The CJEU has recently published the Advocate General Opinion in case C-319/22 (“Gesamtverband Autoteile-Handel”), which clarifies that the preferred CJEU test for personal data still stands when assessing Vehicle Identification Numbers (“VINs”), rather than VINs being automatically personal data. The details of this test, and its application to VINs, are described further below.
Furthermore, the Advocate General proposed that Regulation 2018/858, which compels OEMs to share certain information with independent operators (such as manufacturers of spare parts), constitutes a sufficient legal requirement to permit the sharing of personal data (whenever the data to be shared under it is deemed to be personal data) in compliance with Regulation 2018/858, under the legal obligation basis in Art. 6(1)(c) of the GDPR.
VINs as Personal Data
The CJEU Tests for Personal Data
Under the GDPR definition, personal data is information which relates to an identified or identifiable natural person.
CJEU case law has typically broken this down into two tests, i.e.
- whether there is an identified or identifiable natural person (CJEU case: Breyer), and
- whether the data relates to that natural person (CJEU case: Nowak).
The second test as to whether data relates to the natural person centers on whether it is linked to that person by reason of its “content, purpose or effect”. This is intentionally and knowingly a very low bar. Indeed, in the present case this aspect is glossed over entirely by the Advocate General; it is in effect conceded that if the VIN could be linked to a natural person, it does relate to that person.
The contemplated case instead focuses on the first test (i.e. whether a natural person is identified or identifiable from the VIN). For data such as VINs where the person involved is not immediately clear from the data by itself, Breyer established the need to assess the following 3 steps:
- What data is held by the controller or third parties which could be used to identify the natural people involved in the data;
- How this data could be combined to identify the natural person involved in the data; and
- Whether any methods identified are prohibited by law or practically impossible due to disproportionate effort in terms of time, cost and man-power, in such a way that the risk of identification is insignificant.
In Breyer, this 3-step test, and in particular the assessment of the viability of the methods in the third step, was applied from the perspective of the party seeking to consider the data anonymous. The mere fact that another party held the necessary information to de-anonymise the data does not (in itself) make data personal. However, in Breyer, the ability of the particular party to access that data held by the third party did make it personal. This has since been reinforced by the CJEU Case T-557/20 dated 26 April 2023, which explicitly notes that in analysing anonymisation one must put oneself in the position of the party seeking to find the data anonymous (as opposed to any other party which may hold re-identification keys).
The AG’s Opinion in the contemplated case
The previous consideration of VINs by the CJEU in the context of the GDPR occurred in Case C-175/20 (“Valsts ieņēmumu dienests”). In this past case, the CJEU had established that VINs were trivially personal data, with both the Advocate General and Judges adopting this stance with no further examination.
However, this inference is called into question by the Advocate General in the present case, who notes that the previous CJEU decision concerned VINs in the hands of a state body which would clearly have means accessible to it to link that VIN to a particular person. The Advocate General notes that in other situations the two tests (the Breyer test being the most important one here) should be considered: the OEM should assess whether the VIN is personal data in its own hands and, when disclosing it to an independent operator, whether that independent operator has the means to link the VIN to a specific natural person.
These assessments should each be done on the basis of the 3 steps described above. This means that, for example, VINs relating to corporate vehicles may not constitute personal data if they can only be linked to the corporate owner rather than to any natural person. Furthermore, in disclosing the data to an independent operator, whether the data is personal should be considered from the perspective of the information available to that independent operator. Therefore, such an operator with access to a registration certificate (including both the VIN and a natural person as the owner) is likely to find the data to be personal in their hands.
Legal Basis for Sharing VINs
After noting that VINs could be personal data in some situations (but not always), the Advocate General then turns to whether Regulation 2018/858 could enable the sharing of such VINs with independent operators in compliance with the GDPR. The key question was whether the requirement in Regulation 2018/858 satisfied the test for being a “legal obligation”, such as to satisfy the requirements to be a legal basis in Art. 6(1)(c) of the GDPR.
In this regard, the Advocate General notes that the requirements set out by Regulation 2018/858 satisfy the test for being a legal basis under the GDPR. Specifically, the Advocate General recognised that the basis and purpose of the processing were laid out in Article 61 of Regulation 2018/858, and that these were in line with the objective in the public interest of improving the functioning of the EU internal market, and the requirement to share this data was considered to be proportionate to that aim.
The Advocate General's opinion, though not binding on the CJEU, carries considerable weight because the CJEU often follows such opinions. Do therefore add this CJEU case to your case law tracker to see whether or not the court follows the reading of the Advocate General in the coming months.