ECJ ruling on VIN and general aspects of the term 'personal data'

The consequences of the ECJ's decision in Case C-319/22 (also referred to as the ‘Scania case’) of November 9, 2023 will certainly be discussed in the data protection scene for a long time to come. It is already apparent that the judgment is making big waves in the automotive industry and related sectors, but also in the data protection community in general. However, it seems doubtful whether this is justified, or whether essentially the same aspects as before the decision must be taken into account when clarifying whether personal data exists. In the specific case dealt with by the ECJ, the Regional Court of Cologne will first have to decide whether the VIN is indeed personal data for vehicle manufacturers and independent operators. The ECJ ruling itself does not yet provide a direct and unambiguous answer.

The background

The Opinion of the Advocate General already indicated that the case, which is not primarily a data protection case, would inevitably lead to the clarification of data protection related aspects. The ECJ had to decide whether and, if so, under what circumstances a VIN constitutes personal data. In Germany, Section 45 Federal Road Traffic Act contains a provision according to which the VIN is a datum that enables a reference to an identified or identifiable natural person (in other words, to a data subject, so that the VIN is always personal data). For this reason and due to the views of the various data protection authorities, it has been assumed that a VIN always constitutes personal data. This seems to be the case not only in Germany. In his Opinion, however, the Advocate General argued that a VIN does not always have to be personal data, but can certainly be personal data. The ECJ has now decided and essentially agreed with the Advocate General's statements. This means that, in principle, there may also be a processing activity for which the VIN is not personal data.

Content of the decision

Below you will find a brief summary of the content of the ECJ decision, with an indication of the general topic and the relevant references.

Topic: Does the VIN as such always constitute personal data when looked at on its own?

Paragraph number(s): 46 and 49

Summary of content:

  • No, a VIN is an alphanumeric code that manufacturers assign to a vehicle to uniquely identify a vehicle; the purpose of the VIN is to identify the vehicle (i.e. an object) and not primarily to identify a human
  • As such, the VIN is not personal data, but it can nevertheless be personal data

Topic: Under what circumstances does a VIN relating primarily to a vehicle have a connection to a human?

Paragraph number(s): 47

Summary of content:

  • There can be a connection between a VIN and a human if, for example, a human is named in the registration documents
  • A holder or owner or other person in possession of a vehicle on the basis of a legal title must, just like the VIN, be indicated in the registration documents; the VIN and the person named in the documents then have a connection with each other ("vehicle with VIN XYZ belongs to person A")
  • The VIN of a vehicle is comparable to the device ID of a telephone; both relate primarily to an object and not to a human being, although there can still be an additional connection to a human

Topic: Under what circumstances is a VIN personal data?

Paragraph number(s): 45 to 49

Summary of content:

  • A VIN is personal data if it relates to an identified or identifiable natural person who is indicated in the vehicle documents together with the VIN
  • A natural person is considered identifiable if either a controller or a third party has means that could reasonably be used to identify the natural person
  • “Identify” means that a controller or a third party has means that could reasonably be used to directly or indirectly associate the VIN with an identified or identifiable natural person
  • A VIN can in some cases be linked to a natural person who is named in the vehicle documents, or can otherwise be used as a criterion assigned to a natural person, and is then personal data

Topic: Can the VIN be personal data even if the one using the VIN does not have the means and information to identify a natural person?

Paragraph number(s): 45 to 49

Summary of content:

  • Yes, the VIN can be personal data for someone even if the party itself does not have the means and information to identify a natural person
  • For a vehicle manufacturer, a VIN is also personal data if an independent operator who receives the VIN from the manufacturer reasonably has the means to assign the VIN to a natural person; it is not necessary that the manufacturer itself has the means and information and that the VIN itself is personal data for the manufacturer
  • It is not necessary for all information required for direct or indirect identification (here: more information than just the VIN itself) to be in the hands of one and the same party
  • If a manufacturer does not have the means and information necessary for identification, the VIN is nevertheless indirectly a personal datum for such a manufacturer if the independent operator who receives the VIN from the manufacturer has such means and information
  • In practice, this leads to the following result, illustrated by an example: an entity "A" cannot itself identify a natural person with the data it uses. This entity passes this data on to the independent controller (as in the case decided by the ECJ) or processor or joint controller "B". B has the information and means to make a direct or indirect identification of a natural person. Therefore, the data passed on by A to B also becomes personal data for A.

Topic: What role does it play if the name of a legal entity named in the vehicle documents also contains the name of a natural person (e.g. Peter Müller GmbH)?

