In an intriguing judgment on April 26, 2023, the General Court of the European Union (EU) delivered a thought-provoking verdict in case T-557/20 that could redefine the landscape of online marketing. This ruling has the potential to reshape the industry, given the ever-evolving nature of digital marketing practices. Today, we delve into the intricacies of this case and explore its implications for businesses operating in the data-driven marketing sphere.

The EU Court’s verdict focuses on the determination of pseudonymized data as personal data under the EU’s General Data Protection Regulation (GDPR). The ruling emphasizes the perspective of the recipient when assessing whether pseudonymized data can be used to re-identify an individual. If the recipient cannot re-identify an individual using pseudonymized data, it does not constitute personal data within the scope of the GDPR. It is irrelevant if the transmitter is able to re-identify data subjects. This decision serves as a milestone that could significantly impact online marketing strategies in the years to come.

The Shift from Cookie IDs to Robust Identifiers in Online Marketing

Over the past two decades, online marketing has heavily relied on cookie IDs, particularly third-party cookies, to track and target users. However, major web browsers like Safari, Firefox, and Brave have taken steps to block these cookies, disrupting established marketing practices. This intervention by browsers has compelled marketing vendors to seek alternative methods for assisting advertisers in reaching their target audiences effectively.

A prominent approach emerging in the industry involves leveraging more robust personal identifiers, such as email addresses, phone numbers, and home addresses. Marketing vendors who possess datasets containing similar identifiers can utilize this information to identify individuals. Tech giants like Facebook and Google are prime examples of such vendors.

The process entails sharing personal identifiers with the vendor, who then cross-checks their dataset for matches. If a match is found, marketing features like retargeting and look-alike audiences become accessible within the vendor’s network, eliminating the need for third-party cookies. However, this method necessitates sharing all the identifiers with the vendor, even those that do not find a match. Consequently, there is a risk of potential misuse of these unmatched identifiers. While vendors claim to promptly delete unmatched identifiers, given the privacy violation fines levied against big tech companies in the past, an added layer of security would be highly advantageous.

Introducing Pseudonyms: Safeguarding Privacy in Data Sharing

To address privacy concerns while sharing first-party identifiers with vendors, a privacy best practice involves hashing the data beforehand. This process transforms identifiable information into pseudonymized data, fortifying the protection of individual privacy, especially when data sharing may not result in a match.

By applying a hash function, the possibilities of (mis)using the data by the vendor are effectively blocked, ensuring the anonymity of the data subjects. This practice aligns with the principles of a zero-knowledge protocol, where the recipient (the marketing vendor) does not gain access to the original data but can still verify its authenticity.

The recent judgment by the General Court validates this privacy best practice as a reliable option for securely sharing data under a zero-knowledge protocol, further safeguarding individuals’ anonymity and privacy.

Are Hashed Identifiers Immune to the Tech Giants?

Considering the perspective of the recipient, let us explore whether hashed identifiers truly protect against the re-identification attempts by tech giants such as Facebook and Google. Assuming we share hashed email addresses with these entities, both utilizing a SHA256 hash, can they re-identify the data subjects if they so desired?

In theory, these companies could attempt a brute-force attack by generating an extensive range of possible input values and hashing them until a match is found. However, the number of potential input values is so vast that this approach becomes impractical for real-world purposes. Thus, from a practical standpoint, the use of hashed identifiers significantly mitigates the risk of re-identification by tech giants.

It must be noted that this is a moving goalpost with technological evolution making it easier and faster to execute a successful brute-force attack and therefore steadily moving it towards a practical option for potential misuse of data protected by pseudonymization. This could be addressed by upgrading to more complex hash algorithms, but this is dependent on changes from the marketing vendors for the matching of hash data to function as intended.

Pseudonymization: It’s Not an GDPR Escape Route

Now, let’s address a crucial misconception that may arise from the T-557/20 judgment. The use of hashed data to share personal information with third parties for marketing purposes does not absolve organizations from their responsibilities to comply with the GDPR. While hashed data without a match does not qualify as personal data under the scope of the T-557/20 case, each matched hash reveals the identity of the data subject, rendering it personal data.

Therefore, hashed identifiers shared to marketing vendors should be treated as personal data, and organizations must fulfill all GDPR requirements when processing such information. Sharing personal data with third parties for marketing purposes still necessitates a valid legal basis, such as consent from the data subject, under the GDPR. It is essential to note that each matched hash identifies an individual, exposing their personal information. Consequently, organizations must diligently adhere to GDPR requirements related to the processing of personal data, while ensuring clear and accessible information about their data sharing activities.

And what about the 2017 Breyer case on IP addresses?

In addition to the judgment in case T-557/20, it is worth mentioning another significant judgement in data compliance. The Breyer case (C-582/14), revolves around the classification of IP addresses as personal data. In this case the Court of Justice of the European Union (CJEU) ruled that dynamic IP addresses can be considered personal data if there is a reasonable possibility of identifying individuals through additional information held by a third party, such as an internet service provider.

These cases on face value seem to be in conflict with each other as the Breyer case stated, ‘it is not required that all the information enabling the identification of the data subject must be in the hands of one person’, while T-557/20 focusses on the information available to the recipient alone. How the precedent of these different cases will play out in other judgements remains to be seen.

Conclusion: Navigating the Path to Data Compliance in Online Marketing

The EU Court’s judgment in case T-557/20 offers businesses invaluable compliance insights for online marketing. As the industry adapts to the changing landscape and shifts from traditional cookie-based practices to robust personal identifiers, organizations must tread carefully to uphold privacy rights while achieving their marketing objectives.

By adopting privacy best practices, such as pseudonymization through hashing, companies can strike a balance between personalized marketing and data protection. However, it is crucial to understand that pseudonymization is not a silver bullet that exempts businesses from GDPR requirements. Compliance with consent and information obligations remains paramount, ensuring that individuals’ rights and privacy are respected throughout the data sharing process.

As the online marketing landscape continues to evolve, staying informed about legal precedents and keeping up with data protection best practices is paramount. By incorporating these insights into marketing strategies, businesses can navigate the complex terrain of data compliance, establish trust with consumers, and thrive in an era where privacy and targeted marketing coexist harmoniously.

The future of online marketing beckons—a future where data compliance and privacy are not just legal obligations but essential pillars for success and consumer trust.

Image is sourced from Court of Justice of the European Union: https://curia.europa.eu/