" Working on a common definition of the notion of personal data is tantamount to defining what falls inside or outside the scope of data protection rules."
Article 29 Working Party, Opinion on Personal Data (WP 136)
The definition of personal data is central to the Data Protection Directive. It determines the activities that fall within the scope of the Directive and a common interpretation of this term is important to ensure the harmonisation of data protection rules across the European Union. Minor variations in the treatment of this definition have a disproportionate impact on the ambit of European data protection legislation, either sweeping large areas of commercial activity into an unintended regulatory quagmire, or, alternatively, depriving individuals of entirely legitimate rights to privacy.
The last 12 months have seen a number of significant decisions or pronouncements on this key "personal data" concept. As a result, one of the aims of Data Protected 2008 was to look at the interpretation of this term across Europe to determine if the various states approach it in a manner consistent with each other and with European jurisprudence. The report shows that, in general, most states follow the definition in the Data Protection Directive and interpret this term in a broad manner consistent with the approach of the Article 29 Working Party. However, there are exceptions and some major jurisdictions continue to apply a more restrictive approach to this definition.
The interpretation of the term personal data in Europe must of course start with the Data Protection Directive itself:
"personal data" shall mean any information relating to an identified or identifiable natural person ("data subject"); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity."
This broad definition is refined somewhat in recital 26, which states "to determine whether a person is identifiable, account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the said person".
The term was also considered in the case of Bodil Lindqvist (Case C-101/01), which had to consider if information about individuals placed on a website was personal data. The European Court of Justice decided that "referring, on an internet page, to various persons and identifying them by name or by other means, for instance by giving their telephone number or information regarding their working conditions and hobbies, constitutes the processing of personal data".
This indicates that a relatively broad interpretation ought to be taken and clarifies that certain types of information, such as telephone numbers, should be categorised in this manner. However, subsequent guidance indicates that an even broader approach should be considered.
The Article 29 Working Party, Opinion on Personal Data
The most influential guidance on the approach to personal data is the Article 29 Working Party’s Opinion on Personal Data released in June 2007. It intentionally applies as broad an interpretation as possible on the basis that any difficulties that arise as a result should be dealt with by applying the other rules within the directive flexibly and proportionally, i.e. information which is only "barely" personal data ought to be dealt with less strictly than information that relates more directly to an individual’s privacy.
According to the Opinion on Personal Data, four questions must be considered:
Step 1: Is it information?
The Opinion on Personal Data states that "information" should be interpreted widely. Most practitioners will not be surprised to learn that it includes both objective information, such as someone’s height or weight, and also subjective information, such as an assessment of someone’s creditworthiness or competence.
The format of the information is also construed broadly and includes images as well as audio recordings. Biometric information should also be considered as information for this purpose, even if there is an element of probability in matching that biometric information to an individual.
Step 2: Does it relate to a person?
The opinion takes a similarly broad approach to the more controversial question of whether that information "relates to" an individual. In particular, it firmly rejects any qualification that the information must actually affect the individual’s privacy (as is the case in the United Kingdom, described below).
Instead, information may relate to an individual by reference to its content, purpose or result. These elements are alternative, and not cumulative, requirements and mean:
content - this is information that is actually about an individual. This is the most obvious and common situation in which information will relate to an individual. A classic example is medical records, which are clearly about, and relate to, an individual.
purpose - this applies to information that is collected with the intention of evaluating, affecting or influencing a particular individual. One example would be photos of graffiti tags collected to identify vandals.
result - finally, information may relate to an individual if the use of that information is likely to have an impact on that particular individual, i.e. he or she may be treated differently from other individuals as a result of that information.
Step 3: Is that person identified or identifiable?
The next step, whether that particular person is identified or identifiable, is another area in which difficult issues can arise in practice.
Identification may be direct, for example a person’s name, or indirect, for example the person’s telephone number or a combination of criteria (such as age, occupation, place of residence) that uniquely distinguish him. While this information will normally make it possible to identify the individual by name, this is not an essential requirement and personal data includes information by which a particular individual can be "distinguished" from other members of a group, for example "cookie" information on a computer.
