Wednesday 15 October 2014

The proposed General Data Protection Regulation: suggested amendments to the definition of personal data


Douwe Korff, Professor of International Law

I. Background

In a recent judgment (discussed previously on this blog) the third chamber of the CJEU has ruled that the concept of "personal data" in the 1995 data protection (DP) directive is limited to data directly relating to a person, and does not include legal analyses in the file on the person, on which the state (NL) relied in taking its decisions in relation to that person (Joined Cases C-141/12 and C-372/12). I believe the Court’s restriction of the concept is wrong and contrary to the intended purpose of data protection; and should be corrected in the new General Data Protection Regulation.

First of all, the Court based itself on the, in my opinion erroneous, view that the 1995 EC DP Directive was solely aimed at protecting privacy. In particular, it felt that the right of data subjects to access their personal data should not extend to a legal analysis of their case, contained in a file on them, because (in the Court’s view) such an analysis “is not in itself liable to be the subject of a check of its accuracy by [a data subject]”, and data subjects should not be able to use data protection to seek a rectification of such an analysis (cf. para. 44 of the judgment).

Secondly, the Court also relied on the fact that data of the kind at issue in the joined cases was administrative data held by a public authority and, drawing a parallel with EU regulations on privacy and access to documents, held that access to the legal analysis should be addressed under the latter rules rather than the former. This failed to take into account the fact that the EU rules referred to apply only to public (i.e., EU) bodies, whereas the 1995 DP Directive applies also, and indeed especially, to private-sector bodies (in particular companies) that are not subject to public-sector rules on access to administrative data.

The Court’s judgment, in sum, seriously limits the concept of personal data and the right of access to one’s personal data, and thus seriously limits the application of the entire EU data protection regime. It leaves individuals with seriously fewer rights in respect of data on them (or relating to them, or used to take decisions on them, or that affect them) than was previously thought.

Specifically, the judgment runs directly counter to the authoritative 2007 Article 29 Working Party (WP) Opinion on the concept of personal data (Opinion 4/2007, WP136, of 20 June 2007). This first of all noted that the purpose of data protection is not limited to a narrow concept of privacy – as is indeed also clear from the fact that data protection is guaranteed in the Charter of Fundamental Rights (CFR) as a separate right, sui generis, from the right to private life/privacy (data protection is guaranteed in Article 8 CFR; privacy in Article 7 CFR). Astonishingly, given that the WP29 is expressly charged with providing guidance on the interpretation and application of the 1995 DP Directive, the Court did not even mention either the Working Party or this specific opinion.

In the opinion, the Working Party discussed four elements of the definition, from which it deduces the appropriate criteria for determining whether data should be regarded as personal data within the meaning of the directive. They can be paraphrased as follows:

- The first element: “any information”:

The WP concludes that these words indicate that the concept of personal data should be interpreted broadly, and not limited to matters relating to a person’s private and family life stricto sensu (as has wrongly been done in the UK under the Durant decision, and as appears to also underpin the Court’s judgment). It also covers information in any form, including documents, photographs, videos, audio and biometric data, body tissues and DNA.

- The second element: “relating to”:

In general terms, information can be considered to “relate” to an individual when it is about that individual. However, data about “things” can also be personal data, if the object in question is closely associated with a specific individual (e.g., mobile phone location data). This is of increasing importance in the era of the Internet of Things. Importantly in relation to the CJEU judgment, the WP29 adds the following consideration, with reference to an earlier opinion, on radio frequency identification (RFID) tags, WP105 of 19 January 2005 (original italics and bold; underlining added):

