Tracking is ubiquitous on the web: companies follow users across websites, collecting vast amounts of data to profile their behavior and target them with personalized ads. For these practices, which can have serious dangers and negative consequences for users, trackers typically don’t know users' real names, instead only assigning them unique identifiers. But are these IDs personal data under GDPR? We’ve explored this question by reviewing relevant sources, including EU case law, legal commentary, and recommendations and decisions from data protection authorities. While there is still debate as to whether IDs on their own constitute personal data, in the larger context of online tracking, there is a strong consensus that such data processing falls within the scope of the GDPR and poses significant risks to the fundamental rights and freedoms of natural persons.
Thousands of tracking companies worldwide constantly collect vast amounts of data on users on the web and on mobile and analyze intimate details about their lives. Based on this data, they try to predict users’ behaviours for example to target and influence users with ads and decide which products to display and at what price. They also claim to be able to assess companies’ risks to protect against spam, compute credit scores, or prevent fraud.1 Additionally, trackers build profiles on users, categorizing them into segments, sometimes based on highly sensitive inferences like health conditions, religious beliefs, sexual orientation, income level, and more. To give just a few examples, reporting has found segments such as heavy alcohol consumers, desire to lose weight, planning to adopt a child, diagnosis for leukemia low income without perspective, conservative values, and even visits to sexual abuse treatment centers. Trackers also score users on criteria like often influenced by ads, inexperienced credit card users, lone wolves, and getting a raw deal out of life to identify vulnerabilities.23 Trackers conduct large-scale experiments, systematically optimizing how to persuade, manipulate, and trigger users.4
Crucially, trackers don’t need to know users’ legal identities for any of this profiling. They collect and assign unique identifiers to track users, and share and link IDs among each other in order to more precisely follow users across websites and apps. For trackers, these IDs are often even more useful than legal names. After all, names are not unique whereas IDs are specifically designed to precisely identify a single user, device, or session. And supposedly anonymized datasets are rarely safe against re-identification.5
Given the enormous risks, it is important to regulate tracking activities. The question then becomes whether the processed information is personal data under the GDPR, even if the trackers don’t collect information on the users’ legal identities but only individualize them based on IDs. Otherwise, such processing would not be covered by the GDPR which, according to Art. 2(1) GDPR, only applies to personal data.
The dangers of restricting the concept of personal data to a person’s legal identity were recognized and articulated early on, long before the GDPR, for example in a 2004 report to Council of Europe’s T-PD Committee67:
[…] not treating the IP and the [GUID] as items of personal data would pose a problem in the light of the risks that the subsequent use of these data represent in terms of the profiling of the individual and, indeed, the possibility of contacting him or her. In this connection, there is evidence that, with the combination of web traffic surveillance tools, it is easy to identify the behaviour of a machine and, behind the machine, that of its user. In this way the individual’s personality is pieced together in order to attribute certain decisions to him or her. Without even enquiring about the “identity” of the individual – ie, his or her name and address – it is possible to categorise this person […] since the individual’s contact point (a computer) no longer necessarily requires the disclosure of his or her identity in the narrow sense. […] The definition of personal data should reflect this fact.
On the surface, the question of whether tracking data is covered by the GDPR should be easy to answer since the GDPR leads with a long list of definitions, with the first one unsurprisingly being for personal data in Art. 4(1) GDPR:
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
That is further explained in Recital 26 GDPR:
[…] To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments. […]
Note however how neither of these explains what it means for a person to be “identified”. They only explain what an “identifiable” person is, relying on a supposed understanding of the “identified“ criterion. In fact, there is no definition of what a controller needs to know for a person to be identified anywhere in the GDPR.8 Now, in many common cases, the meaning may be obvious. Often, the controller knows the data subject’s legal identity, usually through their name. In these cases, the data subject is obviously “identified” and any data relating to that identified person is personal data.
But what about when that’s not the case? As we’ve established above, in the case of tracking, users are typically assigned unique IDs but the controller usually doesn’t know their name or legal identity. Is the concerned data still personal data? And if so, is the user identified or identifiable? It all hinges on the definition of identification. Does the controller need to know the data subject’s legal identity or is it sufficient for them to be able to “single out” the data subject from everyone else, as Recital 26 GDPR alludes to? There are essentially three possible answers to these questions:
- Identification requires knowing a person’s legal identity. Data associated with an ID does not make the person identifiable unless there is additional data that links the ID to information about the person’s legal identity.
- Identification does not require knowing a person’s legal identity, being able to single them out is sufficient. As such, any ID that is uniquely assigned to a person is in and of itself sufficient for identification and thus constitutes personal data.
- Knowing a person’s legal identity is not necessary for information to be considered personal data. However, an ID that is uniquely assigned to a person is not sufficient to identify a person but only makes the person identifiable. (While this answer seems like the least likely based on the wording in Art. 4(1) GDPR, it is quite common. As both identification and identifiability are sufficient on their own to classify information as personal data under the GDPR, the distinction between this and number 1 is only of academic interest and holds little practical relevance.)
Even though these questions have been the subject of heavy legal debate for more than twenty years, long before there were even any plans for the GDPR, the text of the GDPR leaves them unanswered.9 But in the context of tracking, they are of crucial importance: Tracking-related data collection poses significant risks for individuals and can have severe negative consequences for them, all without tracking companies having any clue of their legal identity. If these cases were not covered by the GDPR, it would leave users unprotected against the harms of tracking and undermine the explicit goal of the GDPR to protect the fundamental rights and freedoms of natural persons. This could lead to a feeling of insecurity and cause chilling effects: people adapt their behavior if they know their activities may be tracked. They might hesitate to read about diseases, politics, or other topics that could affect their privacy or reputation.1011
Therefore, it is essential to clarify whether tracking data linked with cookie and fingerprinting IDs is personal data under the GDPR, and if so, under what conditions. In this article, we’ll examine these questions, doing a comprehensive review of relevant sources, including EU case law, legal commentary, and DPA recommendations and decisions. We’ll start by considering the question of whether IDs that are uniquely assigned to a person are personal data under the GDPR on their own (i.e. without the plethora of other information that is associated with them in the context of tracking).