The opinion also considers when an individual is identifiable in light of "all the means likely reasonably to be used either by the controller or by any other person to identify the said person". This requires a range of factors to be considered, including the purpose of the information, the structure of the processing, the advantage to the data controller, the interests of the individual and the risk of technical or organisational failures. Again, the extent of reasonable means is set broadly - so the opinion considers it reasonable that a third party in possession of an IP address might apply through the courts to an ISP in order to identify the name and address of the subscriber attached to an IP address. Thus, any IP address in the hands of any party must be regarded as potentially personal data. This is a highly controversial position, as is described further below.
Finally, pseudonymised, key-coded and anonymous data must also be considered. If the pseudonymisation or key-coding process can be reversed by the data controller or any other person in order to identify the individual then it is still likely to be personal data.
Step 4: Is the person a living natural person?
Even this straightforward issue receives some detailed analysis (including looking at the position of unborn children and frozen embryos!). Of more widespread application are the comments about dead people and legal persons. The opinion acknowledges that, while information about these types of person is not personal data per se, it may still be personal data if it relates to an individual. For example, information about the medical condition of a dead person may relate to living individuals.
Divergence from the Opinion on Personal Data
1. The UK Information Commissioner’s Guidance
In August 2007, the UK’s Information Commissioner followed the Article 29 Working Party into print with its own guidance on what is and is not personal data. The guidance focuses in particular on the second element of the four-part test identified by the Article 29 Working Party, the difficult issue of when data can be said to "relate to" an individual.
The Information Commissioner’s guidance provides a helpful flow diagram, incorporating eight questions to help identify whether data relates to an individual or not. Like the Article 29 Working Party paper, the requirements are alternatives, so that answering "yes" to any of the questions indicates that the data concerned is personal:
As can be seen from this flow chart, five of the eight questions posed by the UK Information Commissioner correlate to the question of whether the data relates to an individual by content, purpose or result, the three concepts identified by the Article 29 Working Party. Because each of the questions in the Information Commissioner’s guidance is an alternative, the results of the Information Commissioner’s guidance are therefore precisely the same as the Article 29 Working Party guidance - a broad concept of personal data. The Information Commissioner’s guidance, however, includes two further questions. Questions six and seven, regarding "biographical significance" and "focus" of the data have no equivalents in the Article 29 Working Party paper; with good reason, as they are derived from the UK Court of Appeal decision of Durant v FSA. The key section from the judgment of Auld LJ is:
"… not all information retrieved from a computer search against an individual’s name or unique identifier is personal data . . . Whether it does so in any particular instance depends on where it falls in a continuum of relevance or proximity to the data subject as distinct say, from transactions or matters in which he may have been involved to a greater or lesser degree. It seems to me that there are two notions that may be of assistance. The first is whether the information is biographical in a significant sense… The second is one of focus. The information should have the putative data subject as its focus..."
The Information Commissioner, in compiling its guidance, appears to have exploited the phrase "two notions that may be of assistance" and constructed its guidance on the basis that Auld LJ’s judgment is simply one helpful "notion" and does not exclude other possible helpful "notions" to identify personal data. But this approach glosses over the overriding requirement that Auld LJ later identified in his judgment that personal data must "affect [the data subject’s] privacy, whether in his personal or family life, business or professional capacity". Whatever else Auld LJ’s comments might mean, they certainly do not enable "insignificantly biographical" data to be personal data, whereas both the Information Commissioner’s guidance and that of the Article 29 Working Party would. As a result, although the Information Commissioner’s guidance is entirely consistent with the Article 29 Working Party guidance, it is not consistent with Durant. That is the conclusion the Information Tribunal reached in its decision early in 2008 in Harcup, when it found: "We have difficulty in reconciling the approach in the Guidance [of the Information Commissioner] with that in Durant".
To complete the picture, it is now clear that the Article 29 Working Party regards Durant as compromising the protection afforded to individuals by the Data Protection Directive, and that as a result the European Commission considers that the UK has failed to implement the Directive adequately.
From that we can see that there is a spectrum of possible interpretations of personal data. At one end sits the Article 29 Working Party’s approach, adopting a broad approach without any materiality threshold. At the other end sits the Court of Appeal decision in Durant, which applies a broad privacy-based materiality test to whether data is personal or not. Caught in the middle is the Information Commissioner, faced with the impossible task of both trying to ensure that the UK is seen to implement the directive correctly, whilst at the same time remaining bound by a Court of Appeal decision.
2. IP address cases
However, the UK courts are no longer alone in taking a narrower view on what is and is not personal data than the Article 29 Working Party. This year, other differences have started to emerge between the broad view of personal data articulated by the Article 29 Working Party and national courts.
