The Proposed General Data Protection Regulation: Suggested Amendments to the Definition of Personal Data
November 27, 2018
Douwe Korff, Professor of International Law
I. Background
In a recent judgment (discussed previously on this blog) the Third Chamber of the CJEU has ruled that the concept of "personal data" in the 1995 data protection (DP) directive is limited to data directly relating to a person, and does not include legal analyses in the file on the person, on which the State (NL) relied in taking its decisions in relation to that person (Joined Cases C-141/12 and C-372/12). I believe the Court’s restriction of the concept is incorrect and contrary to the intended purpose of data protection; and should be corrected in the new General Data Protection Regulation.
First of all, the Court based itself on the, in my opinion erroneous, view that the 1995 EC DP Directive was only aimed at protecting privacy. In particular, it felt that the right of data subjects to access to their personal data should not extend to a legal analysis of their case, contained in a file on them, because (in the Court’s view) such an analysis “is not in itself liable to be the subject of a check of its accuracy by [a data subject]”, and data subjects should not be able to use data protection to seek a rectification of such an analysis (cf. para. 44 of the judgment).
Secondly, the Court also relied on the fact that data of the kind at issue in the joined cases was administrative data held by a public authority and, drawing a parallel with European Union regulations on privacy and access to documents, held that access to the legal analysis should be addressed under the latter rules rather than the former. This failed to take into account the fact that the European Union rules referred to apply only to public (i.e., EU) bodies, whereas the 1995 DP Directive applies also, and indeed especially, to private-sector bodies (in particular companies) that are not subject to public-sector rules on access to administrative data.
The Court’s judgment, in sum, seriously limits the concept of personal data and the right of access to one’s personal data, and therefore seriously limits the application of the entire European Union data protection regime. It leaves individuals with seriously fewer rights in respect of data on them (or relating to them, or used to take decisions on them, or that affect them) than was previously thought.
Specifically, the judgment runs directly counter to the authoritative 2007 Article 29 Working Party (WP) Opinion on the concept of personal data (Opinion 4/2007, WP136, of 20 June 2007). This first of all noted that the purpose of data protection is not limited to a narrow concept of privacy – as is indeed also clear from the fact that data protection is guaranteed in the Charter of Fundamental Rights (CFR) as a separate right, sui generis, from the right to private life/privacy (data protection is guaranteed in Article 8 CFR; privacy in Article 7 CFR). Astonishingly, given that the WP29 is expressly charged with providing guidance on the interpretation and application of the 1995 DP Directive, the Court did not even cite either the Working Party or this specific opinion.
In the opinion, the Working Party discussed four elements of the definition, from which it deduces the appropriate criteria for determining whether data should be regarded as personal data within the meaning of the directive. They can be paraphrased as follows:
- The first element: “any information”:
The WP concludes that these words indicate that the concept of personal data should be interpreted broadly, and not limited to matters relating to a person’s private and family life stricto sensu (as has wrongly been done in the United Kingdom under the Durant decision, and as appears to also underpin the Court’s judgment). It also covers information in any form, including documents, photographs, videos, sound and biometric data, body tissues and DNA.
- The second element: “relating to”:
In general terms, data can be considered to “relate” to an individual when it is about that individual. However, data about “things” can also be personal data, if the object in question is closely associated with a specific individual (e.g., mobile phone location data). This is of increasing importance in the era of the Internet of Things. Important in relation to the CJEU judgment, the WP29 adds the following consideration, with reference to an earlier opinion, on radio frequency identification (RFID) tags, WP105 of 19 January 2005 (original italics and bold; underlining added):
In the context of discussions on the data protection issues raised by RFID tags, the Working Party noted that "data relates to an individual if it refers to the identity, characteristics or conduct of an individual or if such information is used to determine or influence the way in which that person is treated or evaluated."
...
[I]n order to consider that the data “relate” to an individual, a "content" element OR a "purpose" element OR a "result" element should be present.
The “content” element is present in those cases where - corresponding to the most obvious and common understanding in a society of the word "relate" - information is given about a particular person, regardless of any purpose on the side of the data controller or of a third party, or the impact of that information on the data subject.
...