The ECJ’s Breyer judgement#
When a law is not definitive, it is up for the courts to interpret it. For EU law, the European Court of Justice (ECJ) is the highest court, with its judgements being binding for national courts. In the case of IDs as personal data, the ECJ’s October 2016 judgement in case C‑582/14 (Breyer) is often referred to.
The Breyer case concerned the question of whether dynamic IP addresses are personal data. The plaintiff, Patrick Breyer, sued the Federal Republic of Germany for storing his IP addresses when he accessed several websites run by German Federal institutions, without his consent and beyond the duration of his visits. One of the issues the ECJ decided on was the question of whether a dynamic IP address constitutes personal data for the website operator (“online media services provider”), even if only the ISP has the additional data to connect the IP address to the user’s legal identity.
To quote the relevant parts of the decision (paras. 28–39, 44–48):
[…] it must be noted, first of all, that it is common ground that a dynamic IP address does not constitute information relating to an ‘identified natural person’, since such an address does not directly reveal the identity of the natural person who owns the computer from which a website was accessed, or that of another person who might use that computer.
Next, […] it must be ascertained whether such an IP address, registered by such a provider, may be treated as data relating to an ‘identifiable natural person’ where the additional data necessary in order to identify the user of a website that the services provider makes accessible to the public are held by that user’s internet service provider.
The fact that the additional data necessary to identify the user of a website are held not by the online media services provider, but by that user’s internet service provider does not appear to be such as to exclude that dynamic IP addresses registered by the online media services provider constitute personal data within the meaning of Article 2(a) of Directive 95/46.
However, it must be determined whether the possibility to combine a dynamic IP address with the additional data held by the internet service provider constitutes a means likely reasonably to be used to identify the data subject.
Thus, […] that would not be the case if the identification of the data subject was prohibited by law or practically impossible on account of the fact that it requires a disproportionate effort in terms of time, cost and man-power, so that the risk of identification appears in reality to be insignificant.
Although the referring court states in its order for reference that German law does not allow the internet service provider to transmit directly to the online media services provider the additional data necessary for the identification of the data subject, it seems however, […] in the event of cyber attacks legal channels exist so that the online media services provider is able to contact the competent authority, so that the latter can take the steps necessary to obtain that information from the internet service provider and to bring criminal proceedings.
Thus, it appears that the online media services provider has the means which may likely reasonably be used in order to identify the data subject, with the assistance of other persons, namely the competent authority and the internet service provider, on the basis of the IP addresses stored.
Even though, on the surface, the ECJ did decide that (temporary) identifiers like dynamic IP addresses can constitute personal data (as the case is often summarized as) and the judgement is as such generally regarded as a positive development toward a broad understanding of the concept of personal data, it can also be read as supporting a restrictive position on IDs as personal data. In this case, the ECJ did not consider the IP address to identify the user directly. Instead, it ruled that an IP address only (potentially) makes a user identifiable if there is additional information that links the IP to the user’s legal identity.
When discussing what the Breyer judgement means for our question at hand, we first have to consider its legal basis. Notably, the case was not decided under the GDPR but under Directive 95/46/EC (Data Protection Directive, DPD), the predecessor of the GDPR. And even though the definition of personal data in both of them is similar, there are some notable differences. Compare Art. 2(a) DPD with Art. 4(1) GDPR:
“Personal data” shall mean any information relating to an identified or identifiable natural person (“data subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity
Even though they are largely identical, it is clear that the legislature deliberately wanted to widen the scope. The mention of “identification numbers” as information potentially making a person identifiable was expanded to “identifiers”, listing names, identification numbers, location data, and online identifiers as examples.
This becomes even more apparent when comparing Recital 26 DPD to Recital 26 GDPR:
Whereas the principles of protection must apply to any information concerning an identified or identifiable person; whereas, to determine whether a person is identifiable, account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the said person; whereas the principles of protection shall not apply to data rendered anonymous in such a way that the data subject is no longer identifiable; […]
The GDPR introduces the concept of pseudonymisation, stating that pseudonymised data should be considered personal data. It also introduces the notion of singling out as a potential means of identifiability. Albrecht/Jotzo confirm the legislature’s intention behind the introduction of the “singling out” criterion12:
Data subjects can be indirectly inferred for example through “singling out” as mentioned in Recital 26 GDPR. The European Parliament had pushed for this clarification, since in the online world, for example with the help of cookies, IP addresses, browser fingerprints and other techniques, personality profiles are generated for many users by which they receive individual advertising without the operators of such advertising networks needing their civil names.
The judgments should not, according to IMY, be read […] in the way that a legal possibility to access information that can link IP addresses to individuals must be demonstrated for IP addresses to be considered personal data. An interpretation of the concept of personal data that always requires demonstrating a legal possibility to link such information to an individual would, according to IMY, entail a significant limitation of the scope of protection of the regulation, and open up possibilities to circumvent the protection in the regulation. This interpretation would, among other things, conflict with the purpose of the regulation according to Article 1(2) GDPR. The Breyer judgment was decided under the previously applicable Directive 95/46 and the concept of “singling out” according to Recital 26 of the current regulation (that knowledge of the actual visitor’s name or physical address is not required, since singling out in itself is sufficient to make the visitor identifiable), was not specified in the previously applicable directive as a method for identifying personal data.