Copyright societies in a number of European states have sought to identify individuals who are infringing copyright owners’ rights using peer-to-peer networks. They have done this by gathering the IP addresses of users engaged in file sharing, and then asking ISPs to disclose the names and addresses of the subscribers to whom the IP addresses relate. Courts in a number of jurisdictions, either as part of the prosecution of the subscribers or as part of an application against the ISPs for disclosure, have had to consider whether the processing of information about IP addresses in isolation is processing of personal data and therefore subject to the fairness and other requirements of the Data Protection Directive.
Courts in Sweden (involving the Antipyratbyran), Spain (Promusicae) and Austria have all found that IP addresses are personal data in the context of such cases, taking a broad view of personal data like the Article 29 Working Party. But in decisions in the courts in Rome (the Peppermint case), Nanterre and Paris (the Limewire, Anthony G and Henri S decisions), courts in France and Italy have both found IP addresses not to be personal data. Both the CNIL and Garante have reacted strongly against the decisions, arguing forcibly that the decisions are a misapplication of their law, which should continue to be regarded as interpreting "personal data" broadly.
The Analysis Conducted
Given this spate of guidance and court decisions that seem inconsistent with the view propounded by the Article 29 Working Party, we sought to identify just how much inconsistency there was in the way member states applied the concepts of personal data. We did that by asking local counsel in eight key jurisdictions to consider 11 different factual scenarios and apply their law to them, identifying whether data involved was or was not personal. Where there was doubt, local counsel contacted the local regulatory authorities’ helplines for confirmation of their views.
In the case of the UK, we sought only to apply the concepts set out in Durant, rather than the broader guidance of the Information Commissioner, given the Information Commissioner is bound by the decision in Durant.
Data Protected 2008 shows that, in general, most states take a broad interpretation of this term consistent with the Directive and the Opinion on Personal Data. However, the position is not entirely uniform and there are differences even between those states adopting a broad approach.
The table below shows whether common types of information are likely to be considered as personal data in a range of major European jurisdictions. The definition of personal data is highly contextual so these are, of course, only an indication of how this data could be treated.
For example, minutes of a meeting (see item 3) are less likely to be personal data in the United Kingdom. However, this depends on the focus of the meeting. If it relates to an individual’s performance or personal life, as opposed to a purely business matter, then it is very likely it would be personal data notwithstanding the narrow approach in the United Kingdom.
What is personal data?
✓ - means the information is likely to be personal data
x - means the information is unlikely to be personal data
Nonetheless, the table illustrates some of the key differences in the interpretation of the "personal data" concept. Five themes, in particular, are worth drawing out:
Key finding 1: High degree of commonality
Despite the differences identified below, one of the most striking features of the table above is that in almost half the scenarios we looked at, the application of the "personal data" concept was entirely consistent across all the countries we surveyed. In that respect the work of the Article 29 Working Party to achieve an integrated approach across Europe has been a success.
Key finding 2: The UK out of step
The table clearly indicates just how far out of step the UK approach to personal data is with its European peers. Whilst Belgium regarded all 11 categories of data to be personal, in the UK less than half were. Even in those categories where we did identify "personal data" we were, to some extent, being generous - for example, on the basis of Harcup there are strong grounds to think that mere names in isolation are unlikely to be personal data. It is the Durant notion of privacy, significantly biographical and focus, that is driving these distinctions.
Although this privacy requirement features in other jurisdictions’ legislation, it is treated very differently. For example, Germany defines personal data to be information concerning the "personal or material circumstances" of an individual but interprets this proviso very widely in practice. The Federal Constitutional Court’s decision in Volkszählungsurteil, which predates the Directive, explicitly concluded that there should be no materiality threshold, based on privacy or otherwise, applied to concepts of personal data. All data relating to living individuals, however trivial, should be regarded as personal data.
Interestingly, some other states, such as Portugal and the Czech Republic, treat information about the private life of a data subject as sensitive personal data and therefore it is subject to the additional protection provided for such information.
Key finding 3: Approach to IP addresses varies
As we expected, the approach to IP addresses varied. The decisions in the French courts resulted in a clear-cut "no" for IP addresses in France, but it is also apparent that the difference in views expressed in different European States is being played out in Germany on a smaller scale. Our local counsel reported that although some courts (Berlin) and some data protection authorities (Hesse and Lower Saxony) regarded static and dynamic IP addresses as personal data, other data protection authorities and the German Federal Government did not.