Also a "purpose" element can be responsible for the fact that information "relates" to a certain person. That “purpose” element can be considered to exist when the data are used or are likely to be used, taking into account all the circumstances surrounding the precise case, with the purpose to evaluate, treat in a certain way or influence the status or conduct of an individual.
...
A third kind of 'relating' to specific persons arises when a "result" element is present. Despite the absence of a "content" or "purpose" element, data can be considered to "relate" to an individual because their use is likely to have an impact on a certain person's rights and interests, taking into account all the circumstances surrounding the precise case. It should be noted that it is not necessary that the potential result be a major impact. It is sufficient if the individual may be treated differently from other persons as a result of the processing of such data.
...
These three elements (content, purpose, result) must be considered as alternative conditions, and not as cumulative ones. In particular, where the content element is present, there is no need for the other elements to be present to consider that the information relates to the individual. A corollary of this is that the same piece of information may relate to different individuals at the same time, depending on what element is present with regard to each one. The same information may relate to individual Titius because of the "content" element (the information is clearly about Titius), AND to Gaius because of the "purpose" element (it will be used in order to treat Gaius in a certain way) AND to Sempronius because of the "result" element (it is likely to have an impact on the rights and interests of Sempronius). This means also that it is not necessary that the data "focuses" on someone in order to consider that it relates to him. ...
The “legal analyses” that the CJEU ruled were not personal data are clearly covered by the above: they are the very basis on which the data subjects in question (asylum seekers) were “treated” and “evaluated”. To apply the reasoning of the Working Party: they determine whether Titius should be treated the same way as Gaius or not; and they may also have an impact on the rights and interests of Sempronius.
This is also crucially important in relation to “profiles”. Under the judgment, states and companies could argue that individuals should also not have a right to challenge the accuracy of a profile, any more than the accuracy of a legal analysis; and that, indeed, they are not entitled to be provided on demand with the elements used in the creation of a profile. After all, a profile, by definition, is also based on an abstract analysis of facts and assumptions not specifically related to the data subject – although both are of course used in relation to the data subject, and determine the way he or she is treated.
In my opinion, the above is the most dangerous limitation flowing from the Court’s judgment.
- The third element: “identified or identifiable”:
Although this issue did not arise in the CJEU cases, it is still crucial, in particular in relation to the ever-increasing and ever-more-widely-available massive sets of “Big Data”. In the view of the WP, the core issue is whether a person is, or can be, singled out from the data, whether by name or not. A name sometimes suffices for this, but often not, while a photograph or an identity number often does allow such singling out even if no other details of the person are known. In relation to pseudonymised or supposedly anonymised data, the WP concluded (with reference to the recitals in the 1995 directive) that the key issue is whether the person can be identified (singled out), whether by the data controller or by any other person, “taking account of all the means likely reasonably to be used either by the controller or by any other person to identify that individual.”
- The fourth element: “natural person”:
In principle, personal data are data relating to identified or identifiable living individuals. There are some issues relating to data on deceased persons and unborn children: these can often still (also) relate to living individuals, in the way discussed above, and would then still be personal data in relation to those latter individuals. Data on legal entities can sometimes also, similarly, relate to living individuals associated with those entities. Also, in some contexts some data protection rights are expressly extended to legal persons (companies etc.) per se, in particular under the so-called “e-Privacy Directive”. But that is a special case. This too, however, was not an issue relevant to the CJEU judgment.
Until the CJEU judgment, it could be assumed that as long as the General Data Protection Regulation used the same definition of personal data as the 1995 DP Directive, the above elements and criteria could simply be read into the new instrument.
However, the judgment could result in the definition in the GDPR being read in accordance with the Court’s restricted views, rather than in line with the WP29 guidance.
In my opinion, if the European Union wishes to retain a strong European data protection framework, as is often asserted, it is essential that the GDPR expressly (if of course briefly) endorses the WP29 view of the issue, rather than the CJEU’s one.
Below, I suggest amendments to the definition of the concept of personal data in the GDPR that would achieve that (some further amendments should be made to the recitals).
II. Proposed amendments to the GDPR
As can be seen from the Annexes, with the different definitions of personal data and data subject in the Commission text of the GDPR and in the amended version of the Regulation adopted by the EP (and with the corresponding definitions in the current 1995 DP Directive), the definitions all say in essence that:
'personal data' means any information relating to a data subject (with ‘data subject’ then defined as “an identified or identifiable natural person”), or:
'personal data' means any information relating to an identified or identifiable natural person -
which comes to the same thing (and is in accordance with the current directive).
