On May 4, 2022, the General Court of the EU handed down a decision that helps clarify the standard of proof required to demonstrate that information that does not identify someone by name constitutes “personal data” under EU data protection law. The court also clarifies that the burden of proof falls on the entity alleging that the information is personal data.
The case concerns an online press release published by the European Anti-Fraud Office (“OLAF”) announcing that it had determined that a Greek scientist had committed fraud using EU funds intended to finance a research project. Among other things, the scientist alleged that the press release contained “personal data” about her and, therefore, OLAF breached data protection law because it did not have a legal basis to disseminate her “personal data”. She also alleged that OLAF’s press release had enabled two journalists to identify her and each write an article mentioning her by name.
The court disagreed with the position taken by the scientist, holding that she was not able to demonstrate that the published information enabled her identification and, therefore, she had not demonstrated that the information was “personal data”. It also decided that OLAF was not responsible for the news articles that identified the scientist by name.