Douwe Korff, Professor of International Law
I.
Background
In a recent judgment (discussed previously on this blog) the
third chamber of the CJEU has ruled that the concept of "personal
data" in the 1995 data protection (DP) directive is limited to data directly relating to a
person, and does not include legal analyses in the file on the person, on which
the state (NL) relied in taking its decisions in relation to that person (Joined
Cases C-141/12 and C-372/12). I believe the Court’s restriction of the concept
is wrong and contrary to the intended purpose of data protection; and should be
corrected in the new General Data Protection Regulation.
First of all, the Court based
itself on the, in my opinion erroneous, view that the 1995 EC DP Directive was
solely aimed at protecting privacy. In particular, it felt that the right of
data subjects to access to their personal data should not extend to a legal analysis
of their case, contained in a file on them, because (in the Court’s view) such
an analyses “is not in itself liable to be the subject of a check of its
accuracy by [a data subject]”, and data subjects should not be able to use data
protection to seek a rectification of such an analysis (cf. para. 44 of the
judgment).
Secondly, the Court also
relied on the fact that data of the kind at issue in the joined cases was
administrative data held by a public authority and, drawing a parallel with EU
regulations on privacy and access to documents, held that access to the legal
analysis should be addressed under the latter rules rather than the former.
This failed to take into account the fact that the EU rules referred to apply
only to public (i.e., EU) bodies, whereas the 1995 DP Directive applies also,
and in indeed especially, to private-sector bodies (in particular companies)
that are not subject to public-sector rules on access to administrative data.
The Court’s judgment, in
sum, seriously limits the concept of personal data and the right of access to
one’s personal data, and thus seriously limits the application of the entire EU
data protection regime. It leaves individuals with seriously less rights in
respect of data on them (or relating to them, or used to take decisions on them,
or that affect them) than was previously thought.
Specifically,the judgment
runs directly counter to the authoritative 2007 Article 29 Working Party (WP) Opinion on the concept of personal data (Opinion 4/2007, WP136, of 20 June
2007). This first of all noted that the purpose of data protection is not
limited to a narrow concept of privacy – as is indeed also clear from the fact
that data protection is guaranteed in the Charter of Fundamental Rights (CFR) as a
separate right, sui generis, from the
right to private life/privacy (data protection is guaranteed in Article 8 CFR;
Privacy in Article 7 CFR). Astonishingly, given that the WP29 is expressly
charged with providing guidance on the interpretation and application of the
1995 DP Directive, the Court did not even mention either the Working Party or
this specific opinion.
In the opinion, the Working
Party discussed four elements of the definition, from which it deduces the
appropriate criteria for determining whether data should be regarded as
personal data within the meaning of the directive. They can be paraphrased
as follows:
-
The first element: “any information”:
The WP concludes that
these words indicate that the concept of personal data should be interpreted
broadly, and not limited to matters relating to a person’s private and family
life stricto senso (as has wrongly
been done in the UK under the Durant decision, and as appears to also underpin the Court’s judgment). It also covers
information in any form, including documents, photographs, videos, audio and biometric
data, body tissues and DNA.
-
The second element: “relating to”:
In general terms,
information can be considered to “relate” to an individual when it is about
that individual. However, data about “things” can also be personal data, if the
object in question is closely associated with a specific individual (e.g.,
mobile phone location data). This is of increasing importance in the era of the
Internet of Things. Important in relation to the CJEU judgment, the WP29 adds
the following consideration, with reference to an earlier opinion, on radio frequency identification (RFID) tags, WP105 of 19 January 2005 (original italics and bold; underlining added):
In the context of discussions on the data protection
issues raised by RFID tags, the Working Party noted that "data relates to an individual if it refers
to the identity, characteristics or behaviour of an individual or if such
information is used to determine or influence the way in which that person is
treated or evaluated."
...
[I]n order to consider that the data “relate” to an
individual, a "content"
element OR a "purpose"
element OR a "result" element should be present.
The “content”
element is present in those cases where - corresponding to the most obvious and
common understanding in a society of the word "relate" - information
is given about a particular person, regardless of any purpose on the side of
the data controller or of a third party, or the impact of that information on
the data subject.
...
Also a "purpose"
element can be responsible for the fact that information "relates" to
a certain person. That “purpose” element can be considered to exist when the
data are used or are likely to be used, taking into account all the
circumstances surrounding the precise case, with the purpose to evaluate, treat
in a certain way or influence the status or behaviour of an individual.
...
A third kind of 'relating' to specific persons arises
when a "result" element is
present. Despite the absence of a "content" or "purpose"
element, data can be considered to "relate" to an individual
because their use is likely to have an impact on a certain person's rights and
interests, taking into account all the circumstances surrounding the precise
case. It should be noted that it is not necessary that the potential result
be a major impact. It is sufficient if the individual may be treated
differently from other persons as a result of the processing of such data.