In the context of discussions on the data protection issues raised by RFID tags, the Working Party noted that "data relates to an individual if it refers to the identity, characteristics or behaviour of an individual or if such information is used to determine or influence the way in which that person is treated or evaluated."
...
[I]n order to consider that the data “relate” to an individual, a "content" element OR a "purpose" element OR a "result" element should be present.
The “content” element is present in those cases where - corresponding to the most obvious and common understanding in a society of the word "relate" - information is given about a particular person, regardless of any purpose on the side of the data controller or of a third party, or the impact of that information on the data subject.
...
Also a "purpose" element can be responsible for the fact that information "relates" to a certain person. That “purpose” element can be considered to exist when the data are used or are likely to be used, taking into account all the circumstances surrounding the precise case, with the purpose to evaluate, treat in a certain way or influence the status or behaviour of an individual.
...
A third kind of 'relating' to specific persons arises when a "result" element is present. Despite the absence of a "content" or "purpose" element, data can be considered to "relate" to an individual because their use is likely to have an impact on a certain person's rights and interests, taking into account all the circumstances surrounding the precise case. It should be noted that it is not necessary that the potential result be a major impact. It is sufficient if the individual may be treated differently from other persons as a result of the processing of such data.
...
These three elements (content, purpose, result) must be considered as alternative conditions, and not as cumulative ones. In particular, where the content element is present, there is no need for the other elements to be present to consider that the information relates to the individual. A corollary of this is that the same piece of information may relate to different individuals at the same time, depending on what element is present with regard to each one. The same information may relate to individual Titius because of the "content" element (the data is clearly about Titius), AND to Gaius because of the "purpose" element (it will be used in order to treat Gaius in a certain way) AND to Sempronius because of the "result" element (it is likely to have an impact on the rights and interests of Sempronius). This means also that it is not necessary that the data "focuses" on someone in order to consider that it relates to him. ...

The “legal analyses” that the CJEU ruled were not personal data are clearly covered by the above: they are the very basis on which the data subjects in question (asylum seekers) were “treated” and “evaluated”. To apply the reasoning of the Working Party: they determine whether Titius should be treated the same way as Gaius or not; and they may also have an impact on the rights and interests of Sempronius.

This is also crucially important in relation to “profiles”. Under the judgment, states and companies could argue that individuals should also not have a right to challenge the accuracy of a profile, any more than the accuracy of a legal analysis; and that, indeed, they are not entitled to be provided on demand with the elements used in the creation of a profile. After all, a profile, by definition, is also based on an abstract analysis of facts and assumptions not specifically related to the data subject – although both are of course used in relation to the data subject, and determine the way he or she is treated.

In my opinion, the above is the most dangerous limitation flowing from the Court’s judgment.

- The third element: “identified or identifiable”:

Although this issue did not arise in the CJEU cases, it is still crucial, in particular in relation to the ever-increasing and ever-more-widely-available massive sets of “Big Data”. In the opinion of the WP, the core issue is whether a person is, or can be, singled out from the data, whether by name or not. A name sometimes suffices for this, but often not, while a photograph or an identity number often does allow such singling out even if no other details of the person are known. In relation to pseudonymised or supposedly anonymised data, the WP concluded (with reference to the recitals in the 1995 directive) that the central issue is whether the person can be identified (singled out), whether by the data controller or by any other person, “taking account of all the means likely reasonably to be used either by the controller or by any other person to identify that individual”.

- The fourth element: “natural person”:

In principle, personal data are data relating to identified or identifiable living individuals. There are some issues relating to data on deceased persons and unborn children: these can often still (also) relate to living individuals, in the way discussed above, and would then still be personal data in relation to those latter individuals. Data on legal entities can sometimes also, similarly, relate to living individuals associated with those entities. Also, in some contexts some data protection rights are expressly extended to legal persons (companies etc.) per se, in particular under the so-called “e-Privacy Directive”. But that is a special case. This too, however, was not an issue relevant to the CJEU judgment.

Until the CJEU judgment, it could be assumed that as long as the General Data Protection Regulation used the same definition of personal data as the 1995 DP Directive, the above elements and criteria could simply be read into the new instrument.

However, the judgment could result in the definition in the GDPR being read in accordance with the Court’s restricted views, rather than in line with the WP29 guidance.

In my opinion, if the EU wishes to retain a strong European data protection framework, as is often asserted, it is essential that the GDPR expressly (if of course briefly) endorses the WP29 view of the issue, rather than the CJEU’s one.

Below, I suggest amendments to the definition of the concept of personal data in the GDPR that would achieve that (some further amendments should be made to the recitals).

II. Proposed amendments to the GDPR

As can be seen from the Annexes, with the different definitions of personal data and data subject in the Commission text of the GDPR and in the amended version of the Regulation adopted by the EP (and with the corresponding definitions in the current 1995 DP Directive), the definitions all say in essence that:

'personal data' means any information relating to a data subject (with ‘data subject’ then defined as “an identified or identifiable natural person”), or:
'personal data' means any information relating to an identified or identifiable natural person -
which comes to the same thing (and is in accordance with the current directive).