Alternatively, Purtova proposes a contextual interpretation of Breyer which negates its restrictive potential (in agreement: Farinho15). They argue that it is important to pay close attention to the context of the case, which specifically concerns dynamic IP addresses (which are regularly reassigned to other users by ISPs) not during but after the browsing session ended. In this context, the IP address alone does in fact not identify (individualize) the user anymore, it now refers to the set of all users who were assigned the IP address at some point. As such, the ECJ specifically ruled that a reassigned dynamic IP address can only lead to identification in combination with the ISP’s traffic logs which record who held the IP address at which point.8 This however does not preclude IDs in general directly identifying users. Purtova concludes8:
The IP address provides a direct link to a flesh and blood individual who is browsing through the website’s content. Under these circumstances, a website visitor is directly identified by the dynamic IP address [during the browsing session]. Once the session is ended and the Internet connection is broken, the retained dynamic IP address is no longer pointing to a specific [node] on the network. The direct link with the visitor is severed and additional information is necessary to restore it. This contextual reading of Breyer does not effect the validity of the […] understanding of identification as distinguishing a person from the group and preserves a far reach of the GDPR.
Other EU case law#
As a result, the Breyer judgement is of little help for finding an answer to our questions. The same applies for the ECJ’s November 2023 judgement in case C-319/22. Here, the court had to decide whether the vehicle identification number (VIN) of a car constitutes personal data under the GDPR and whether car manufacturers are obliged to make it available to independent operators, such as spare parts suppliers or publishers of technical information (paras. 43–44). The ECJ noted that the VIN appears on the registration certificate of the vehicle, along with the name and address of the holder of that certificate, who may be the owner or the user of the vehicle (para. 47). It ruled that the VIN is personal data for those who have reasonable means to link it to a specific person, such as the independent operators who have access to the registration certificates or other sources of information, but also indirectly for the vehicle manufacturers making the VIN available to operators, even if the VIN is not, in itself, personal data for them (paras. 47–49):
[…] the VIN must appear on the registration certificate for a vehicle, as must the name and address of the holder of that certificate. In addition, […] a natural person may be designated in that certificate as the owner of the vehicle, or as a person who can use the vehicle on a legal basis other than that of owner. In those circumstances, the VIN constitutes personal data, within the meaning of Article 4(1) of the GDPR, of the natural person referred to in that certificate, in so far as the person who has access to it may have means enabling him to use it to identify the owner of the vehicle to which it relates or the person who may use that vehicle on a legal basis other than that of owner. […] where independent operators may reasonably have at their disposal the means enabling them to link a VIN to an identified or identifiable natural person, which it is for the referring court to determine, that VIN constitutes personal data for them, within the meaning of Article 4(1) of the GDPR, and, indirectly, for the vehicle manufacturers making it available, even if the VIN is not, in itself, personal data for them, and is not personal data for them in particular where the vehicle to which the VIN has been assigned does not belong to a natural person.
At first glance, this looks as though the ECJ is reinforcing its Breyer judgement and saying that being able to link an ID to a person’s legal identity is also necessary under the GDPR for it to be consider personal data. However, the ECJ introduces the section quoted above by saying that a non-personal ID becomes personal where it can reasonably associated with a specific person (para. 46):
[…] a datum such as the VIN – which is […] an alphanumeric code assigned to the vehicle by its manufacturer in order to ensure that the vehicle is properly identified and which, as such, is not ‘personal’ – becomes personal as regards someone who reasonably has means enabling that datum to be associated with a specific person.
Just as Purtova argues for Breyer, a contextual interpretation is needed here, as well. The defendant in this case is Scania CV AB, described as “one of the largest manufacturers of heavy goods vehicles in Europe” (para. 16). Therefore, it is likely that most of the vehicles sold by Scania are not owned or used by natural persons, but by legal entities, which are not covered by the GDPR (Recital 14 GDPR). As such, it makes sense that the ECJ stresses that the VIN constitutes personal data only where it is linked to a natural person (paras. 55–61). The situation is different for tracking, however, where IDs such as cookies or fingerprints are almost exclusively used to target individuals and their online behaviour. The ECJ’s judgement cannot simply be generalized over all these cases.
First reactions to the judgement also criticize the ECJ for being vague with regards to the relevant questions on personal data, questioning the relevance the judgement will have in practice.16
Finally, we have to consider the April 2023 judgement of the EGC in case T‑557/20. There, the EGC had to decide whether the comments submitted by the affected shareholders and creditors of a bank that was placed under resolution by the Single Resolution Board (SRB) constituted personal data and whether the SRB had infringed its obligation to inform them that their comments would be shared with Deloitte, an independent valuer. Alongside with the comments, the SRB had collected, among other documentation, proof of identity of the submitting persons (para. 9) but only made that available to a limited number of their internal staff. The comments were transmitted to Deloitte without this additional documentation, which had been replaced with a unique alphanumeric code (paras. 16, 24). After complaints by several shareholders and further information provided by the SRB, the European Data Protection Supervisor (EDPS) ultimately issued a decision finding the comments associated with unique IDs to be pseudonymous and thus personal data, and confirming an infringment (para. 32).
The EGC annulled the decision of the EDPS, on the grounds that the EDPS had not properly assessed whether the information transmitted to Deloitte related to an identified or identifiable natural person (paras. 97, 101, 105):
[…] it is […] apparent from the [ECJ Breyer judgement], that, in order to determine whether the information transmitted to Deloitte constituted personal data, it is necessary to put oneself in Deloitte’s position in order to determine whether the information transmitted to it relates to ‘identifiable persons’. […] Thus, the EDPS is incorrect to maintain that it was not necessary to ascertain whether the authors of the information transmitted to Deloitte were re-identifiable by Deloitte or whether such re-identification was reasonably possible. […] Therefore, since the EDPS did not investigate whether Deloitte had legal means available to it which could in practice enable it to access the additional information necessary to re-identify the authors of the comments, the EDPS could not conclude that the information transmitted to Deloitte constituted information relating to an ‘identifiable natural person’ within the meaning of Article 3(1) of Regulation 2018/1725.
Even though the EGC didn’t actually decide whether the transmitted data is personal data but only that the EDPS had insufficiently assessed the case to come to such a conclusion, it makes its position on pseudonymous data clear. The EGC does not share the interpretation that unique IDs are automatically personal data.17 It interprets the ECJ Breyer judgement such that the classification of data as personal data is relative to a certain party. That is, for data to be considered personal data to a certain party, said party itself needs to have (reasonable and legal, even if just theoretical) access to additional information that would allow it to associate a certain ID with the legal identity of a person.