...
These three elements (content,
purpose, result) must be considered as alternative conditions, and not as
cumulative ones. In particular, where the content element is present, there
is no need for the other elements to be present to consider that the information
relates to the individual. A corollary of this is that the same piece of information
may relate to different individuals at the same time, depending on what element
is present with regard to each one. The same information may relate to individual
Titius because of the "content" element (the data is clearly about
Titius), AND to Gaius because of the "purpose" element (it will be
used in order to treat Gaius in a certain way) AND to Sempronius because of the
"result" element (it is likely to have an impact on the rights and
interests of Sempronius). This means also that it is not necessary that the
data "focuses" on someone in order to consider that it relates to him.
...
The “legal analyses” that the CJEU ruled were not personal data are
clearly covered by the above: they are the very basis on which the data
subjects in questions (asylum seekers) were “treated” and “evaluated”. To apply
the reasoning of the Working Party: they determine whether Titius should be
treated the same way as Gaius or not; and they may also have an impact on the
rights and interests of Sempronius.
This is also crucially important in relation to
“profiles”. Under the judgment, states and companies could argue that
individuals should also not have a right to challenge the accuracy of a profile,
any more than the accuracy of a legal analysis; and that, indeed, they are not
entitled to be provided on demand with the elements used in the creation of a
profile. After all, a profile, by definition, is also based on an abstract
analysis of facts and assumptions not specifically related to the data subject
– although both are of course used in relation to the data subject, and
determine the way he or she is treated.
In
my opinion, the above is the most dangerous limitation flowing from the Court’s
judgment.
-
The third element: “identified or identifiable”:
Although this issue did not arise in the CJEU cases, it is still
crucial, in particular in relation to the ever-increasing and
ever-more-widely-available massive sets of “Big Data”. In the opinion of the
WP, the core issue is whether a person is, or can be, singled out from the
data, whether by name or not. A name sometimes suffices for this, but often
not, while a photograph or an identity number often does allow such singling
out even if no other details of the person are known. In relation to
pseudonymised or supposedly anonymised data, the WP concluded (with reference
to the recitals in the 1995 directive) that the central issue is whether the
person can be identified (singled out), whether by the data controller or by
any other person, “taking account of all
the means likely reasonably to be used either by the controller or by any other
person to identify that individual.”
-
The fourth element: “natural person”:
In principle, personal data are data relating to identified or
identifiable living individuals. There are some issues relating to data on
deceased persons and unborn children: these can often still (also) relate to
living individuals, in the way discussed above, and would then still be
personal data in relation to those latter individuals. Data on legal entities
can sometimes also, similarly, relate to living individuals associated with
those entities. Also, in some contexts some data protection rights are
expressly extended to legal persons (companies etc.) per se, in particular under the so-called “e-Privacy Directive”.
But that is a special case. This too, however, was not an issue relevant to the
CJEU judgment.
Until the CJEU judgment,
it could be assumed that as long as the General Data Protection Regulation used
the same definition of personal data as the 1995 DP Directive, the above
elements and criteria could simply be read into the new instrument.
However, the judgment
could result in the definition in the GDPR being read in accordance with the
Court’s restricted views, rather than in line with the WP29 guidance.
In my opinion, if the EU wishes to retain a strong
European data protection framework, as is often asserted, it is essential that
the GDPR expressly (if of course briefly) endorses the WP29 view of the issue,
rather than the CJEU’s one.
Below, I suggest
amendments to the definition of the concept of personal data in the GDPR that
would achieve that (some further amendments should be made to the recitals).
II.
Proposed amendments to
the GDPR
As can be seen from the Annexes, with the different definitions of personal data and
data subject in the Commission text of the GDPR and in the amended version of
the Regulation adopted by the EP (and with the corresponding definitions in the
current 1995 DP Directive), the definitions all say in essence that:
'personal data' means
any information relating to a data subject (with ‘data subject’ then defined as
“an identified or identifiable natural person”), or:
'personal data' means
any information relating to an identified or identifiable natural person -
which comes to the same
thing (and is in accordance with the current directive).
The EP text adds
clarification on when a person can be regarded as “identifiable”, on the lines
of the views of the Article 29 Working Party (drawing on a recital in the
current directive); and more specific provisions on “pseudonymous data” and
“encrypted data”.
However, neither text
adds clarification on the question of when data can be said to “relate” to a
(natural, living) persons – which is the issue so badly dealt with in the CJEU
judgment.
