Preiskel & CoPreiskel & Co
Preiskel & Co
A boutique law firm in London
  • Home
  • About Us
    • Diversity, Social Responsibility, and Pro Bono
  • Services
    • Corporate
    • Commercial
    • Regulatory
    • Competition & Antitrust
    • Data Protection, Privacy, and Retention
    • Intellectual Property
    • Dispute Resolution
    • Employment
  • Sectors
    • Telecommunications
    • IT, Technology, & Internet
    • Media and Broadcasting
    • Websites, Blogging, & Social Media
    • Film & Television
    • Gambling & Online Gaming
    • Leisure & Retail
    • Energy & Minerals
    • Cryptocurrency & Blockchain
    • Creative Industries
  • People
    • Daniel Preiskel
    • Ronnie Preiskel
    • Tim Cowen
    • Jose Saras
    • Robert Dougans
    • Karthyaeni Vittala
    • Tina Cowen
    • Xavier Prida
    • Martina Raciti
    • Ewelina James
    • Rachael Machado
    • Maria Constantin
    • Peter Dally
    • Richard Stewart
    • Joanna Coombs-Huang
    • Paul Stelges
    • Hannah Leader
    • Alison MacFarlane
    • Ilanit Appelfeld
    • Daniel Oakland
    • Sophia Yakhno
    • Sue Warwick
    • D A T Green
    • Antony Corel
    • Stewart White
    • Mor Swiel
    • Stephen Hornsby
    • Tony Curzon-Price
    • Robert Harvey
    • Shardi Shameli
  • International
  • Blog
  • News
    • Publications
  • Contact
Menu back  

Important EU Court decision for publishers and AdTech suppliers 

May 18, 2023By Preiskel & Co

EU General Court has made an important decision for information used by those operating in online advertising and publishing.

CJEU rulings are binding within the EU and no longer in the UK (though UK organisations may need to adhere to them, when the extraterritorial provisions of the EU’s GDPR apply).

The issue related to the condition laid down in Article 3(1) of Regulation 2018/1725 that the information is to “relate” to an ‘identified or identifiable’ natural person”.

The first issue was whether the information was “related” or “linked” to a person “ by its content, purpose or effect”. On the fact the recipient of the information did not examine the content, purpose or the effect of the data transmitted.

The second issue involved sharing individual comments collected via a form linked to an alphanumeric code without sharing the means with which to reidentify people from that code. The court stated:

“90. In so far as recital 16 of Regulation 2018/1725 refers to the means likely reasonably to be used by both the controller and by ‘any other person’, its wording suggests that, for information to be treated as ‘personal data’ within the meaning of Article 3(1) of Regulation 2018/1725, it is not required that all the information enabling the identification of the data subject must be in the hands of one person (see, by analogy, judgment of 19 October 2016, Breyer, C‑582/14, EU:C:2016:779, paragraph 43).”

In the Breyer case, the Court of Justice nevertheless held that the possibility of combining an IP address with additional information held by the internet service provider constituted “a means likely reasonably to be used to identify the data subject”.

In the Breyer case CJEU also, and more importantly for publishing and advertising, held that the reasonable likelihood test would not have been met if prohibited by law or practically impossible on account of the fact that it would have required a disproportionate effort in terms of time, cost and man-power, so that the risk of identification would have appeared in reality to be insignificant (judgment of 19 October 2016, Breyer, C‑582/14, EU:C:2016:779, paragraph 46).

In the present case the court found that:

1) in order to determine whether the information transmitted to Deloitte constituted personal data, it is necessary to put oneself in Deloitte’s position in order to determine whether the information transmitted to it relates to ‘identifiable persons’.

2) alphanumeric codes associated to individual comments did not in itself allow the authors of the comments to be identified, and, second, that Deloitte did not have plausible means to access to the identification data received that would have allowed the participants to be “linked to” their comments by virtue of the alphanumeric code.

The Court therefore decided that the alphanumeric code and the associated information transmitted to a data recipient, will not be considered personal data if the data recipient does not have “the reasonably likely legal means” to re-identify the data subjects.

The Court also clarified that an individual’s declared data (text, comments or opinions in the SRB case ) cannot be assumed to be personal data. Instead, a case-by-case assessment is necessary to determine whether the information collected is “reasonably linkable” to a specific identifiable individual by the organization receiving the data

Thus, if non personal data is not reasonably likely to be linkable back to identify a single living individual by the recipient in whose hand the data is held it is not to be treated as personal data. Data in the hands of one organization can thus be safeguarded in alphanumeric code and it can be passed on in that form.

The requirement that it needs to be “reasonably linkable by the recipient” is important.  The fact that the data sender has the means to re-identify data subjects is irrelevant to whether the information sent is automatically Personal Data in the hands of the recipient as they are independent parties.

So what?