Paragraph number(s): 49 and other related ECJ case law

Summary of content:

  • If no natural person is mentioned in the vehicle documents at all, the VIN cannot relate to a natural person; the VIN then only relates to a legal entity named in the documents and as such is not personal data within the meaning of Art. 4 No. 1 GDPR
  • However, if the name of the legal entity mentioned in the vehicle documents contains the name of a natural person (e.g. Peter Müller GmbH), then, in accordance with the case law of the ECJ, the information on the legal entity is at the same time also information about a natural person; see paragraph numbers 53 and 54 here: “legal persons can claim the protection of Articles 7 and 8 of the Charter in relation to such identification only in so far as the official title of the legal person identifies one or more natural persons. That is the case with the applicant in the main proceedings in Case C-92/09. The official title of the partnership in question directly identifies natural persons who are its partners.”
  • If the name of a legal entity indicated in the vehicle documents also contains the name of a natural person, the VIN can still be personal data, even though a legal entity is indicated in the vehicle documents
  • If only a legal entity is mentioned in the documents and its name does not contain the name of a natural person, then the VIN is generally not personal data

Topic: When can a VIN not be personal data even though a natural person is named in the vehicle documents?

Paragraph number(s): 46 to 49

Summary of content:

  • If a natural person is named in the vehicle documents, but neither the controller nor a third party can reasonably be expected to have the means and information for direct or indirect identification, then the VIN is not personal data either

Topic: What about the provision in Section 45 Sentence 2 of the German Federal Road Traffic Act?

Paragraph number(s): 45 to 49

Summary of content:

  • Because Section 45 Sentence 2 leaves no room for the assumption that personal data does not exist in individual cases, the provision is in violation of EU law
  • Because Section 45 Sentence 2 defines certain information in general terms as personal data, although Art. 4 No. 1 GDPR contains a final definition of personal data, the German provision is in violation of EU law

Is everything now clear about determining what constitutes personal data?

The answer is clearly "no". On the one hand, the Regional Court of Cologne has yet to decide whether “independent operators may reasonably have at their disposal the means enabling them to link a VIN to an identified or identifiable natural person” (see paragraph 49 of the judgment). On the other hand, it is clearly noticeable at key points in the judgment that the judges at the ECJ had a hard time answering the questions referred to the court. There is no clear and easily understandable statement in the judgment as to whether personal data is always personal data for everyone or can also be personal data only for some. It is clear that third parties must be considered, while it is still unclear exactly which third parties must be taken into account when examining identifiability.

The statements in paragraph 46 suggest that the assessment is made exclusively from the point of view of the individual party and that information available and accessible only to third parties is not relevant. The VIN as such is not personal data, but it becomes personal data “as regards someone who reasonably has means enabling that datum to be associated with a specific person.” This could at first be understood to mean that personal data exists only for a party that can itself associate information with a specific natural person and has access to this information. Paragraph 48 of the judgment also says: “In those circumstances, the VIN constitutes personal data (…) in so far as the person who has access to it may have means enabling him to use it to identify (…).”

However, an understanding under which the existence of “personal data” is assessed purely from the individual perspective of individual parties does not really fit with the findings in the decisive paragraph 49. There the Court assumes that the VIN in itself is not a personal datum for the vehicle manufacturer, especially not if the vehicle to which it has been assigned does not belong to a natural person. But at the same time the ECJ decided that even in such a case the VIN is personal data “indirectly, for the vehicle manufacturers making it available”, as long as this is true for the independent operators. The ECJ assumes that if identification of a natural person is possible for the independent operators, because they “may reasonably have at their disposal the means enabling them to link a VIN to an identified or identifiable natural person”, the same is true for manufacturers. And in such a case, the VIN is still personal data for manufacturers, “even if the VIN is not, in itself, personal data for them.”

The ECJ ruling must therefore be understood to mean that it does not depend on the purely individual perspective of a single party and not exclusively on the means and information available to that party. Rather, the ECJ confirmed its old case law in paragraph 45: “To determine whether a natural person is identifiable, directly or indirectly, account should be taken of all the means likely reasonably to be used either by the controller (…) or by any other person, to identify that person”. It therefore also depends on the means of identification that could not be used by the controller, but only by a third party, and not only on the means used individually by a particular party. The court is not “requiring that all the information enabling that person to be identified should be in the hands of a single entity.”

If an entity "A" itself does not have the means of identification, and information such as the VIN is not in itself personal data, then the information can still be personal data because of the means and information available to entity "B".

Outlook

In the new decision, the ECJ has unfortunately not expressed itself very clearly at the decisive points. In any case, it is clear that an isolated and purely individual consideration of the means and information available to an individual player is not in line with the ECJ ruling, although such tendencies are slightly recognizable in paragraphs 46 and 48 (especially in the German version of the judgment). At the same time, it is also clear that a VIN does not always have to be personal data. In particular, it remains to be clarified which third parties are to be included in the circle whose means and information have an influence on whether information is personal data for someone else. In the case decided by the ECJ, independent operators are ultimately to receive the VIN from the manufacturer, and it is rather evident that in the case of a direct data exchange with a third party, the means and information of the third party should also be considered. The case might have to be assessed differently if there was no relationship and no data exchange between the controller and the third party. But this is still completely unclear after the judgment.

A decision by the General Court on personal data and pseudonymization was seen by some in the data protection scene as a change of direction in the determination of what constitutes personal data. This case will be reviewed by the ECJ in the future. Maybe the ECJ will take the opportunity there to find clearer words that are useful in practice when the question of the existence of personal data needs to be clarified in individual cases.

 

 

Business Lawyer, Counsel
Philipp Quiel, LL.M.