OC – CJEU Judgment (European Union, 2024)

This is an appeal of the earlier case [https://gdprhub.eu/index.php?title=CJEU_-_T%E2%80%91384/20_-_OC_v_European_Commission T‑384/20 - OC v European Commission.] The claimant (OC) appealed the general court’s decision on three grounds. That the General Court had legally misinterpreted the definition of personal data and had failed to observe proper administrative procedures when making its judgement (right to a presumption of innocence and the right to good administration under the Charter of Fundamental Rights). On the concept of personal data, the claimant argued that the general court had legally misinterpreted the concept of an ‘identifiable natural person’. They used two points to make this argument: 1) Identifiability is not tied to whether an “average reader” can identify you. The case law states that identifiability depends on whether an individual holds ‘additional factors...necessary for identification... [these factors] can be available to a person other than the controller’ (see C-582/14 at para 39 and 41). The General Court’s use of an average reader does not analyse the factors that the specific reader in the case holds. Thus, contrary to the case law, it does not test whether a person has the additional factors needed for identification. The General Court’s novel use of this test was therefore erroneous. 2) The General Court had erred in arguing that the ‘means reasonably likely’ to be used to identify a data subject (recital 26 GDPR and recital 16 EUDPR) was limited. Rather, the court should have looked at the costs and time required for the identification of the claimant to determine whether the claimant could be identified using ‘reasonable means’. This would be in line with what recital 25 GDPR actually states. The Court held that the General Court had made several errors of law and that the first ground of appeal must be upheld. First, the Court noted that the EUDPR (Regulation 2018/1725) - the piece of legislation applicable at the ca