On March 7, 2024, the European Court of Justice (“CJEU”) rendered its judgment in an appeal against a decision of the EU General Court (C-479/22P).  In the original decision, the General Court decided that the information contained in a press release by OLAF (a European anti-fraud organization) regarding fraud committed by an unnamed scientist was not personal data as the scientist was not identifiable from the press release (for more on the General Court’s decision, see our blog post here). The scientist appealed the decision arguing that she could easily be identified from the information released by OLAF and thus that the data were personal data.  The EU law concerned in this case is Regulation (EU) 2018/1725, which applies to the processing of personal data within EU bodies, rather than the GDPR, though the definition of personal data is the same in both regulations.

The CJEU overturned the decision of the General Court.  The CJEU noted that:

“it is inherent in the ‘indirect identification’ of a person that additional information must be combined with the data at issue for the purposes of identifying the person concerned. It also follows that the fact that that additional information comes from a person or source other than that of the controller of the data in question in no way rules out the identifiable nature of a person.” 

The court proceeded to point out that the law:

“does not lay down any conditions as regards the persons capable of identifying the person to whom an item of information is linked, since recital 16 of that regulation refers not only to the controller but also to ‘another person’.”

Finally, the CJEU indicated that the General Court could not decide that identifiability should be assessed solely on the basis of the information that OLAF released.  Instead, the information available to other people, and the ways this information could be combined with OLAF’s press release to identify the individual, should be taken into consideration.  For these other people, such as colleagues of the scientist or journalists, the press release data was identifiable, without requiring significant effort, using “reasonable means”. This meant that the data contained in the press release were personal data.

The Court did not decide that the data were personal data simply because OLAF knew who the scientist was.  We expect this the Court to examine that nuance further in the pending SRB case (C-413/23 P). 

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Kristof Van Quathem Kristof Van Quathem

Kristof Van Quathem advises clients on information technology matters and policy, with a focus on data protection, cybercrime and various EU data-related initiatives, such as the Data Act, the AI Act and EHDS.

Kristof has been specializing in this area for over twenty…

Kristof Van Quathem advises clients on information technology matters and policy, with a focus on data protection, cybercrime and various EU data-related initiatives, such as the Data Act, the AI Act and EHDS.

Kristof has been specializing in this area for over twenty years and developed particular experience in the life science and information technology sectors. He counsels clients on government affairs strategies concerning EU lawmaking and their compliance with applicable regulatory frameworks, and has represented clients in non-contentious and contentious matters before data protection authorities, national courts and the Court of the Justice of the EU.

Kristof is admitted to practice in Belgium.