New developments on the GDPR definition of "personal data": Swedish DPA decides against new case from the CJEU in 4 recent decisions on Google Analytics

On 30 June 2023, the Swedish Data Protection authority Integritetskyddsmyndigheten ("IMY") published four decisions^[1] (the "GA-decisions") assessing whether the companies who were subject to the review (1) had transferred personal data to a third country when using Google Analytics, and if so (2) whether these transfers were compliant with Chapter V of the GDPR.

To answer these questions, IMY first had to determine whether the information in question constituted "personal data" under the GDPR. IMY found that it did, but the legal reasoning behind this conclusion is somewhat surprising, in light of The Court of Justice of the European Union (“CJEU”) ruling on 26 April 2023, in the case of Single Resolution Board (“SRB”), T 557/20, ECLI:EU:T:2023:219. As some of our readers may recall, we commented on this case in Schjødt's Technology Update in June this year. You can read that article here.

In short, “personal data” is defined in GDPR Article 4(1) as “any information relating to an identified or identifiable natural person”. Data which does not meet these criteria falls outside the scope of the GDPR. As in SRB, an important issue in the GA-decisions by IMY was whether the natural persons in question were identifiable.

The CJEU (General Court) clarified in SRB that a supervisory authority cannot conclude that de-identified information shared with a third party relates to an identifiable natural person, without first investigating whether the third-party has legal means available to it which could in practice enable it to access the additional information necessary to re-identify the natural persons it relates to (see SRB paragraph 105).

However, IMY reasoned in the GA-decisions – contrary to SRB – that it is not necessary to show that a third-party has legal means to re-identify the natural persons which certain information relates to. According to IMY, this is because such an interpretation of the term "personal data" would mean a significant limitation of the protective scope of the GDPR, and would provide for opportunities to circumvent this scope.^[2] In effect, IMY says that a third party can be presumed to have the necessary legal means to re-identify the natural person.

Although SRB has now been appealed (C-413/23 P), we note that the General Court drew its aforementioned conclusions in SRB in light of the case law established in judgment of 19 October 2016, Breyer (C-582/14, EU:C:2016:779), which is also cited by IMY in the GA-decisions. Considering these opposite conclusions by the General Court and IMY are drawn from the same case, there will hopefully be no doubt, when SRB in finally decided, as to how to answer the very fundamental question of when a natural person should be considered identifiable.

Schjødt will be monitoring any further developments closely, both in SRB and the GA-decision against Tele 2 Sverige AB (dnr DI-2020-11373) which has been appealed to the Administrative Court of Stockholm (14339-23).

<sup>[1] Integritetskyddsmyndighetens decisions 2023-06-30, dnr DI-2020-11373 (Tele 2 Sverige AB "Tele 2"); dnr DI-2020-11397 (CDON AB "CDON"); dnr DI-2020-11368 (Coop Sverige AB "Coop"); dnr DI-2020-11370 (Dagens Industri Aktiebolag "Dagens Industri").

[2] See Tele 2, page 12; CDON, page 13; Coop, page 14; Dagens Industri, page 17.</sup>