Also, even though the ruling concerns Regulation 2018/1725 (the counterpart to the GDPR for EU institutions) and not the GDPR, everything in it also applies to the GDPR since the passages it relies on are identical between both (Art. 3(1) Regulation 2018/1725 is identical to Art. 4(1) GDPR, Recital 16 Regulation 2018/1725 is identical to Recital 26 GDPR).
However, as a decision of the EGC, the judgement is not binding for national courts. The EDPS already appealed the judgement in July 2023. Therefore, the EGC’s judgement does not create a precedent for the interpretation of the GDPR, unless it is confirmed by the ECJ.
Positions taken in legal literature#
Since the current case law doesn’t answer our questions, we’ll do a comprehensive review of the legal literature on the subject. As a key concept of European data protection law, the question of identifiability under the DPD and GDPR has been heavily debated in many papers and commentaries, with a few key positions being observable.
Knowing the person’s legal identity#
The first question we need to consider is whether information can be personal data at all without the controller knowing the data subject’s legal identity (especially the name). A few authors like Hermann/Mühlenbeck/Schwartmann argue that it is not. They say that a person is generally identified by some information if the controller can easily infer their (legal) identity from that information.18 Similarly, Eßer19, Gola20, and Klar/Kühling21 argue that email addresses are only directly identifying if they contain a person’s name but not if they contain a pseudonym.
However, there is a far greater corpus of authors taking the position that knowing the person’s name is not necessary. Arning/Rothkegel22, Ernst23, Farinho24, Purtova8, Schild25, and Ziebarth26 all explicitly state so. Karg explains27:
The GDPR does not stipulate such a narrow understanding of the concept of identification [as in conventional linguistic usage or in the German Code of Criminal Procedure], and this would not do justice to the purpose of comprehensive protection of data subjects. It is sufficient that the person can be individualized or made recognizable by or with the help of the corresponding information. In this respect, the controller does not need to process information such as the legal name […] together with the information in question in order for there to be personal data. The only decisive factor is that, from the perspective of the controller, the information is or can be assigned to one and the same person and the person is singularized. This is the case if the person can be recognized or re-addressed by means of the information used and/or confusion is ruled out.
Similarly, Schantz also refers to the concept of “singling out” as an argument for considering personal data in cases where a person can be individualized by the controller, even if the controller doesn’t know their name.28 Albrecht29, Klabunde30, the EU FRA’s Handbook on European data protection law31, and Ziebarth26 all mention examples of details that can identify a person without knowing their name being necessary, such as phone numbers, social security numbers, online identifiers, and video recordings. Schantz explicitly lists pseudonymized email addresses as examples of personal data.11
Zuiderveen Borgesius criticises the idea that a name is the only or even the most effective identifier and argues that many companies could easily tie a name to data that they are processing but aren’t interested in doing so, mentioning the example of a phone number or other phone ID being a far more useful identifier for sending messages to a phone or tracking its location.32 This argument is echoed by Schantz.28
Karg/Kühn33 and Wenhold34 held the position that knowing a person’s name or legal identity is not necessary even under the old DPD with its less broad wording. In fact, in its WP 136 from 2007, the Article 29 WP already expressed that “the possibility of identifying an individual no longer necessarily means the ability to find out his or her name”.35
Cookie, advertising and similar IDs#
With most authors agreeing that knowing a person’s name is not necessary and that other identifiers are possible, the question then becomes whether cookie, advertising, and similar IDs on their own are sufficient to make a person identified or identifiable.
Still in its WP 136, the Article 29 WP was of the opinion that that was already the case under the DPD35:
[Identification using something other than a name] may happen when other “identifiers” are used to single someone out. Indeed, computerised files registering personal data usually assign a unique identifier to the persons registered, in order to avoid confusion between two persons in the file. Also on the Web, web traffic surveillance tools make it easy to identify the behaviour of a machine and, behind the machine, that of its user. Thus, the individual’s personality is pieced together in order to attribute certain decisions to him or her. Without even enquiring about the name and address of the individual it is possible to categorise this person on the basis of socio-economic, psychological, philosophical or other criteria and attribute certain decisions to him or her since the individual’s contact point (a computer) no longer necessarily requires the disclosure of his or her identity in the narrow sense. […] The definition of personal data reflects this fact.
It reinforced that position in WP 188 from 2011.36 Meanwhile, Dieterich37 and Schmidt38 disagreed with this interpretation, citing the necessity of controllers linking additional information (like email addresses) with the online IDs for them to be personal data.
Under the GDPR, there are more authors in favor of the interpretation that IDs can be personal data on their own. The Article 29 WP successfully pushed for the “singling out” criterion to be included in the GDPR, where it is mentioned in Recital 26 as we’ve seen already.392940
Based on that, Albrecht/Jotzo29, Farinho41, Karg42, Schantz43, and Schild44 conclude that it is enough for the controller to individualize, differentiate or recognize a person based on some information for that information to be personal data. Farinho explains that it doesn’t matter whether this individualization is possible “for a short period of time or a long one”.41 Albrecht/Jotzo argue that the inclusion of the “singling out” criterion in Recital 26 GDPR invalidates earlier arguments that required knowing a person’s legal identity instead of just an ID.11
[…] the whole point of behavioural targeting is tracking individuals, building profiles of individuals, and targeting ads to individuals. The goal of behavioural targeting is, in the words of a marketing company, ‘to use data to deliver the right ad to the right person at the right time.’ To do this, behavioural targeting companies must single out people with unique identifiers.
Albrecht/Jotzo29, Ernst45, Klabunde46, Schantz43, and Schild44 all mention online identifiers like IP addresses, cookie IDs, device IDs, and browser fingerprints as examples of identifiers that allow for such individualization. Karg goes further, reasoning that any randomly assigned string that is assigned to a single person, at least for the timeframe of the processing, is sufficient for individualization.42
Meanwhile, Arning/Rothkegel47 and Klar/Kühling48 hold the position that IDs alone do not allow for identification but only in combination with other information that allows for inferring the person’s identity.
