably lead to the researcher's identification by a specific group, in particular by persons working in the same scientific field and familiar with her professional background. Besides, the report contained some key elements which, in combination with publicly available information that can be found without a disproportionate effort, may also lead to identification by other readers. The ECJ concluded that the data in the press release are personal data. It does not matter that the researcher’s name was not mentioned. The consequence of this ruling is that the GDPR applies, and that the General Court will have to assess the researcher’s claim anew.