Key finding 4: Anonymised and pseudonymised data
The treatment of anonymised data also causes some variance between different states. At one extreme, Belgium treats information as personal data if anyone holds the information necessary to identify the relevant individual. This is the case regardless of whether or not the data controller is ever likely to obtain that additional information from the relevant third party. For example, key coded information is still considered to be personal data even if the key codes are not held by the data controller and there is no realistic chance they could obtain them (see item 11).
In contrast, the data protection authority in Slovakia only treats information as personal data if the relevant individual can be identified from that information (and not other information it might hold or might acquire in the future), though it should be noted that this approach has not been tested by Slovak courts and remains highly controversial.
Key finding 5: Legal entities
While not reflected in the questions above, some States also apply their data protection law to legal entities. These laws are fully applied in some cases, i.e. Austria, Italy and Liechtenstein, whereas other states apply their law only partially.
For example, Iceland and Norway have extended their data protection law to also apply to credit checks on legal entities, Denmark applies its law in part to smaller companies and Malta has extended its data protection law to marketing to legal entities.
Finally, some other states have their own unique features in their approach to personal data. Spain, for example, has implemented a business card exemption. This takes contact information about persons working for a company outside the scope of personal data so long as it is only used to contact that person on company matters.
Sweden has created a sub-category of personal data known as unstructured electronic personal data. This might be information about individuals in the body of a word document, in the body of text on a website or incidentally included in sound and picture recordings. This type of unstructured electronic information is not subject to detailed rules regarding its handling but instead is subject to a less onerous "misuse model", which simply requires that the information is not misused to the detriment of an individual’s personal integrity.
Data Protected 2008 shows that, in general, most states’ definition of personal data is consistent with the Directive and that they have taken a broad interpretation consistent with the Opinion on Personal Data.
However, there are some variations between states. While these variations remain, data controllers operating in multiple jurisdictions are likely to take a cautious approach and adopt a wide interpretation.
Certainly, it seems clear that whilst the UK may strike the sharpest contrast with the approach of the Article 29 Working Party in this area, it is not the only member state that approaches the concept of personal data in an alternative manner. Given the crucial nature of this concept to the impact of the Data Protection Directive as a whole, it is hard to imagine that this disparity will be allowed to persist in the longer term.
This article forms part of Data Protected, the most comprehensive overview of European data protection legislation. It covers the EU Member States together with Switzerland, Iceland, Liechtenstein and Norway. The report can be accessed online at www.linklaters.com/dataprotected.
By Richard Cumbley and Peter Church, London
1 Durant v Financial Services Authority  EWCA Civ 1746. Although the House of Lords was recently given the opportunity to review Durant in Common Services Agency v Scottish Information Commissioner  UKHL 47, it chose not to do so (per Lord Hope at para 20).
2 Ibid. at para 28.
3 Mr Tony Harcup v (1) The Information Commissioner and (2) Yorkshire Forward EA/2007/0058.
4 Ibid. at para 20.
5 Article 29 Working Party paper 141 at page 4: "Given the strong links between the Jersey legal system and its English counterpart . . . it may be that [Durant] will be followed. In so far as such an interpretation restricts the definition of personal data of the Directive, this may compromise the extent to which the Jersey legislation protects Personal Data."
6 A number of FOIA requests have revealed that the UK’s implementation of the following articles of the Data Protection Directive is under investigation by the Commission: Articles 2, 3, 8, 10, 11, 12, 13, 22, 23, 25 and 28.
7 Based on two contradictory contacts with the CNIL helpline.
8 This article, like Data Protected as a whole, depends on the work of a large number of practitioners in a variety of jurisdictions. Thanks go to: Tanguy Van Overstraeten and Guillaume Couneson, Linklaters De Bandt, Brussels; Hana Gawlasova and Barbora Lezatkova, Linklaters, Prague; Stephanie Faber and Eléonore Feld, Linklaters, Paris; Dr Konrad Berger, Linklaters, Munich; Edouard Delosch, Linklaters Loesch, Luxembourg; Carmen Burgos and Beatriz Pavon, Linklaters, Madrid; and Elisabet Lundgren and Jens Norberg, Linklaters, Stockholm.