Whatever happens with the Digital Omnibus (and as regards Article 4 GDPR it already seems quite clear that nothing is going to happen) we will have to live with the SRB Scania doctrine (the subjective interpretation of the concept of “personal data”).
In other words, we must get used to the idea of living with uncertainty.
Nothing new in a field as contextual as the protection of personal data.
From here on, I don´t mean to give lessons on how to do so.
I can only share how I do it myself: by reading and applying the SRB / Scania doctrine in the following way:
• Starting with the outcome: for a third party’s access to your pseudonymized dataset to be effectively exempt from the GDPR, the risk of re-identification of the data subjects must be insignificant.
• That outcome must be assessed from the perspective of the “content, purpose and effects” of that third party processing.
This approach substantially clarifies and simplifies, in my opinion, the analysis of each case.
Today we will apply this approach to a real case, in which another of the key indeterminate concepts from Scania is also present: How far does the concept of singling out extend? Is singling out the same as identifying?
This post is a kind of reflection following this exchange with Peter Craddock and Mark Leiser.
You’re reading ZERO PARTY DATA. The newsletter on current affairs, technopolies, and law by Jorge García Herrero and Darío López Rincón.
In the spare moments this newsletter leaves us, we specialize in solving complicated stuff in personal data protection. If you have one of those, give us a little wave. Or contact us by email at jgh(at)jorgegarciaherrero.com
Thanks for reading Zero Party Data! Sign up!
The Criteo judgment of the French Conseil d’État
In the Criteo decision it is emphasized that “the sanctioned party admitted that the identification of certain individuals was not technically impossible”.
Moreover, the crucial paragraph in Criteo ends with an interesting final statement: that Criteo cannot “usefully” invoke that such identification “would be of no interest to it”.
Checkmate.
I interpret this final remark in two ways:
• In adtech, scale and massive correlation capacity explain why de facto mere singling-out is equated with identification.
• As its very name indicates, the more personalized is (the more it is individualized), the better “personalized advertising” sells. The industry does not care about knowing people’s civil identity, but it has every incentive to individualize them at a granular level.
And as the Conseil d’État says: no, Criteo, don´t even think of denying it.
Singling-out versus indirect identifiability
Craddock criticizes that the recognition of identifiability in Criteo was partial, that no investigation was conducted into what percentage of the dataset was identifiable or not, and that the ruling and sanction are issued as a whole.
From my point of view, if the purpose of Criteo’s processing is to personalize the advertising delivered to the data subject, and that purpose is achieved, producing the desired effect, it is evident that processing of data protected by the GDPR has taken place: Criteo does not know the “civil identity” of each data subject, and it does not bloody need to in order to fulfill its purpose.
In the IAB Europe judgment, the CJEU dispatches the issue of the controller’s capacity to single out recipients in a single paragraph: paragraph 45.
Essentially: if the TC string linked to other additional information (IP address, cookies or whatever persistent identifier it may be) makes it possible to identify the data subject, then the TC string is personal data.
In short, the CJEU declared that the TC String together with the identifiers linked by the partners included in the TCF served to fulfill the purpose of the processing: personalizing the advertising with which the data subjects are targeted.
Peter Craddock insists that it has “never been declared that singling out is equivalent to identification”. Well, the context was so clear that it did not need to be said.
Not in vain does the concept and the specific wording of Recital 30 of the GDPR originate from this industry.
It is understandable that the CJEU avoids all-encompassing declarations that affect the entire industry and all companies.
We all know companies that promote ethical formulas and mechanisms in this field.
Companies that are not, needless to say, IAB or Criteo.
Incentives
Let us retain that final remark regarding Criteo’s “interest”: the Conseil d’État has brought to the forefront an important interpretative element that is here to stay: the incentives of the organization.
Particularly important are the incentives of the controller who intends to access the pseudonymized dataset, when assessing whether or not the SRB / Scania doctrine applies.
Someone might also say that the CJEU has never explicitly referred to incentives, but the concept is inherent in the purpose of the processing: if a recipient “X” has incentives to re-identify the data subject and reasonable means to achieve it, from my point of view one must treat with great caution — in the specific case of “X” — the element of “legal prohibition” as a silver bullet for simply considering the SRB Scania doctrine applicable.
Especially if the sanctioning track record of “X” (or of the industry in which it operates) is particularly sad and discouraging from the point of view of personal data protection.
Accountability vs responsibility gaps
Ultimately, it is accountability that portrays the actors in the market.
Meta, IAB, Criteo, Google are the usual suspects repeatedly sanctioned in different countries, on different continents and in different legal disciplines.
Accountability means compliance, but above all demonstrating compliance.
And trying to turn this concept upside down, pretending that it should be the authorities who must demonstrate whether IAB or Criteo can or cannot identify all or only some of the data subjects — and not the other way around — may seem an effective trick, but a cheap one when observed up close.
This trick is always the same:
Argumentatively: (i) focusing on the part instead of the whole and/or (ii) insisting on the fragmentation of information to avoid responsibilities (“it is not data”, “it is not processing”, “the GDPR does not apply”).
However, the CJEU has repeatedly dismantled these arguments in matters of joint controllership (yes: you are jointly responsible even if you do not have direct access to the personal data), the right to be forgotten (it is not necessary that the news sought to be de-indexed identify the data subject by name and surname), and privacy by design (Russmedia was not held liable for a mere third-party publication, but for its very design of the service).
Gaps
And I can't stop remembering those gaps, when I read that datasets coming from adtech and sold by data brokers were used to identify those who visited Epstein's island already in 2024, to identify more than twelve million Germans, including especially sensitive officials, so that the famous U.S. ICE knows who has flown where, or to more effectively detain its targets.
While the data stream keeps flowing, all that remains is to argue that the CJEU has not said exactly this or that thing.
But it is the finger pointing at the sky.
Well, enough metaphors for today.
Jorge García Herrero
Lawyer and Data Protection Officer