Personal data in the larger context of online tracking#
In summary, there is still debate on whether IDs on their own constitute personal data under the GDPR. However, in the context of online tracking and advertising, IDs are never processed on their own. Instead, they are combined with other information, such as interaction data, browsing history, location data, device parameters, behavioral patterns, and IP addresses, to create detailed fingerprints and profiles of users and target them with personalized ads. In this larger context, there is fairly universal agreement, even from those who reject cookie and similar IDs being personal data on their own, that such data processing falls under the scope of the GDPR and constitutes personal data.
This is supported by Recital 30 GDPR, which states:
Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.
Gola20, Klar/Kühling48, and Schild49 confirm that this typically applies in the case of fingerprinting and other online profiling. Karg/Kühn33 and Wenhold50 already considered fingerprinting data to be personal data under the DPD, with Wenhold stating that due to “monopolistic operator structures“ on the internet enabling interlinkage, it cannot be ruled out that fingerprints could be tied to IP addresses, thus “infecting” them with personal data50.
In more recent commentary, Karg contends that the information and communication technology constantly improves the ability to individualize persons based on various and ultimately only seemingly anonymous or non-personal information. They cite that uniquely marking a browser and the user behind it is possible based on usage history and behavioral linking of internet sessions over a longer period of time, with this allowing individualization of the user and thus leading to otherwise anonymous data becoming personal data.51 They explain that an observed expansion of the scope of data protection law is thus not caused by a perceivedly more extensive interpretation of the concept of personal data, but rather by the constantly increasing analytical capabilities of technology and the resulting increasing ability in gaining knowledge about individuals.52 Given this situation, they argue that there is a need for an extension rather than a reduction of the scope of data protection law. A potential balancing between the interests of society, economy and state with the rights of the data subjects is not to happen in the definition of personal data, but at the level of lawfulness of data processing, especially according to Art. 5 and 6 GDPR.52
Positions taken by data protection authorities#
In addition to the legal literature and the EU case law, we also have to consider the positions taken by the data protection authorities, as they are responsible for enforcing the GDPR and issuing guidance and decisions on its interpretation and application.
For example, the DPC Ireland explains that cookies can include personal data such as usernames or unique identifiers like user IDs and other tracking IDs. The DPC adds that where cookies contain identifiers that may be used to target a specific individual, or where information is derived from cookies and other tracking technologies that may be used to target or profile individuals, this will constitute personal data and its processing is also subject to the rules set out in the GDPR. The DPC also emphasizes that online identifiers are included in the definition of personal data in Article 4(1) of the GDPR, and that it does not matter whether the controller is in possession of other information that may be needed to identify an individual; the fact that the person may be identified, even with the addition of information held by another organisation, is sufficient to make this data personal data.53
Similarly, the ICO, the UK DPA, explains that online identifiers, such as IP addresses, advertising IDs, pixel tags, account handles, and device fingerprints, can be used to distinguish one user from another and to create profiles of individuals, even when those individuals are unnamed. The ICO notes that this is particularly the case when the information enables the controller to single out, make inferences or take specific actions in relation to users, such as identifying them over time or across multiple devices and websites. The ICO concludes that where this is the case, the processing must comply with the UK GDPR.54
In an FAQ on Google Analytics, the Danish Datatilsynet also adopts a broad understanding of personal data in relation to online identifiers. It states that a unique identifier makes it possible to identify the individual to whom the data relates, even if it is not possible to assign a specific name or identity to the person concerned. It cites the GDPR’s explicit mention of the “singling out” concept.55
In addition to the guidelines, some DPAs have also issued decisions on specific cases involving the processing of IDs that are uniquely assigned to a person. These decisions provide concrete examples of how the DPAs apply the GDPR in relation to tracking data and IDs.
One of the most common issues relating to tracking that the DPAs have addressed is the use of Google Analytics in the context of noyb’s 101 complaints following the Schrems II judgement.
For example, the Swedish DPA (IMY) issued a decision in June 2023, fining Tele2 Sverige AB and three other website providers for using Google Analytics despite the EU recommendations and decisions and without implementing additional safeguards.58 In the decision, the IMY explains that network/online identifiers can be used to identify a user, especially when combined with other similar types of information.59 The IMY considered the data collected by Google Analytics, such as unique identifiers stored in the cookies
_gid, IP addresses, and other information related to the website visit and user’s browser. They highlight that these identifiers were created with the express aim of being able to distinguish individual visitors, thus making them identifiable. The IMY notes that even if the IDs alone did not make individual identifiable, the IDs in combination with the other transmitted data makes website visitors even more distinguishable. As such, they conclude that the transmitted data information constitutes personal data. The IMY explains that this differentiation is in itself sufficient to make the visitor indirectly identifiable in accordance with Recital 26 and that knowledge of the visitor’s name or physical address is not required. They also do not consider it necessary that the controller or processor actually intends to identify the visitor, noting that the possibility of doing so is in itself sufficient to determine whether it is possible to identify a visitor.60
Further, the IMY observed that the complainant logged into their Google account when visiting the website, which allowed Google to draw conclusions about them based on their registration with Google, making it even more clear that personal data was processed.61 They however notably do not consider this a requirement for the classification of the information as personal data.
Similarly, the Austrian DPA (DSB) issued a decision in December 2021, finding that an Austrian website violated the GDPR by transferring personal data to US by using Google Analytics. The DSB notes that the cookies used by Google Analytics,
cid, contained unique identifiers that were stored on the users' devices and browsers, and that only through these identifiers was it possible for the website operator and Google to distinguish visitors as well as determine whether they had visited the website before. The DSB explains its position that such a possibility of individualizing website visitors was sufficient to open the scope of data protection law and that being able to find out the person’s name was not necessary, citing Recital 26 GDPR as justification.62 With regards to the controller’s and Google’s argument that they didn’t actually intend to associate the IDs with an actual person, the DSB underlines63:
Insofar as the defendants argue that no “means“ are used to link the identification numbers in question here to the person of the complainant, it must be reiterated that the implementation of Google Analytics on [the website] results in a singling out within the meaning of Recital 26 GDPR. In other words: Those who use a tool that only enables such singling out in the first place, cannot take the position that they do not “reasonably” use any means to make natural persons identifiable.