I propose that the
definition of “personal data” in the GDPR be expanded to expressly clarify the
question of when data can be said to “relate” to a person, by drawing on the
guidance of the Article 29 Working Party set out above; and by also expressly
clarifying that “profiles” always “relate” to any person to whom they may be
applied. Specifically, I propose that an additional paragraph be added to
Article 2(2), spelling out that:
“data relate to a person if they are about that
person, or about an object linked to that person; or if the data are used or
are likely to be used for the purpose of evaluating that person, or to treat that
person in a certain way or influence the status or behaviour of that person; or
if the use of the data is likely to have an impact on that person's rights and
interests. Profiles resulting from ‘profiling’ as defined in [Article 20 in the
Commission text/Article 4(3a) of the EP text] by their nature relate to any
person to whom they may be applied.”
The Annexes indicate more specifically how such an amendment could be incorporated into the current
(Commission and EP) texts of the Regulation.
Annex I
PROPOSED AMENDMENTS TO ARTICLE 4 OF THE GENERAL
DATA PROTECTION REGULATION:
(Added or amended text
in bold)
The proposed amendments
if applied to the Commission text:
(1) 'data subject' means an identified natural person or a natural
person who can be identified, directly or indirectly, by means reasonably
likely to be used by the controller or by any other natural or legal person, in
particular by reference to an identification number, location data, online
identifier or to one or more factors specific to the physical, physiological,
genetic, mental, economic, cultural or social identity of that person;
(2) 'personal data' means any information relating to a data
subject;
(2a) data
relate to a person if they are about that person, or about an object linked to
that person; or if the data are used or are likely to be used for the purpose of
evaluating that person, or to treat that person in a certain way or influence
the status or behaviour of that person; or if the use of the data is likely to
have an impact on that person's rights and interests. Profiles resulting from
‘profiling’ as defined in Article 20 by their nature relate to any person to
whom they may be applied.
The proposed amendments
if applied to the EP text:
(2) 'personal data' means any information relating to an
identified or identifiable natural person ('data subject');
(2a) an identifiable person is one who can be
identified, directly or indirectly, in particular by reference to an identifier
such as a name, an identification number, location data, unique identifier or
to one or more factors specific to the physical, physiological, genetic,
mental, economic, cultural or social or gender identity of that person;
(2b) data
relate to a person if they are about that person, or about an object linked to
that person; or if the data are used or are likely to be used for the purpose of
evaluating that person, or to treat that person in a certain way or influence
the status or behaviour of that person; or if the use of the data is likely to
have an impact on that person's rights and interests. Profiles resulting from
‘profiling’ as defined in paragraph (3a) by their nature relate to any person
to whom they may be applied.
(2c) 'pseudonymous data'
means personal data that cannot be attributed to a specific data subject
without the use of additional information, as long as such additional
information is kept separately and subject to technical and organisational
measures to ensure non-attribution;
(2d)
‘encrypted data’ means personal data, which through technological protection
measures is rendered unintelligible to any person who is not authorised to
access it;
NB: The actual
Commission and EP texts are set out in Annex II
Annex II
The
definition of “personal data” in the original Commission text of the GDPR and
in the amended version of the Regulation adopted by the European Parliament:
Text proposed by the
Commission
|
Amendment
|
Definitions
|
Definitions
|
For the purposes of this
Regulation:
|
For the purposes of this
Regulation:
|
(1) 'data subject' means an
identified natural person or a natural person who can be identified, directly
or indirectly, by means reasonably likely to be used by the controller or by
any other natural or legal person, in particular by reference to an
identification number, location data, online identifier or to one or more
factors specific to the physical, physiological, genetic, mental, economic,
cultural or social identity of that person;
|
|
(2) 'personal data' means any
information relating to a data subject;
|
(2) 'personal data' means any
information relating to an identified or identifiable natural
person ('data subject'); an
identifiable person is one who can be identified, directly or indirectly, in
particular by reference to an identifier such as a name, an identification
number, location data, unique identifier or to one or more factors specific
to the physical, physiological, genetic, mental, economic, cultural or social
or gender identity of that person;
|
|
(2a) 'pseudonymous data' means personal data that
cannot be attributed to a specific data subject without the use of additional
information, as long as such additional information is kept separately and
subject to technical and organisational measures to ensure non-attribution;
|
|
(2b) ‘encrypted data’ means personal
data, which through technological protection measures is rendered
unintelligible to any person who is not authorised to access it;
|
Cf. the following definition in the current 1995 DP
Directive:
(a) 'personal data 'shall mean any information
relating to an identified or identifiable natural person ('data subject'); an
identifiable person is one who can be identified, directly or indirectly, in
particular by reference to an identification number or to one or more factors
specific to his physical, physiological, mental, economic, cultural or social
identity;