Tissue Samples and Graffiti: Personal Data and the Article 29 Working Party

July 25, 2007

The Article 29 Working Party has finally released its long-awaited opinion on the definition of personal data.[1] The opinion, unsurprisingly, defines this term broadly and introduces a new four-stage test to determine what constitutes personal data. This article considers the background to this opinion and the elements of this new test, and contrasts this with the current position in some Member States.


1. A Key Definition


The definition of ‘personal data’ is central to the Data Protection Directive (95/46/EC). It determines the ambit of the Directive and the activities that fall inside or outside its scope. Accordingly, a common interpretation of this term is important to ensure the harmonisation of data protection rules across the European Union.


With this in mind, the Article 29 Working Party has approached this term broadly on the basis that any difficulties a broad definition imposes should be dealt with by applying the other rules within the Directive flexibly and proportionately (i.e. information which is only ‘barely’ personal data ought to be dealt with less strictly than information that relates more directly to an individual’s privacy).


While the opinion is long and detailed – running to 26 pages – it doesn’t address the additional requirement that the personal data be either processed automatically or be part of a structured filing system (Article 3(1)). This omission is somewhat surprising given that this is an intrinsic part of what is and is not personal data, and that questions over the extent of structured filing systems commonly arise. For example, there have been some controversial judicial decisions on this topic, such as the UK case of Michael John Durant v Financial Services Authority [2003] EWCA Civ 1746.


2. The New Four-stage Personal Data Test


Personal data is defined as: ‘any information relating to an identified or identifiable natural person (“data subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity’.


The Article 29 Working Party has derived four key tests from this definition to determine what constitutes personal data.


2.1 Step 1: Is it information?


The reference to ‘any information’ should be interpreted widely. It extends to both objective information, such as someone’s height or weight, and also subjective information, such as an assessment of someone’s creditworthiness or competence.


The format of the information is also construed broadly and includes information stored as images, for example from a video camera, as well as audio recordings, such as recorded telephone calls. Biometric information should also be considered as information for this purpose, even if there is an element of probability in matching that biometric information to an individual.


In fact the Article 29 Working Party gives only one example of something that might not be information for these purposes: human tissue samples. However, even then the extraction of information from those samples, such as DNA, would create information that would engage data protection rules.


2.2 Step 2: Does it relate to a person?


The more interesting issue is whether that information relates to an individual. In the UK this is interpreted as requiring the information actually to affect the individual’s privacy so that a mere mention of the individual is not sufficient to mean that information is personal data (see 3.1 UK: A Privacy Link below).


The Article 29 Working Party firmly rejects any such qualification. This step should instead be approached very broadly by looking at whether the information relates to an individual by reference to its content, purpose or result. These elements are alternative requirements, not cumulative requirements, and mean:


· content – this is information that is actually about an individual. This is the most obvious and common situation in which information will relate to an individual. A classic example is medical records, which are clearly about, and relate to, an individual.

· purpose – this applies to information that is collected with the intention of evaluating, affecting or influencing a particular individual. One example would be photos of graffiti tags collected to identify vandals (see 2.3 Step 3: Is that person identified or identifiable? below). The need for such a forward-looking concept is somewhat odd. At the point the information is actually linked to the individual it will become personal data and subject to the Directive, and the rationale for bringing it within the scope of the Directive before then is not clear.

· result – finally, information may relate to an individual if the use of that information is likely to have an impact on that particular individual (i.e. he or she may be treated differently to other individuals as a result of that information). The boundaries of this concept are far from clear. It is worth considering an example. A company may be in the process of assessing which supplier should be awarded a contract. For some suppliers, this may result in a particular sales executive at that supplier receiving a bonus. However, from the company’s perspective, it seems perverse to say that this assessment, and any subsequent decision, is subject to the Directive because it may have a result on that sales executive and therefore is information relating to him or her.


It is self-evident that information about a person (the content concept) will also relate to that person. However, the need for the purpose or result concept is far from clear and significantly blurs the boundaries of what is and is not personal data.


2.3 Step 3: Is that person identified or identifiable?


The next step, whether that particular person is identified or identifiable, is another area in which difficult issues can arise in practice.


The Opinion considers that identification might be direct, for example through the person’s name, or indirect, for example through the person’s telephone number, car registration number or a combination of criteria (such as age, occupation and place of residence) that uniquely distinguish him. This is highly context specific so, for example, the name Christian Schmidt may identify an individual in a small company but would not identify him among the whole population of Germany.


While a person will most commonly be identified by his or her name, this is not an essential requirement and the Article 29 Working Party interprets this concept as including information by which a particular individual can be ‘distinguished’ from other members of a group.


One useful example of this is cookies. In many cases it may be practically impossible to link a cookie back to a particular individual’s name and address (unless the user has voluntarily supplied this information to the website owner). However, the cookie can still uniquely locate that particular web surfer in the online world by distinguishing him or her from others and therefore ought to be treated as personal data. This is certainly the position of the UK Information Commissioner in his recent guidance on websites.[2]


The Opinion also examines the concept of an identifiable individual: whether someone is ‘identifiable’ is determined in light of ‘all the means likely reasonably to be used either by the controller or by any other person to identify the said person’ (Recital 26). This issue should be considered by reference to a range of factors including the purpose of the information, the structure of the processing, the advantage to the data controller, the interests of the individual and the risk of technical or organisational failures. This analysis generously concludes that if the ‘possibility [of identifying the person] does not exist or is negligible, the person should not be considered as “identifiable”’.


One unusual example in the Opinion is a transport company keeping photos of graffiti ‘tags’ marked on their vehicles. While the identity of the vandals is probably not known at the time the image is stored and recorded, the purpose of the exercise is subsequently to identify them at a future date. This makes it reasonably likely that the vandals will be identified in the future and therefore these images should be considered as personal data and subject to the data protection rules.


The Article 29 Working Party also spends a reasonable amount of time considering pseudonymised, key-coded and anonymous data, mostly by reference to medical details and clinical trials. This mainly concentrates on whether the pseudonymisation or key-coding process can be reversed by the data controller or any other person in order to identify the individual. If it can, then the data ought to be treated as personal data. This is also consistent with the concept mentioned above that unique identifiers ought to be considered as personal data, even if they can’t be linked back to each individual’s actual name and address.


In contrast, where information is statistical in nature and the sample is sufficiently large, it is likely to be truly anonymous and it will not be possible to identify an individual. 
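The reversibility question in the two preceding paragraphs turns on who can get from the code back to the person. The following Python example is added here to make that concrete; it is not taken from the Opinion or from the article’s authors, and the records, telephone-number-style identifiers and diagnoses in it are constructed for the illustration. It contrasts an unkeyed hash of a short identifier (which anyone who knows the identifier format can reverse by enumeration, so ‘any other person’ can identify the individual), key-coding with a secret key (reversible by the controller holding the key table, but not by an outsider), and a small aggregated table with low counts suppressed, which is the statistical case the Opinion treats as anonymous.

```python
"""Added illustration: when can a pseudonymised or key-coded record be traced
back to the individual?  Three cases are contrasted on an invented data set:

  1. a plain (unkeyed) hash of a low-entropy identifier, which anyone who knows
     the identifier's format can reverse by enumeration;
  2. key-coding with a secret key, which the key holder (the controller) can
     reverse but an outsider cannot;
  3. an aggregated statistical table with small cells suppressed.

All records, numbers and diagnoses here are constructed for the example.
"""
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed sample records.  The "phone" field is a deliberately tiny
# 4-digit identifier space so that the enumeration below runs instantly;
# a real telephone-number space is larger but still trivially enumerable.
SAMPLE_RECORDS = [
    {"phone": "0101", "age": 34, "diagnosis": "asthma"},
    {"phone": "0455", "age": 36, "diagnosis": "asthma"},
    {"phone": "0999", "age": 71, "diagnosis": "diabetes"},
    {"phone": "0102", "age": 33, "diagnosis": "asthma"},
]


def all_phone_numbers():
    """Every identifier an outsider could try: the whole 4-digit space."""
    return ("%04d" % i for i in range(10000))


def naive_pseudonymise(records):
    """Case 1: replace the identifier with its unkeyed SHA-256 digest."""
    return [
        {"pseudonym": hashlib.sha256(r["phone"].encode()).hexdigest(),
         "age": r["age"], "diagnosis": r["diagnosis"]}
        for r in records
    ]


def reverse_naive(pseudonymised):
    """Anyone ('any other person' in Recital 26 terms) can rebuild the
    mapping by hashing every candidate identifier: no key is involved."""
    rainbow = {hashlib.sha256(p.encode()).hexdigest(): p for p in all_phone_numbers()}
    return {row["pseudonym"]: rainbow.get(row["pseudonym"]) for row in pseudonymised}


def key_code(records, key):
    """Case 2: key-coding.  code = HMAC-SHA256(key, identifier), truncated.
    Returns the coded rows and the key table the controller retains."""
    coded, key_table = [], {}
    for r in records:
        code = hmac.new(key, r["phone"].encode(), hashlib.sha256).hexdigest()[:16]
        key_table[code] = r["phone"]
        coded.append({"code": code, "age": r["age"], "diagnosis": r["diagnosis"]})
    return coded, key_table


def reverse_with_key_table(coded, key_table):
    """The controller, holding the key table, re-identifies every row:
    in its hands the coded data remain personal data."""
    return {row["code"]: key_table[row["code"]] for row in coded}


def reverse_without_key(coded):
    """An outsider who knows the identifier format but not the key tries the
    same enumeration attack as in reverse_naive.  Because the codes depend on
    the secret key, no candidate matches and every lookup returns None."""
    guesses = {hashlib.sha256(p.encode()).hexdigest()[:16]: p for p in all_phone_numbers()}
    return {row["code"]: guesses.get(row["code"]) for row in coded}


def aggregate(records, band=10, min_cell=2):
    """Case 3: a statistical table (age band x diagnosis) with cells below
    min_cell suppressed so that no single individual stands out."""
    counts = Counter((r["age"] // band * band, r["diagnosis"]) for r in records)
    return {cell: n for cell, n in counts.items() if n >= min_cell}


if __name__ == "__main__":
    print("unkeyed hash reversed:", reverse_naive(naive_pseudonymise(SAMPLE_RECORDS)))
    coded, table = key_code(SAMPLE_RECORDS, secrets.token_bytes(32))
    print("controller re-identifies:", reverse_with_key_table(coded, table))
    print("outsider without key:", reverse_without_key(coded))
    print("aggregate:", aggregate(SAMPLE_RECORDS))
```

The practical check this encodes: a pseudonym is only as hard to reverse as the secret that went into it. Hashing a telephone number, national ID or date of birth without a key is not anonymisation, because the input space is small enough to enumerate; key-coding moves the question to who holds the key table, which is exactly the ‘controller or any other person’ test the Opinion applies.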


2.4 Step 4: Is the person a living natural person? 


Even this fairly straightforward issue is examined in some detail, including looking at the position of unborn children and frozen embryos.


Of more widespread application are the comments about dead people and legal persons. The Opinion acknowledges that while information about these types of person is not personal data per se it may still be subject to the Directive if it relates to an individual. The boundaries of this concept are far from clear. For example, is the annual report of a major company personal data about the chairman and chief executive? The information clearly relates to their performance in running the company.


Finally, the Opinion points out that some jurisdictions, such as Italy, Austria and Luxembourg, apply data protection laws to both natural and legal persons.


3. A Missed Opportunity?


When the Directive was adopted in 1995 there was a genuine concern that modern computer technology could be used to create large monolithic databases about individuals and that, if this was done in an uncontrolled manner, it could harm individuals’ privacy and integrity.


The requirements of the Directive are relatively straightforward when they are applied to this type of large monolithic database. However, in the last 12 years technology has become pervasive and we now have many more situations in which information about individuals is captured by computer technology. On the one hand this means good data protection laws are more important than ever to protect individuals from the relentless encroachment of technology. On the other hand it is becoming increasingly difficult to apply the rigid and bureaucratic rules of the Directive to the new forms of live and unstructured electronic data.


It is interesting to see how this challenge is being tackled in some Member States. 


3.1  UK: A Privacy Link?


The definition of personal data was considered by the UK Court of Appeal in the case of Durant. The impact of this decision is best summarised in a later case, Smith v Lloyds TSB Bank Plc [2005] EWHC 246 (Ch), on what constitutes personal data:


‘(a) .. not all information retrieved from a search against an individual’s name or unique identifier is personal data within the [UK Data Protection Act 1998], (b) .. mere mention of an individual in a document held by a data controller does not mean that the document contains personal data in relation to that individual, (c) .. whether information is capable of constituting personal data depends on where it falls in a continuum of relevance or proximity to the data subject, (d) .. in answering that question it is relevant to consider whether the information is biographical in a significant sense; and whether it has the putative data subject as its focus and, finally, (e) .. personal data is information that affects the privacy of the putative data subject, whether in his personal, business or professional capacity.’


Therefore, the information must somehow affect the individual’s privacy in order for it to be personal data. For example, an e-mail sent by an individual about company business in his or her capacity as employee of a company will not routinely be treated as personal data as it is not about that individual, it is about the company. This approach means that the data protection rules are targeted at, and only applied in, situations in which an individual’s privacy is at stake.


However, the Article 29 Working Party has firmly rejected this approach and has instead adopted an all embracing approach to this test based on its content, purpose and result model (see above Step 2: Does it relate to a person?).


This rejection also makes it seem more likely that the Commission will start infringement proceedings against the UK for failure to implement the Directive properly. However, until the UK Government actually changes the law or the ratio in Durant is overturned by the Court of Appeal or House of Lords, the UK will continue to be bound by the decision in Durant and not the Opinion of the Article 29 Working Party.


3.2 Sweden: Unstructured Electronic Personal Data


Another interesting approach to the ‘personal data’ concept is contained in the Swedish Personal Data Act (SFS 1998:204) which was amended on 1 January 2007. This relaxes the rules on unstructured electronic personal data – for example, information about individuals in the body of a Word document, in the body of text on a website or incidentally included in sound and picture recordings.


Under the new regime this type of unstructured electronic information will not be subject to detailed rules regarding its handling but instead will be subject to a less onerous ‘misuse model’, which simply requires that the information is not misused to the detriment of an individual’s personal integrity. Again, this approach helps to ensure that data protection rules are targeted where an individual’s privacy is most likely to be at risk without imposing undue burdens on data controllers.




The Article 29 Working Party Opinion does not look at these wider issues and instead seems to be directed at ensuring as expansive a definition of personal data as possible within the existing framework to prevent any ‘shadow zones’ within its scope. It may have been better if the Opinion had sought to focus the definition of ‘personal data’ more carefully to target situations in which the individual’s privacy might actually be affected. Similarly, it would have been interesting to look at other ways to influence the impact of this definition, for example by considering the measures available to Member States to ensure that when the Directive is engaged it acts in a manner that is proportionate and targeted, based on the actual risk to individuals’ privacy.




Christopher Millard is an SCL Fellow and a Partner at Linklaters LLP; Peter Church is a Solicitor at the London office of Linklaters LLP: christopher.millard@linklaters.com and peter.church@linklaters.com








[1]    Opinion 4/2007 on the concept of personal data (WP 136) – http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2007/wp136_en.pdf



[2]    Data Protection Good Practice Note, Collecting personal information using websites – http://www.ico.gov.uk/upload/documents/library/data_protection/practical_application/collecting_personal_information_from_websites_v1.0.pdf