Decoding Data? ECJ’s verdict on Vehicle Identification Numbers as personal data

The ECJ on vehicle identification numbers as personal data:

In case C-319/22, the European Court of Justice (“ECJ”) ruled that the vehicle identification number ("VIN") (i) as such is not personal data but (ii) it becomes personal data as regards someone who “reasonably” has means enabling that datum to be associated with a specific person.

This follows the case law of the ECJ that it is often not possible to make a general statement as to whether information is personal data, but rather the circumstances of the specific case must be considered. In its judgment, the ECJ again avoids clearly specifying questions of practical relevance, in particular when the means are "reasonably” likely to be used to identify a data subject.

Subject of the proceedings

For the definition of the identifiability of a person, the ECJ repeatedly refers back to its case law on the Breyer case and points out that for the question of identifiability:

"account shall be taken of all the means likely reasonably to be used either by the controller, […] or by any other person, to identify that person, without, however, requiring that all the information enabling that person to be identified should be in the hands of a single entity".

This is also in line with Recital 26 of the General Data Protection Regulation (“GDPR”). The Court therefore agrees with the Advocate General's view that although the VIN:

"as such, is not 'personal'", it "becomes personal as regards someone who reasonably has means enabling that datum to be associated with a specific person".

The background to this is also that the Advocate General describes the VIN as a mere "alphanumeric code" in principle, which the manufacturer assigns to a vehicle and which, strictly speaking, only serves to properly identify the vehicle. By its nature, the VIN is therefore actually a datum “ad rem” but not “ad personam”; however, the Advocate General and the ECJ also note that registration certificates must contain information such as the VIN, name and address of the holder of the registration certificate.

Therefore, the VIN constitutes personal data "of the natural person referred to in that certificate", provided that "the person who has access to it may have means enabling him to use it to identify the owner of the vehicle to which it relates or the person who may use that vehicle on a legal basis other than that of owner". The ECJ also states that the VIN as such does not constitute personal data for vehicle manufacturers if the vehicle to which the VIN has been assigned does not belong to a natural person. However, the ECJ does not exclude that even in these cases the VIN can constitute personal data if the VIN is combined with other data.

For this specific case, the ECJ leaves it to the referring court to assess whether "independent operators may reasonably have at their disposal the means enabling them to link a VIN to an identified or identifiable natural person", i.e., whether the VIN is personal data.

Further decisions of the ECJ in the judgment (C-319/22)

In addition to the issue of the VIN as personal data, the ECJ also ruled on access to vehicle data in accordance with Art. 61 Regulation 2018/858:

1. The obligation under the second sentence of Art. 61(1) of Regulation 2018/858 to present the information referred to therein in an easily accessible manner, in the form of machine-readable and electronically processable data sets applies to all “vehicle repair and maintenance information" (within the meaning of point 48 of Art. 3 of Regulation 2018/858) and is not limited to spare parts information (within the meaning of point 6.1 of Annex X No. 6.1 to that regulation).
   
   
2. According to the second sentence of Art. 61(1) and the second subparagraph of Art. 61(2) of Regulation 2018/858, vehicle manufacturers are required to provide vehicle repair and maintenance information to independent operators in files whose format is used for direct electronic processing of the data records contained in these files; in conjunction with Art. 61(4) and the third subparagraph of point 6.1 of Annex X of Regulation 2018/858, they are also required to set up a database that makes it possible to search for all original parts of the vehicle on the basis of the VIN and other additional means provided for in the aforementioned provision.
   
   
3. Art. 61(1) in conjunction with Art. 61(4) and with point 6.1 of Annex X of Regulation 2018/858 establishes a "legal obligation" (within the meaning of Art. 6(1)(c) GDPR) on car manufacturers to provide the VIN of the vehicles they manufacture to independent operators as "controllers" within the meaning of Art. 4(7) GDPR.

Evaluation and practical relevance

Unfortunately, the ECJ misses the opportunity to provide clarity on practical issues:

• Means “reasonably” likely to be used to identify the data subject: In particular, the ECJ leaves open the key question of when means are “reasonably” likely to be used to identify a data subject and leaves this assessment to the referring court. Recital 26 of the GDPR provides more details than the ECJ decision itself, by requiring the taking into account of “all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments”. However, the assessment criteria for the term "reasonably” remain unclear (e.g., does it mean "theoretically possible" or "practically probable"?). In this respect, the decision does not really go beyond what the ECJ had already decided in similar cases (such as ECJ case C-175/20 and ECJ case C-582/14 (Breyer)). In Breyer, the ECJ considered third party information "likely reasonably to be used to identify" the data subject to be sufficient to establish the presence of personal data, and also denied personal data "if the identification of the data subject was prohibited by law or practically impossible on account of the fact that it requires a disproportionate effort in terms of time, cost and man-power, so that the risk of identification appears in reality to be insignificant".
• Perspective: The ECJ does again not clearly state whether the assessment as to whether personal data is at hand must be (solely) undertaken from the perspective of the party that holds the data (“relative approach”) or also from the perspective of third parties (“objective approach”). It states that data “becomes personal data as regards someone who reasonably has means” but also that “account should be taken of all the means likely reasonably to be used either by the controller […] or by any other person, to identify that person”. This can be interpreted in different ways (though it can be argued that the court takes a more relative view in this case).

In practice, it should also be noted that the VIN is rarely available in isolation and is often processed in conjunction with other data that can already allow identification independently of the VIN (e.g., in the case of user accounts for connected car applications). In any event, in such cases, in practice the VIN very easily becomes personal data, at least for the party processing the additional information (e.g., in connection with a connected car application).

Also, it appears likely that data protection authorities with their intention to broadly protect data subjects will continue to interpret personal data, broadly, i.e., they might apply rather low thresholds for the presence of “reasonably” likely means to identify the data subject (as they also did after the Breyer case).

Many questions therefore remain open, and this will certainly not be the last decision by the ECJ on the definition of personal data.