European Commission – CJEU Judgment (European Union, 2025)
CJEU judgment — not a DPA enforcement action
This is a Court of Justice ruling, not an enforcement action by a data protection authority. It is not included in cookie statistics or the Risk Calculator.
The Court of Justice of the European Union ruled that a press release from the European Commission could identify an academic researcher, which could harm their reputation. This matters because it reinforces that even seemingly anonymous information can lead to identification, impacting how organizations handle sensitive data.
What happened
The court found that a press release published by the European Commission contained information that could identify a researcher.
Who was affected
The academic researcher who was the subject of the press release was affected.
What the authority found
The Court ruled that the General Court misinterpreted the rules regarding personal data, stating that the information in the press release allowed for the researcher to be identifiable.
Why this matters
This case sets a precedent for how organizations must consider the potential for identification in their communications. It reminds all entities to be cautious about sharing information that could lead to someone's identification.
National Law Articles
An academic researcher (the data subject) received EU funding for a project. The European Commission was initially a party to the funding agreement, but was later replaced by the European Research Council Executive Agency (ERCEA). The ERCEA later carried out a financial audit and informed the European Anti-Fraud Office (OLAF) of the results. OLAF alleged that the data subject had fraudulently claimed part of the funding for personal expenses, and published a press release on its website. The data subject brought an action to the General Court, requesting compensation from the Commission for the damage caused by the press release. The General Court dismissed the action, and stated that there was no violation of the data subject’s rights. According to the General Court, whether the data subject is identifiable depends on the ‘means reasonably likely to be used’ to identify the applicant as well as whether the ‘average or likely reader’ of said press release would be able to identify them. The General Court did not take into account the journalist that identified the data subject, as it did not fall under the definition of "average reader"See: GC - T‑384/20 - OC v Commission. The data subject appealed the decision to the CJEU. The CJEU held that the General Court had misinterpreted the EUDPR and GDPR; the CJEU dismissed the General Court’s reasoning of the “average reader”, and stated that the information in the press release (such as the data subject’s gender, nationality, grant amount and father’s occupation) allow the data subject to be identifiable.See CJEU - C‑479/22 P - OC v Commission The CJEU referred the case back to the General Court. The Commission argued that the press release is anonymous, does not disclose any personal data of the data subject and does not contain inaccurate data. Therefore, the press release cannot cause the data subject any harm. The Court first clarified that there are three cumulative conditions for the EU to incur non-contractua
Outcome
CJEU Judgment
A judgment by the Court of Justice of the European Union, typically on a preliminary reference from a national court.
Related Cases (2)
Other cases involving European Commission in EU
CJEU Judgment
Details
Judgment Date
1 October 2025
Authority
Court of Justice of the European Union
GDPRhub ID
gdprhub-cjeu-9533About this data
Cite as: Cookie Fines. European Commission - European Union (2025). Retrieved from cookiefines.eu
Last updated: