I. Introduction
On 6 February 2025, Advocate General (AG) Spielmann issued his Opinion on the ongoing appeal in EDPS v. SRB (C- 413/23 P). While the case itself delves into issues of pseudonymisation, a point of interest lies in how this Opinion, far from departing from precedent, actually entrenches how the CJEU has proceeded to view “personal data” as a wholly relative concept.
In this regard, this post builds upon the Opinion of the AG, in an effort towards understanding whether the concept of relative personal data is doctrinally sound and consistent with the wording of the General Data Protection Regulation (GDPR). I would argue that viewing personal data as relative, while being seemingly pragmatic and realistic, stems from a conceptual inconsistency dating back to the judgment of the CJEU in Breyer (C-582/14).
II. EDPS v. SRB: Background
The brief facts are as follows: the Single Resolution Board (SRB) adopted a resolution scheme in favour of a firm, and entrusted Deloitte with the task of analysing data relating to comments received from participants during a consultation. While passing on the information to Deloitte, SRB filtered, collated and aggregated the information and added an alphanumeric code, so that SRB could later on link the data with the individual participants. Deloitte, on its part, was not provided with the identifiers and was not in a position to link the data points received from SRB with the individual participants.
The European Data Protection Supervisor (EDPS) nevertheless opined that the data passed on to Deloitte, although pseudonymised, constituted personal data. As a result, SRB was held to have infringed the right of the data subject to be notified of the recipients of her personal data at the time of collection, by not disclosing Deloitte as a recipient of the data subjects’ personal data in its privacy policy.
Before the General Court, one of the primary issues revolved around whether the data received by Deloitte constituted “personal data”. The Court held that the EDPS erred in viewing the data solely from the perspective of SRB, in whose hands it was undoubtedly “personal data”, but completely ignoring the perspective of Deloitte. In other words, while the data collected and stored by SRB was “personal data”, the data passed on by SRB to Deloitte may not be so. The implication, to generalise beyond the facts, was simply this: the same data can be “personal” in the hands of one controller, and not “personal” in the hands of another.
Such a relative understanding has been adopted, albeit with more nuance, by the AG in his Opinion in the appeal filed before the CJEU. In the first place, the AG accepted the fact that the comments received during the consultation phase “related to” a natural person, in that they expressed their “logic and reasoning”, and following the dictum in Nowak (C- 434/16) necessarily pertained to the “subjective opinion” of the persons concerned (para. 33). As a result, the data in the hands of SRB was “personal data”.
However, and quite importantly, the Opinion does not answer whether the pseudonymised data was “personal data” in the hands of Deloitte, and whether Deloitte ought to be burdened with the responsibilities of a controller. Instead, the AG deftly points out that pseudonymisation, although not akin to anonymisation, does not rule out the possibility of the pseudonymised data as not being considered personal data (para. 52). The consequence seems to be the same as that hinted by the General Court: data that is “personal” in the hands of SRB, may not necessarily be “personal” in the hands of Deloitte. Simply put, the determination of a data point as being “personal” or not cannot be viewed objectively based on the nature of the data, but would differ from controller to controller.
III. Personal Data under the GDPR: Absolute or Relative?
Article 4(1) of the GDPR defines “personal data” as “any information relating to an identified or identifiable natural person”. While this definition by itself does not determine the question of whether personal data is an absolute or relative concept, Recital 26 is instructive on this point. As per that Recital, the test of identifiability relies on the question of whether a data subject can be identified by taking into account “all the means reasonably likely to be used….. either by the controller or by another person to identify the natural person directly or indirectly.” It is worth noting that the phrase “or by another person” refers to whether “another person” has the means reasonably likely to be used to identify the natural person, and not whether additional information needed by the controller to identify her is available in the hands of “another person”.
Yet, in Breyer, the CJEU seemingly conflates the two. In a sentence that has been widely cited in subsequent cases, the CJEU interpreted the language in the recital as follows:
“…for information to be treated as ‘personal data’………it is not required that all the information enabling the identification of the data subject must be in the hands of one person.” (Breyer, para. 43)
In Breyer, the Court employed such an interpretation to hold that although online media service providers could not identify individuals based on dynamic IP addresses, they constituted personal data “in relation to that provider”, since in the case of a cyberattack, the online media service providers could approach the competent authority and ask for additional information from Internet service providers for identification (Breyer, paras. 47 and 49). This, according to the CJEU, constituted “means reasonably likely to be used” by the online media service provider to identify a natural person.
The implications of such an interpretation are far-reaching. In its original sense, Recital 26 implies that in deciding whether any information is personal data, one needs to account for the “means likely reasonably to be used” for identification by either the controller possessing the information, or by any other person. In other words, if a natural person is identifiable through “means likely reasonably to be used” by any person globally, such information would constitute personal data. As a result, an absolute view of personal data needs to be taken.
On the other hand, if the dictum in Breyer is accepted, then the information would be personal data only if the controller itself can identify the individual, using additional information that is possessed either by itself or by another person. This essentially connotes that what is personal data for one controller may not be so for another: the notion of what is personal data then becomes relative.
Before Breyer, in its Opinion 05/2014 (p. 9), the Article 29 Working Party, using a factual matrix similar to the SRB case, had argued that if identifiers are removed and passed on to a third party, the data continues to remain personal data. Borgesius (p. 263) also accepts that Recital 26, interpreted literally, points towards an absolute interpretation of personal data. However, commenting on the decision of the General Court in SRB, Alexandre Lodie has argued that the relative model has informed the judicial approach since Breyer, possibly in an attempt to limit the scope of personal data.
