In case C-319/22, the European Court of Justice (“ECJ”) ruled that the vehicle identification number ("VIN") (i) as such is not personal data but (ii) it becomes personal data as regards someone who “reasonably” has means enabling that datum to be associated with a specific person.
This follows the case law of the ECJ that it is often not possible to make a general statement as to whether information is personal data, but rather the circumstances of the specific case must be considered. In its judgment, the ECJ again avoids clearly specifying questions of practical relevance, in particular when the means are "reasonably” likely to be used to identify a data subject.
For the definition of the identifiability of a person, the ECJ repeatedly refers back to its case law on the Breyer case and points out that for the question of identifiability:
"account shall be taken of all the means likely reasonably to be used either by the controller, […] or by any other person, to identify that person, without, however, requiring that all the information enabling that person to be identified should be in the hands of a single entity".
This is also in line with Recital 26 of the General Data Protection Regulation (“GDPR”). The Court therefore agrees with the Advocate General's view that although the VIN:
"as such, is not 'personal'", it "becomes personal as regards someone who reasonably has means enabling that datum to be associated with a specific person".
The background to this is also that the Advocate General describes the VIN as a mere "alphanumeric code" in principle, which the manufacturer assigns to a vehicle and which, strictly speaking, only serves to properly identify the vehicle. By its nature, the VIN is therefore actually a datum “ad rem” but not “ad personam”; however, the Advocate General and the ECJ also note that registration certificates must contain information such as the VIN, name and address of the holder of the registration certificate.
Therefore, the VIN constitutes personal data "of the natural person referred to in that certificate", provided that "the person who has access to it may have means enabling him to use it to identify the owner of the vehicle to which it relates or the person who may use that vehicle on a legal basis other than that of owner". The ECJ also states that the VIN as such does not constitute personal data for vehicle manufacturers if the vehicle to which the VIN has been assigned does not belong to a natural person. However, the ECJ does not exclude that even in these cases the VIN can constitute personal data if the VIN is combined with other data.
For this specific case, the ECJ leaves it to the referring court to assess whether "independent operators may reasonably have at their disposal the means enabling them to link a VIN to an identified or identifiable natural person", i.e., whether the VIN is personal data.
In addition to the issue of the VIN as personal data, the ECJ also ruled on access to vehicle data in accordance with Art. 61 Regulation 2018/858:
Unfortunately, the ECJ misses the opportunity to provide clarity on practical issues:
In practice, it should also be noted that the VIN is rarely available in isolation and is often processed in conjunction with other data that can already allow identification independently of the VIN (e.g., in the case of user accounts for connected car applications). In any event, in such cases, in practice the VIN very easily becomes personal data, at least for the party processing the additional information (e.g., in connection with a connected car application).
Also, it appears likely that data protection authorities with their intention to broadly protect data subjects will continue to interpret personal data, broadly, i.e., they might apply rather low thresholds for the presence of “reasonably” likely means to identify the data subject (as they also did after the Breyer case).
Many questions therefore remain open, and this will certainly not be the last decision by the ECJ on the definition of personal data.