The EP text adds clarification on when a person can be regarded as “identifiable”, on the lines of the views of the Article 29 Working Party (drawing on a recital in the current directive); and more specific provisions on “pseudonymous data” and “encrypted data”.
However, neither text adds clarification on the question of when data can be said to “relate” to a (natural, living) person – which is the issue so badly dealt with in the CJEU judgment.
I suggest that the definition of “personal data” in the GDPR be expanded to expressly clarify the question of when data can be said to “relate” to a person, by drawing on the guidance of the Article 29 Working Party set out above; and by also expressly clarifying that “profiles” always “relate” to any person to whom they may be applied. Specifically, I suggest that an additional paragraph be added to Article 2(2), spelling out that:
“data relate to a person if they are about that person, or about an object linked to that person; or if the data are used or are likely to be used for the purpose of evaluating that person, or to treat that person in a certain way or influence the status or conduct of that person; or if the use of the data is likely to have an impact on that person's rights and interests. Profiles resulting from ‘profiling’ as defined in [Article 20 in the Commission text/Article 4(3a) of the EP text] by their nature relate to any person to whom they may be applied.”
The Annexes indicate more specifically how such an amendment could be incorporated into the current (Commission and EP) texts of the Regulation.
Annex I
PROPOSED AMENDMENTS TO ARTICLE 4 OF THE GENERAL DATA PROTECTION REGULATION:
(Added or amended text in bold)
The proposed amendments if applied to the Commission text:
(1) 'data subject' means an identified natural person or a natural person who can be identified, directly or indirectly, by means reasonably likely to be used by the controller or by any other natural or legal person, in particular by reference to an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person;
(2) 'personal data' means any information relating to a data subject;
(2a) data relate to a person if they are about that person, or about an object linked to that person; or if the data are used or are likely to be used for the purpose of evaluating that person, or to treat that person in a certain way or influence the status or conduct of that person; or if the use of the data is likely to have an impact on that person's rights and interests. Profiles resulting from ‘profiling’ as defined in Article 20 by their nature relate to any person to whom they may be applied.
The proposed amendments if applied to the EP text:
(2) 'personal data' means any information relating to an identified or identifiable natural person ('data subject');
(2a) an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, unique identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social or gender identity of that person;
(2b) data relate to a person if they are about that person, or about an object linked to that person; or if the data are used or are likely to be used for the purpose of evaluating that person, or to treat that person in a certain way or influence the status or conduct of that person; or if the use of the data is likely to have an impact on that person's rights and interests. Profiles resulting from ‘profiling’ as defined in paragraph (3a) by their nature relate to any person to whom they may be applied.
(2c) 'pseudonymous data' means personal data that cannot be attributed to a specific data subject without the use of additional information, as long as such additional information is kept separately and subject to technical and organisational measures to ensure non-attribution;
(2d) ‘encrypted data’ means personal data, which through technological protection measures is rendered unintelligible to any person who is not authorised to access it;
NB: The actual Commission and EP texts are set out in Annex II
Annex II
The definition of “personal data” in the original Commission text of the GDPR and in the amended version of the Regulation adopted by the European Parliament:
Text proposed past times the Commission | Amendment |
Definitions | Definitions |
For the purposes of this Regulation: | For the purposes of this Regulation: |
(1) 'data subject' means an identified natural person or a natural person who can be identified, directly or indirectly, by means reasonably likely to be used by the controller or by any other natural or legal person, in particular by reference to an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person; | |
(2) 'personal data' means any information relating to a data subject; | (2) 'personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, unique identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social or gender identity of that person; |
| (2a) 'pseudonymous data' means personal data that cannot be attributed to a specific data subject without the use of additional information, as long as such additional information is kept separately and subject to technical and organisational measures to ensure non-attribution; |
| (2b) ‘encrypted data’ means personal data, which through technological protection measures is rendered unintelligible to any person who is not authorised to access it; |
Cf. the following definition in the current 1995 DP Directive:
(a) 'personal data' shall mean any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;