Personal data or non-personal data, that is the question! The different interpretations of ECJ and Italian Supreme Court

When we deal with data protection, the identification of the boundaries of the definition of personal data is the first milestone: if data are to be considered as personal data, then privacy law is applicable; If data do not fall under this category, then privacy law is not applicable.

About this critical point, in the very same days, at European level and at Italian level, the respective Supreme Courts have provided two interpretations not easy to harmonize.

On 18^th October 2016, in Patrick Breyer v. Bundesrepublik Deutschland, the European Court of Justice (“ECJ”) ruled[1] that dynamic IP address registered by an online media services provider when a person accesses a website that the provider makes accessible to the public constitutes personal data within the meaning of that provision, in relation to that provider, where the latter has the legal means which enable it to identify the data subject with additional data which the internet service provider (“ISP”) has about that person.

According to Article 2(a) of the Directive 95/46, “personal data' shall mean any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity”.

The triggering point is when a data subject can be held as identifiable and, in particular, what indirect identification means. In this respect, the interpretation offered by the ECJ appears very broad.

In deed, although a dynamic IP address is per se not sufficient to identify the data subject, the ECJ held that such a piece of information has to be treated as personal data provided that the missing pieces of the puzzle can be collected also by other sources, such as ISPs.

The ECJ held that the possibility to combine a dynamic IP address with additional data collected by the ISP falls within the concept of means which might likely be used to identify the data subject. In deed, in case of a cyber-attack, the provider of a website could contact the competent authority in order to obtain the missing information from the ISP.

The decision seems aligned with a trend aimed at expanding the concept of personal data.

It is rather peculiar, thus, that, on 13^rd October 2016 (only five days before the ruling of the ECJ), the Italian Supreme Court issued a decision[2] oriented in the opposite direction, interpreting the meaning of “indirect identification” in a very narrow way.

In deed, according to the Italian Supreme Court, in some circumstances, even information such as name and surname can be not sufficient to make the data subjects identifiable.

The case at issue was related to the publishing on the official website of a local authority of two resolutions mentioning information regarding three citizens, involved in two different accidents, including the relevant names and surnames.

The data subjects held that, making available such information to the public, the local authority breached their right to privacy and, therefore, they filed an action for damages against such authority.

In this respect, the Italian Supreme Court provided a quite surprising interpretation of the concept of personal data, concluding that name and surname of an individual are not sufficient elements to identify the data subject. In deed, according to the Supreme Court, only through the association of these data with other information (e.g. date and place of birth, tax code, etc.), a sure identification of the data subject is possible; considering also the population of the municipality at issue (about 83,000 inhabitants). And, consequently, a secure method of identification would have required too many investments in terms of researches, also through databases of third parties, and, therefore, a totally disproportionate effort in respect to the possible interests of the public to identify three citizens involved in two insignificant accidents.

It goes without saying that such a decision seems not in line with the mentioned position of the ECJ, as well as with prior decisions of the Italian Data Protection Authority, with regard to what is the meaning of “means likely reasonably to be used to identify the data subject”.

Although the decision of an Italian judge, including the decisions of the Italian Supreme Court, are not binding precedents for the Italian courts, in any case, it is an authoritative decision of the Italian supreme judge and, therefore, the relevant principles could be held in consideration also in future judgments.

Interesting days for the privacy professionals in Italy.