The DSB also notes that these identifiers could combined with other information, such as browser data and IP addresses, which made the website visitors even more identifiable, referring to Recital 30 GDPR. The DSB further points out that Google Analytics was specifically designed to be implemented on as many websites as possible, in order to collect information about website visitors. They conclude that the data processed by Google Analytics constituted personal data and stress that not applying the GDPR to the processing done by Google Analytics would run afoul of the fundamental right to data protection.64
The DSB’s decision was later confirmed by the Austrian Federal Administrative Court in judgement W245 2252208-1/36E, W245 2252221-1/30E.
In a more recent decision in March 2023, the DSB found that the use of Facebook’s tracking pixel by an Austrian website provider also violated the GDPR and the Schrems II judgement. In the decision, the DSB follows the same argument as in the Google Analytics decision, quoting from it with regards to the classification of tracking data as personal data.65
Again concerning Google Analytics but also Google Tag Manager, Tietosuojavaltuutetun toimisto, the Finish DPA, issued a decision in December 2022 against the public library online services of four cities in Finland. The decision mentions that personal data was collected through those tools but doesn’t provide a reasoning with further details.66 Just as the Swedish and Austrian DPAs, the Finish DPA also found an unlawful transfer of personal data to the US.
The CNIL, the French DPA, issued a decision in March 2022, ordering three French websites to comply with the GDPR in relation to their use of Google Analytics. The CNIL explains that online identifiers, such as IP addresses or information stored in cookies, could be used as a means of identifying a user, especially when combined with other similar types of information, citing Recital 30 GDPR. The CNIL explains that the websites had to demonstrate the means implemented to ensure that the identifiers collected were anonymous, otherwise they could not be qualified as anonymous. They also note that the IDs used by Google Analytics were unique identifiers that were intended to differentiate between individuals and that these identifiers could also be combined with other information, such as the address of the site visited, metadata relating to the browser and operating system, the time and data relating to the visit to the website, and the IP address. The CNIL argues that this combination reinforced their distinguishing nature and made the visitors identifiable. The CNIL believes that the scope of the right to data protection would be diminished if this were decided otherwise.67
The CNIL also sanctioned Criteo, an online advertising company, with a fine in June 2023 for failing to verify that users from whom it processed data had given their consent. The CNIL considers that Criteo processed personal data, given the number and diversity of the data collected and the fact that they were all linked to an identifier, which made it possible, with reasonable means, to re-identify the natural persons to whom this data relates. The CNIL also notes that the Criteo cookie ID was intended to distinguish each individual whose data it collected and that a large amount of information intended to enrich the user’s advertising profile was associated with this identifier. The CNIL believes that even if Criteo did not directly have the identity of the person associated with a cookie ID, reidentification could be possible if Criteo also collected other data such as the email address, the IP address, or even the user agent (or hashed forms thereof). The CNIL concludes that as long as Criteo is able to re-identify individuals using reasonable means, the processed data is personal data under the GDPR.68
In one of the few DPA proceedings on the matters not related to the Schrems II judgement, the Norwegian Datatilsynet published a draft decision in May 2021, notifying Disqus, a company that provides a platform for online comments, that it would be fined for unlawfully processing personal data for programmatic advertising. The DPA states that online identifiers, such as cookie IDs, were personal data, as they enabled the controller to distinguish one website user from another, and to monitor how each user interacts with the website, citing Art. 4(1) GDPR and Recital 30 GDPR to support its interpretation.69 A final decision on the matter has not been published yet.
Finally, the DPA of Lower Saxony in Germany (LfD NDS) issued a decision in May 2023 concerning the use of a “pay or okay” system by Heise, a German tech news site. The site made users choose between paying for a monthly subscription or agreeing to their data being processed for advertising and other purposes. The LfD found that such a system was, in principle, permissible but that the requirements for obtaining consent were not fulfilled by Heise. In the decision, the LfD describes the high number of observed local storage objects, tracking techniques and third-party services used on the site, explaining that they will not provide a legal assessment of each one as a result. The LfD notes, without providing further reasoning, that Heise processed personal data through these objects, citing for example that Adform placed a
cid cookie, which they determined to be an ID based on the name.70
Keegan/Eastwood, From “Heavy Purchasers” of Pregnancy Tests to the Depression-Prone: We Found 650,000 Ways Advertisers Label You, 2023, retrieved 2023-11-16 ↩︎
cf. e.g. Rocher/Hendrickx/de Montjoye, Estimating the success of re-identifications in incomplete datasets using generative models, Nature Communications, 2019; lschatzkin/Budington/maximillianh/Antaki, About Cover Your Tracks, 2021, retrieved 2023-11-24 ↩︎
The Council of Europe is an international organisation established after World War II to uphold human rights, democracy and the rule of law in Europe, centred on the European Convention on Human Rights.
The CoE’s Convention 108 was the first legally binding international instrument in the data protection field and opened for signature in 1981. The convention is binding for states that have ratified it, requiring its signatories to enact certain principles of the fundamental rights with regard to the processing of personal data into national law. The convention was updated in 2018 to address new data protection challenges that have arisen in the preceding decades, becoming Convention 108+.
