The Court of Justice of the European Union (“CJEU”) recently provided further guidance on what constitutes personal data for the purpose of EU law. The CJEU ruled in the joined cases of YS, M, and S v Minister for Immigratie, Integratie en Asiel that the legal analysis contained in an internal document as part of an internal process is not personal data. The decision came following a request for a preliminary ruling by the Dutch courts. The decision is also notable as it clarifies the form in which personal data may be provided to a person pursuant to a subject access request.
This case involved applications from third country nationals for residency in the Netherlands. Applications of this kind are made to the Dutch Immigration and Naturalisation Service (“INS”). In this instance, individual applications for lawful residence were made by YS, M and S. Both M and S were granted residence permits. However, YS’ application failed and was ultimately rejected.
The Decision Making Process
When the INS processes these applications, the application is initially reviewed by a case officer. As part of the internal process, the case officer completes an internal administrative document in which s/he outlines the reasons for a particular decision or draft decision. This document is referred to as “the minute”.
The minute generally contains a variety of information including data relating to the applicant, details of the statements made by the applicant and the documents submitted in the application. It also contains an assessment of this information in the light of the relevant legal provisions (the “legal analysis”). The length of the legal analysis can range from a few sentences to a few pages. The case officer addresses the credibility of the statements made by the applicant and outlines why s/he thinks that the application should succeed or not. It may otherwise be as concise as a reference to the application of a particular line of policy.
Subject Access Request
YS requested the minute in respect of his residency application. On the basis of recent policy, the Minister for Immigration, Integration and Asylum (the “Minister”) refused to disclose the minute itself, but did disclose a document containing a summary of the data. YS brought the matter before the District Court, which stayed the proceedings and referred questions to the CJEU. In essence, the questions concerned whether certain data in the minute constituted personal data of the data subject, whether the legal analysis also constituted personal data and the manner in which data could be provided in response to an access request.
Decision of the CJEU: ‘Personal Data’
The CJEU first addressed the basic information relating to the applicant recorded in the minute (e.g. the applicant’s name, date of birth and nationality). The CJEU found that there was no doubt that such information constituted information relating to an identified natural person and was consequently personal data.
In relation to the legal analysis, however, the CJEU determined that while it may contain personal data, it is not in itself personal data. The CJEU stated that, at most, the information contained in the legal analysis (beyond pure legal interpretation) amounted to information about the assessment and application of that law by the decision-making authority. In other words, the information concerned the internal decision-making procedure of the authority; it did not concern the applicant.
In coming to this conclusion, the CJEU looked to the purpose of the Data Protection Directive: the protection of the fundamental rights of natural persons – in particular, the right to privacy. This right was put in place to protect a data subject’s entitlement to ensure that personal data relating to him/her were correct and lawfully processed. The CJEU clarified the right to access as being necessary, amongst other things, to allow the subject to access the relevant data and request that it be corrected, erased or blocked. The CJEU found that this objective would not be served by extending the right of access to the legal analysis.
Decision of the CJEU: Material Form of the Data
The CJEU then turned to the issue of the form of the data provided to the applicant and looked once again to the purpose of the right of access from the perspective of fundamental rights. The CJEU was satisfied that this purpose would be fulfilled where the data was provided in the form of a full and comprehensive summary. It said this summary would be sufficient to allow the applicant to check that the data were accurate and lawfully processed.
From a data controller’s perspective, the CJEU’s decision further clarifies what constitutes personal data at European law. The case highlights that while the definition of personal data may appear broad, it does have limitations – not all records concerning a subject are required to be released under a subject access request. This may provide room to manoeuvre when responding to an access request.
The decision also helpfully clarifies that the CJEU considers it sufficient to provide a full summary of the relevant data in an intelligible form. This means that provided proper access is granted to the personal data, controllers may no longer be required to provide redacted copies of original documents.