The EP text adds clarification on when a person can be regarded as “identifiable”, on the lines of the views of the Article 29 Working Party (drawing on a recital in the current directive); and more specific provisions on “pseudonymous data” and “encrypted data”.

However, neither text adds clarification on the question of when data can be said to “relate” to a (natural, living) person – which is the issue so badly dealt with in the CJEU judgment.

I propose that the definition of “personal data” in the GDPR be expanded to expressly clarify the question of when data can be said to “relate” to a person, by drawing on the guidance of the Article 29 Working Party set out above; and by also expressly clarifying that “profiles” always “relate” to any person to whom they may be applied. Specifically, I propose that an additional paragraph be added to Article 2(2), spelling out that:

“data relate to a person if they are about that person, or about an object linked to that person; or if the data are used or are likely to be used for the purpose of evaluating that person, or to treat that person in a certain way or influence the status or behaviour of that person; or if the use of the data is likely to have an impact on that person's rights and interests. Profiles resulting from ‘profiling’ as defined in [Article 20 in the Commission text/Article 4(3a) of the EP text] by their nature relate to any person to whom they may be applied.”

The Annexes indicate more specifically how such an amendment could be incorporated into the current (Commission and EP) texts of the Regulation.


Annex I

PROPOSED AMENDMENTS TO ARTICLE 4 OF THE GENERAL DATA PROTECTION REGULATION:

(Added or amended text in bold)

The proposed amendments if applied to the Commission text:

(1) 'data subject' means an identified natural person or a natural person who can be identified, directly or indirectly, by means reasonably likely to be used by the controller or by any other natural or legal person, in particular by reference to an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person;

(2) 'personal data' means any information relating to a data subject;

(2a) data relate to a person if they are about that person, or about an object linked to that person; or if the data are used or are likely to be used for the purpose of evaluating that person, or to treat that person in a certain way or influence the status or behaviour of that person; or if the use of the data is likely to have an impact on that person's rights and interests. Profiles resulting from ‘profiling’ as defined in Article 20 by their nature relate to any person to whom they may be applied.

The proposed amendments if applied to the EP text:

(2) 'personal data' means any information relating to an identified or identifiable natural person ('data subject');

(2a) an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, unique identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social or gender identity of that person;

(2b) data relate to a person if they are about that person, or about an object linked to that person; or if the data are used or are likely to be used for the purpose of evaluating that person, or to treat that person in a certain way or influence the status or behaviour of that person; or if the use of the data is likely to have an impact on that person's rights and interests. Profiles resulting from ‘profiling’ as defined in paragraph (3a) by their nature relate to any person to whom they may be applied.

(2c) 'pseudonymous data' means personal data that cannot be attributed to a specific data subject without the use of additional information, as long as such additional information is kept separately and subject to technical and organisational measures to ensure non-attribution;

(2d) ‘encrypted data’ means personal data, which through technological protection measures is rendered unintelligible to any person who is not authorised to access it;

NB: The actual Commission and EP texts are set out in Annex II


Annex II 

The definition of “personal data” in the original Commission text of the GDPR and in the amended version of the Regulation adopted by the European Parliament:

Text proposed by the Commission:

Definitions

For the purposes of this Regulation:

(1) 'data subject' means an identified natural person or a natural person who can be identified, directly or indirectly, by means reasonably likely to be used by the controller or by any other natural or legal person, in particular by reference to an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person;

(2) 'personal data' means any information relating to a data subject;

Amendment:

Definitions

For the purposes of this Regulation:

(2) 'personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, unique identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social or gender identity of that person;

(2a) 'pseudonymous data' means personal data that cannot be attributed to a specific data subject without the use of additional information, as long as such additional information is kept separately and subject to technical and organisational measures to ensure non-attribution;

(2b) ‘encrypted data’ means personal data, which through technological protection measures is rendered unintelligible to any person who is not authorised to access it;

Cf. the following definition in the current 1995 DP Directive:

(a) 'personal data' shall mean any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;