This trend is evident in the case law of the CJEU. In Scania (C- 319/22), the Court was called upon to determine whether Vehicle Identification Numbers (VIN) constitute personal data. In the words of the Court, “where independent operators may reasonably have at their disposal the means enabling them to link a VIN to an identified or identifiable natural person,…..that VIN constitutes personal data for them” (Scania, para. 49).
A more difficult case arose in IAB Europe (C-604/22). Here, the CJEU determined that a string of letters and characters denoting the user’s preferences while providing consent on a consent management platform would constitute personal data, as long as it could reasonably be used in conjunction with identifiers like IP addresses for identification. This was despite the fact that IAB Europe, which possessed the string, could not combine the string with other identifiers without “external contribution”. On the face of it, this case seems to support the “absolute” or “objective” reading of Recital 26: even if controller X cannot reasonably use a data point to identify a person, it constitutes personal data if “any other person” can reasonably use it for identification. However, as Alexandre Lodie rightly points out, the Court chooses a relative approach in this case as well. As the Court notes, “the members of IAB Europe are required to provide that organisation, at its request, with all the information allowing it to identify the users whose data are the subject of a TC String” (IAB Europe, para. 48). As a result, the data was held to be “personal” because IAB Europe itself had the “means likely reasonably to be used” to identify the data subject, and not that it could be “personal data” even though IAB Europe could not reasonably identify the data subject.
Therefore, it can be said that although Recital 26 points towards an absolute approach towards interpreting personal data, case law of the CJEU since Breyer has consistently adopted a relative approach. What is worrying, however, is that this approach is rooted in a potential inconsistency by the CJEU in interpreting Recital 26 in Breyer, which has been followed without question in later cases.
IV. Pragmatism versus Doctrinal Coherence ?
It is undoubtedly true that burdening an entity that cannot reasonably identify an individual with the responsibilities of a controller, may be excessively onerous. In that sense, the relative interpretation of personal data might seem to be a more pragmatic choice to take. In fact, this was the precise argument adopted by the AG in the Opinion in Breyer: “it would never be possible to rule out, with absolute certainty, the possibility that there is no third party in possession of additional data which may be combined with that information and are, therefore, capable of revealing a person’s identity” (para. 65). As a result, an expansive interpretation of “personal data” would make almost every entity processing any data as a controller. Further, as argued by Purtova, the fear that data protection law would end up becoming the “law of everything”, might become a reality.
Viewed critically, however, there are two points worth making. Firstly, even if an entity does end up becoming a controller, its responsibilities might vary based on whether it is able to identify the data subject. For example, under Article 11(2) of the GDPR, most of the rights available to the data subject are extinguished if the controller can demonstrate that it is unable to identify the data subject. This provision further underlines the fact that an entity can process “personal data” and hence become a “controller”, without it being able to identify the data subject. This raises serious questions on whether the GDPR tilts towards an “absolute” reading of “personal data” after all. Secondly, the dictum in Google Spain (C-131/12) provides a narrow window for certain entities to process “personal data” without being a “controller”. As the Court notes, search engines would be classified as controllers only
“inasmuch as the activity of a search engine is therefore liable to affect significantly, and additionally….the fundamental rights to privacy and to the protection of personal data” (Google Spain, para. 38).
The qualifiers underlined above, if generalised to entities beyond search engines, might indicate that it is permissible, for certain entities to process “personal data” without being labelled as “controllers”, as long as such processing does not “significantly” affect the rights of the data subject.
Even otherwise, I would argue that restricting the interpretation of “personal data” by way of a relative approach offers no pragmatic advantages over an absolute approach. Let us consider a hypothetical counterfactual mapped onto the SRB case. Under an “absolute” interpretation of personal data, the data would be considered “personal” vis-à-vis Deloitte under all circumstances, because although Deloitte cannot reasonably identify the data subject, SRB can do so.
However, and quite surprisingly, we would reach an identical conclusion even if we adopt a relative approach that is consistent with Breyer. This is because, on the facts of the SRB case, there is a possibility that due to a cyberattack for which Deloitte is not responsible, the identifiers available only with SRB are made public, thus affording Deloitte an opportunity to link them with the data in its possession and identify the individuals. As a result, Deloitte would, in all cases, have the “means likely reasonably to be used” to identify the individual, since such identification using publicly available data by Deloitte is neither “prohibited by law” nor would it involve “disproportionate effort in terms of time, cost and man-power, so that the risk of identification appears in reality to be insignificant” (Breyer, para. 46). Careful readers may notice that the example of a cyberattack used in this illustration is a deliberate choice, since the CJEU in Breyer used the very same example in determining its “means likely reasonably to be used” test, and hold that dynamic IP addresses constituted personal data vis-à-vis online media service providers as well.
V. Conclusion
In this post, I argue that the relative approach in interpreting personal data, as exemplified by the Opinion of the AG in SRB, may not be doctrinally coherent. Instead, this approach flows from a possible inconsistency in the Breyer case. Further, apart from exceptional cases, there is no pragmatic reason for favouring the relative approach over an absolute interpretation of “personal data”, the latter being more in line with the scheme of the GDPR. Even otherwise, if a relative approach is indeed found suitable for practical reasons, it is probably wiser to amend the legal text itself rather than rely on artificial interpretational gymnastics to arrive at a solution.
Nirmalya Chaudhuri is a legal researcher based in India. He holds an LLM from the University of Cambridge, which he pursued as a Cambridge Trust Scholar. He may be reached at [email protected].