Poullet et al., Report on the application of data protection principles to the worldwide telecommunication networks, T-PD (2004) 04 final, section 2.1.3 ↩︎
Purtova, From knowing by name to targeting: the meaning of identification under the GDPR, IDPL, Vol. 12, No. 3 (2022) ↩︎
A similarly unanswered and related discussion, that isn’t relevant here, though, concerns the question of whether information is considered personal data based on an absolute (objective) or a relative (subjective) approach, which is not definitely answered by the GDPR either. The absolute approach assumes that information is personal data if the controller or any third party can link it to a person, regardless of the actual use of the linking possibilities, the individual abilities and means of the controller, and the legality of the linking. The relative approach considers only the means and knowledge that the controller actually and reasonably has in the specific case to establish the link between the information and the person. Under the old DPD, the ECJ has favored the relative approach (cf. Breyer ruling), but with some limitations and elements of the absolute approach. The controller must take into account not only the direct and immediate knowledge and means of a third party, but also the indirect and potential ones, as long as the linking is legally permissible and reasonably possible. The ECJ thus expands the scope of the relevant knowledge and technical possibilities, but also adds a clear corrective. The link between the information and the person does not have to be actually established, but only potentially possible.
Further on that subject, with different positions: Ziebarth in Sydow/Marsch, DS-GVO/BDSG, 3. edition, 2022, Art. 4 Nr. 1 DSGVO, mn. 34 – 39; Karg in Simitis/Hornung/Spiecker gen. Döhmann, Datenschutzrecht, 1. edition, 2019, Art. 4 DSGVO, mn. 58 – 61; Klar/Kühling in Kühling/Buchner, DS-GVO/BDSG, 3. edition, 2020, Art. 4 Nr. 1 DSGVO, mn. 25 – 30; Arning/Rothkegel in Taeger/Gabel, DSGVO - BDSG - TTDSG, 4. edition, 2022, Art. 4 DSGVO, mn. 33 – 38; Hermann/Mühlenbeck/Schwartmann in Schwartmann/Jaspers/Thüsing/Kugelmann, DS-GVO/BDSG, 2. edition, 2020, Art. 4 Nr. 1 DSGVO, mn. 35 – 40; Eßer in Auernhammer, DSGVO/BDSG, 8. edition, 2023, Art. 4 Nr. 1 DSGVO, mn. 20; Gola in Gola/Heckmann, Datenschutz-Grundverordnung - Bundesdatenschutzgesetz, 3. edition, 2022, Art. 4 Nr. 1 DSGVO, mn. 20 – 22; Schantz in Schantz/Wolff, Das neue Datenschutzrecht, 1. edition, 2017, mn. 276 – 278; Farinho in Spiecker/Papakonstantinou/Hornung/De Hert, General Data Protection Regulation, Art. 4(1) Personal data, 2023, mn. 28; Finck/Pallas, They who must not be identified, IDPL, Vol. 10, No. 1 (2020) ↩︎
Zuiderveen Borgesius, Singling out people without knowing their names – Behavioural targeting, pseudonymous data, and the new Data Protection Regulation, Computer Law & Security Review 2016, 256, p. 267–268 (longer open access preprint) ↩︎
Schantz in Schantz/Wolff, Das neue Datenschutzrecht, 1. edition, 2017, chapter C.II, mn. 293 ↩︎
Albrecht/Jotzo, Das neue Datenschutzrecht der EU, 1. edition, 2017, Part 3, mn. 3 (translated) ↩︎
IMY, Beslut efter tillsyn enligt dataskyddsförordningen – Tele2 Sverige AB:s överföring av personuppgifter till tredjeland, DI-2020-11373, 2023-06-30, p. 12 (translated) ↩︎
Kring/Marosi, Ein Elefant im Porzellanladen – Der EuGH zu Personenbezug und berechtigtem Interesse, K&R 2016, 773, p. 776 ↩︎
Farinho in Spiecker gen. Döhmann/Papakonstantinou/Hornung/De Hert, General Data Protection Regulation, Art. 4(1) Personal data, 2023, mn. 24 ↩︎
e.g. Quiel, Entscheidung des EuGH zur FIN und generellen Aspekten des Personenbezugs, 2023, retrieved 2023-11-13 ↩︎
in agreement: Bronner, Personenbezug bei pseudonymisierten Daten, jurisPR-ITR 12/2023 Anm. 5; Schweinoch/Peintinger, EuG: Datenschutz-Verstoß bei Weitergabe pseudonymisierter oder anonymisierter Daten, CR 2023, 532-539; Kunczik, Relativer Personenbezug von Daten, ITRB 2023, 176-177 ↩︎
Hermann/Mühlenbeck/Schwartmann in Schwartmann/Jaspers/Thüsing/Kugelmann, DS-GVO/BDSG, 2. edition, 2020, Art. 4 Nr. 1 DSGVO, mn. 32 ↩︎
Eßer in Auernhammer, DSGVO/BDSG, 8. edition, 2023, Art. 4 Nr. 1 DSGVO, mn. 21 ↩︎
Gola in Gola/Heckmann, Datenschutz-Grundverordnung - Bundesdatenschutzgesetz, 3. edition, 2022, Art. 4 Nr. 1 DSGVO, mn. 23 ↩︎
Klar/Kühling in Kühling/Buchner, DS-GVO/BDSG, 3. edition, 2020, Art. 4 Nr. 1 DSGVO, mn. 39 ↩︎
Arning/Rothkegel in Taeger/Gabel, DSGVO - BDSG - TTDSG, 4. edition, 2022, Art. 4 DSGVO, mn. 24, 30 ↩︎