Much depends on who holds the data. Google or Apple hold comprehensive users’ data and that may include email addresses and bank card details and real world data about names addresses and telephone numbers. That data is all reasonably linkable in whatever form it is held and it is often linked together.

To use that data they need to rely on at least one lawful basis for processing (e.g. consent, contract performance, legitimate interest, etc. and clearly explain their users how and when they will use their personal data. Furthermore, they need to obtain express consent from the users to place cookies on the users’ devices and collect their information (unless they are essential cookies). The cookie consent they obtain has to be meaningful – which means telling the consumer in plain and unvarnished terms what the choices are and giving them an unrestricted choice. Unvarnished and unrestricted choice is would not involve presenting a large green “click here” consent button around a desired outcome.

By comparison those in the ad supply chain that just require identifiers to place their ads but do not have access to the user information, do not have the reasonably likely legal means with which to re-identify individuals from within their own resources, are unlikely to be held responsible for breach of data protection law as they would be processing anonymised data.

This is ground breaking. The decision means that data, including random identifiers in alphanumeric code generated in relation to specific individuals, (“IDs”)  CAN be passed on provided the recipient organisation cannot reasonably link them back to the relevant individual, and keeps them Anonymous.

Third parties in advertising supply chains and publishers will welcome the clarity but will need to think carefully about the controls they need to put in place, and what technology they invest in, to avoid reidentification and ensure they adopt prudent practices and can prove they reduce risk with relation to proportionate effort in terms of time, cost and man-power, so that they limit the risk of identification and can show it will in reality to be insignificant.

Under GDPR, Anonymous data is not Personal Data. Given the “reasonably likely legal means” decision in Breyer as it has been applied in SRB, the mere threat of hacking or illegal activity outside the control of the recipient is NOT sufficient to classify random identifiers in alphanumeric code in the possession of that organization as Personal Data.

By extension, contracts restricting the re-identification and obligations on organizations to invest in means to prevent re-identification and comply with the standard of ensuring reasonably likely legal means to reidentify people, can be inserted in contracts to ensure compliance with the law.

 

Please contact Jose Saras ,  Tim Cowen or Danny Preiskel if you have any questions regarding the above.

The material in this article is only for general review of the topics covered and does not constitute legal advice. No legal or business decision should be based on its content.

This article is written in English language. Preiskel & Co LLP is not responsible for any translation of all or part of its content into any language.

Latest Preiskel & Co blog posts
  • CMA AI Report: The Foundation of the UK’s AI Response
    September 21, 2023
  • Navigating Health Data Compliance: A Roadmap for Employers
    September 21, 2023
  • Transatlantic convergence? Recent cases on advertising and privacy from the USA and UK
    September 15, 2023
  • Practical Guide – Net Neutrality in the UK
    September 14, 2023
  • Virgin succeeded in defending a claim by EE for loss of EE’s profits caused by Virgin’s breach of the MVNO Exclusivity Clause
    September 12, 2023
  • Getting out of a (data) scrape: global statement published for the protection of publicly accessible personal data online
    September 8, 2023
  • The dark side of design: the ICO and CMA call for businesses to rethink their website layouts
    August 18, 2023
  • Could the Supreme Court’s ruling on litigation funding agreements cause havoc for litigation funders?
    August 17, 2023
  • US Threats of a ‘Te(ch)xodus’ from the UK?
    August 17, 2023
  • Smoother Sailing for EU-US Data Transfers after GDPR Adequacy Decision
    August 4, 2023
  • Unlocking Data Flows: EU-US Data Privacy Framework Receives Adequacy Decision
    July 13, 2023
  • UK’s World Leading Approach on Artificial Intelligence – White Paper outlines 5 guideline principles for responsible use of AI
    July 5, 2023

The Preiskel Blog

  • CMA AI Report: The Foundation of the UK’s AI Response 21 Sep 2023
  • Navigating Health Data Compliance: A Roadmap for Employers 21 Sep 2023
  • Transatlantic convergence? Recent cases on advertising and privacy from the USA and UK 15 Sep 2023
  • Practical Guide – Net Neutrality in the UK 14 Sep 2023

Preiskel news

  • Practical Guide – Net Neutrality in the UK
  • Danny Preiskel featured in GCCM Magazine (June/July 2023 issue 55)  
  • Danny Preiskel moderating a panel at the MEF Connects – The Future of Fraud Prevention event (5th September 2023, hybrid)
  • Preiskel & Co advised TMT Analysis on the acquisition of Phronesis Technologies
Preiskel & Co LLP
4 King's Bench Walk,
Temple,
London
EC4Y 7DL
United Kingdom

Tel: +44 20 7332 5640
Email: info@preiskel.com

Find us on:

TwitterLinkedinMail
© Preiskel & Co LLP 2023 | Site map | Legal notices | Cookie Policy | Privacy