Ernst in Paal/Pauly, DS-GVO BDSG, 3. edition, 2021, Art. 4 Nr. 1 DSGVO, mn. 8 ↩︎
Farinho in Spiecker gen. Döhmann/Papakonstantinou/Hornung/De Hert, General Data Protection Regulation, Art. 4(1) Personal data, 2023, mn. 20 ↩︎
Schild in BeckOK Datenschutzrecht, 45. edition, 2023, Art. 4 Nr. 1, mn. 17 ↩︎
Ziebarth in Sydow/Marsch, DS-GVO/BDSG, 3. edition, 2022, Art. 4 Nr. 1 DSGVO, mn. 14 ↩︎
Karg in Simitis/Hornung/Spiecker gen. Döhmann, Datenschutzrecht, 1. edition, 2019, Art. 4 Nr. 1 DSGVO, mn. 48–49 (translated) ↩︎
Schantz in Schantz/Wolff, Das neue Datenschutzrecht, 1. edition, 2017, chapter C.II, mn. 291–292 ↩︎
Albrecht/Jotzo, Das neue Datenschutzrecht der EU, 1. edition, 2017, Part 3, mn. 3 ↩︎
Klabunde in Ehmann/Selmayr/Klabunde, DS-GVO, 2. edition, 2018, Art. 4 DSGVO Nr. 1, mn. 18 ↩︎
Zuiderveen Borgesius, Singling out people without knowing their names – Behavioural targeting, pseudonymous data, and the new Data Protection Regulation, Computer Law & Security Review 2016, 256, p. 268 (longer open access preprint) ↩︎
Karg/Kühn, Datenschutzrechtlicher Rahmen für “Device Fingerprinting” - Das klammheimliche Ende der Anonymität im Internet, ZD 2014, 285, p. 288 ↩︎
Wenhold, Nutzerprofilbildung durch Webtracking, 1. edition, 2018, chapter E.I.2, p. 130 ↩︎
Article 29 Data Protection Working Party, WP 136: Opinion 4/2007 on the concept of personal data, p. 14 ↩︎
Article 29 Data Protection Working Party, WP 188: Opinion 16/2011 on EASA/IAB Best Practice Recommendation on Online Behavioural Advertising, p. 8 ↩︎
Dieterich, Canvas Fingerprinting – Rechtliche Anforderungen an neue Methoden der Nutzerprofilerstellung, ZD 2015, 199, p. 201 ↩︎
Schmidt, Anforderungen an den Einsatz von Cookies, Browser-Fingerprinting und ähnlichen Techniken im deutschen Recht, K&R 2016, 86, p. 88 ↩︎
Tosoni/Bygrave in Kuner/Bygrave/Docksey, The EU General Data Protection Regulation: A Commentary, 1. edition, 2020, Art. 4(1) GDPR, p. 108 ↩︎
Schantz in Schantz/Wolff, Das neue Datenschutzrecht, 1. edition, 2017, chapter C.II, mn. 291 ↩︎
Farinho in Spiecker gen. Döhmann/Papakonstantinou/Hornung/De Hert, General Data Protection Regulation, Art. 4(1) Personal data, 2023, mn. 21, 24 ↩︎
Karg in Simitis/Hornung/Spiecker gen. Döhmann, Datenschutzrecht, 1. edition, 2019, Art. 4 Nr. 1 DSGVO, mn. 50 ↩︎
Schantz in Schantz/Wolff, Das neue Datenschutzrecht, 1. edition, 2017, chapter C.II, mn. 292–293 ↩︎
Schild in BeckOK Datenschutzrecht, 45. edition, 2023, Art. 4 Nr. 1, mn. 17, 19 ↩︎
Ernst in Paal/Pauly, DS-GVO BDSG, 3. edition, 2021, Art. 4 Nr. 1 DSGVO, mn. 18 ↩︎
Klabunde in Ehmann/Selmayr/Klabunde, DS-GVO, 2. edition, 2018, Art. 4 DSGVO Nr. 1, mn. 18 ↩︎
Arning/Rothkegel in Taeger/Gabel, DSGVO - BDSG - TTDSG, 4. edition, 2022, Art. 4 DSGVO, mn. 27 ↩︎
Klar/Kühling in Kühling/Buchner, DS-GVO/BDSG, 3. edition, 2020, Art. 4 Nr. 1 DSGVO, mn. 36 ↩︎
Schild in BeckOK Datenschutzrecht, 45. edition, 2023, Art. 4 Nr. 1, mn. 20 ↩︎
Wenhold, Nutzerprofilbildung durch Webtracking, 1. edition, 2018, chapter E.I.2, p. 144 ↩︎
Karg in Simitis/Hornung/Spiecker gen. Döhmann, Datenschutzrecht, 1. edition, 2019, Art. 4 Nr. 1 DSGVO, mn. 52–53 ↩︎
Karg in Simitis/Hornung/Spiecker gen. Döhmann, Datenschutzrecht, 1. edition, 2019, Art. 4 Nr. 1 DSGVO, mn. 65 ↩︎
DPC Ireland, Guidance Note: Cookies and other tracking technologies, 2020 ↩︎
Datenschutzkonferenz, Orientierungshilfe der Aufsichtsbehörden für Anbieter:innen von Telemedien ab dem 1. Dezember 2021 (OH Telemedien 2021), version 1.1, 2022 ↩︎
IMY, Beslut efter tillsyn enligt dataskyddsförordningen – Tele2 Sverige AB:s överföring av personuppgifter till tredjeland, DI-2020-11373, 2023-06-30, p. 10 ↩︎
IMY, Beslut efter tillsyn enligt dataskyddsförordningen – Tele2 Sverige AB:s överföring av personuppgifter till tredjeland, DI-2020-11373, 2023-06-30, p. 11 ↩︎
IMY, Beslut efter tillsyn enligt dataskyddsförordningen – Tele2 Sverige AB:s överföring av personuppgifter till tredjeland, DI-2020-11373, 2023-06-30, p. 13 ↩︎
Tietosuojavaltuutetun toimisto, Apulaistietosuojavaltuutetun päätös käsittelyn lainmukaisuutta, käsittelyn turvallisuutta, sisäänrakennettua ja oletusarvoista tietosuojaa, rekisteröityjen informointia ja henkilötietojen siirtoa kolmansiin maihin koskevassa asiassa, 4672/161/22, 2022-12-13 ↩︎
Datatilsynet, Advance notification of an administrative fine – Disqus Inc., 20/01801-5, 2021-05-02, p. 15–16 ↩︎
Die Landesbeauftrage für den Datenschutz Niedersachsen, Beschwerdeverfahren gegen Verarbeitungen personenbezogener Daten bei der Nutzung der Webseite www.heise.de, 2023-05-17, p. 6 ↩︎