Published online by Cambridge University Press: 26 June 2019
This paper explains how the concept of personal data should be delimited. Certainty on this matter is crucial, as it determines the material scope of the data protection obligations. The primary boundary delimiting the scope of personal data is the requirement that personal data ‘relate to’ an individual. The courts of the UK and the EU have sought to delineate this boundary, but there are serious difficulties in the present approaches that have emerged thus far. Two possible ways forward are suggested, taking into account the implications of the direct application of the GDPR in the UK.
1 The concept of personal data is also crucial in the context of freedom of information law, as public authorities are exempt from providing access to information if the information constitutes personal data: see Freedom of Information Act 2000(FOIA 2000), s 2 (read with s 40) and Freedom of Information (Scotland) Act 2002, s 2 (read with s 38); see also Common Services Agency v Scottish Information Commissioner [2008] 1 WLR 1550 at [5].
2 On the issue of identification, see eg Esayas, SY ‘The role of anomymisation and pseudonymisation under the EU data privacy rules: beyond the “all or nothing” approach’ (2015) 6(2) European Journal of Law and TechnologyGoogle Scholar; Schwartz, PM and Solove, DJ ‘The PII problem: privacy and a new concept of personally identifiable information’ (2011) 86 New York University Law Review 1814Google Scholar; Oostveen, M ‘Identifiability and the applicability of data protection to big data’ (2016) International Data Privacy Law 299CrossRefGoogle Scholar.
3 DPA 1998, s 1(1).
4 DPA 2018, s 3(2). See also GDPR, Art 4(1).
5 Section 1(1) of the DPA 1998 listed five species of data: information which (a) is being processed by means of equipment operating automatically in response to instructions given for that purpose, (b) is recorded with the intention that it should be processed by means of such equipment, (c) is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system, (d) does not fall within paragraph (a), (b) or (c) but forms part of an accessible record as defined by section 68, or (e) is recorded information held by a public authority and does not fall within any of paragraphs (a) to (d).
6 Smith v Lloyds Tsb Bank plc [2005] EWHC 246 (Ch), at [7]–[28].
7 See Ittihadieh v 5–11 CheyneGardens RTMCo Ltd [2018] QB 256 at [61], where Lewison J affirmed these two ‘limbs’ of the definition of personal data.
8 I gratefully borrow the Upper Tribunal's terminology in Information Commissioner v Financial Services Authority [2012] UKUT 464 (AAC), at [10].
9 See Ittihadieh, above n 7, at [93] where this outcome was rejected.
10 YS v Minister voor Immigratie, Integratie en Asiel [2015] 1 WLR 609.
11 Ibid, at [48].
12 Ibid, at [42].
13 Ibid, at [41].
14 Ibid, at [46].
15 Case C-106/89 Marleasing SA v La Comercial Internacional de Alimentacion SA [1990] ECR I-4135, at [8]; Football Association Premier League Ltd v QC Leisure [2012] All ER (EC) 629, at [23].
16 Johnson v Medical Defence Union Ltd (No 2) [2007] All ER (D) 464 (Mar), at [16]. In this case, the meaning of ‘processing’ under the DPA 1998 was at issue.
17 Durant v Financial Services Authority [2003] All ER (D) 124 (Dec), at [3].
18 Campbell v MGN Ltd [2002] All ER (D) 177 (Oct), at [96].
19 Ittihadieh, above n 7, at [68].
20 Durant, above n 17, at [79].
21 Ittihadieh, above n 7, at [84]; DB v General Medical Council [2018] All ER (D) 21 (Jul), at [37].
22 Johnson, above n 16, at [1] and [16].
23 See for example TS v Information Commissioner [2016] UKUT 455, at [40].
24 Durant, above n 17, at [28].
25 See for example R v Commissioner of Police for the Metropolis [2012] All ER (D) 114 (May), at [67], where it was considered that the information in question was personal data because ‘it passes the two tests suggested by Auld LJ in Durant v Financial Services Authority … [i]t is “biographical” and, in each case, the Claimant is the “focus” of the information’. See also Guriev v Community Safety Development (UK) Ltd [2016] All ER (D) 54 (Apr), at [47].
26 As highlighted in Information Commissioner v Financial Services Authority [2012] UKUT 464 (AAC), at [22], the ‘two notions’ were ‘not presented as in some way defining the scope of personal data. Nor were they presented as exhaustive’. See also the Upper Tribunal's opinion in All Party Parliamentary Group [2015] UKUT 377 (AAC), at [19], where it noted that ‘the term “relates to” is broader than the Durant guidance has sometimes been understood to suggest’.
27 As noted by Horner J in Re JR60 [2013] NIQB 93, at [29], personal data has been interpreted as meaning almost the same as private data, as a result of Durant.
28 FOIA 2000, s 40(2) provides for an exemption for information constituting personal data.
29 Efifiom Edem v Information Commissioner [2012] UKFTT 2011_0132 (GRC), at [33]. This decision has been regarded as ‘frankly bizarre’: see Jay, R Data Protection Law and Practice (1st Supplement to the 4th Edition) (London: Thomson Reuters, 2014) p 28Google Scholar.
30 Information Commissioner v Financial Services Authority & Edem [2012] UKUT 464 (AAC), at [38].
31 Edem v Information Commissioner [2014] All ER (D) 50 (Feb), at [17].
32 Ibid, at [20].
33 Ibid, at [15].
34 Ibid, at [21].
35 Ibid, at [22].
36 Secretary of State for the Home Department v TLU [2018] All ER (D) 85 (Jun), at [39].
37 Ibid, at [43].
38 Ibid, at [40].
39 Durant, above n 17, at [28], [79] and [80]; Ittihadieh, above n 7, at [68].
40 Durant, above n 17, at [28]; TLU, above n 36, at [43].
41 Durant, above n 17, at [28]; Ittihadieh, above n 7, at [63]; TLU, above n 36, at [43].
42 TLU, above n 36, at [39]; Ittihadieh, above n 7, at [65]; Edem above n 31, at [17]–[22].
43 Durant, above n 17, at [79].
44 Common Services Agency, above n 1, at [7].
45 GDPR, Recital 1.
46 DPA 2018, s 2(1).
47 Kokott, J and Sobotta, C ‘The distinction between privacy and data protection in the jurisprudence of the CJEU and the ECtHR’ (2013) 3 International Data Privacy Law 222CrossRefGoogle Scholar at 228. The non-identity of the right to privacy and the right to data protection is well-supported in the academic literature: see eg Tzanou, M ‘Data protection as a fundamental right next to privacy? “Reconstructing” a not so new right’ (2013) 3 International Data Privacy Law 88CrossRefGoogle Scholar at 90; Lynskey, O The Foundations of EU Data Protection Law (New York: Oxford University Press, 2015) p 130Google Scholar; Lynskey, O ‘Deconstructing data protection: the added-value of a right to data protection in the EU legal order’ (2014) 63 International and Comparative Law Quarterly 569CrossRefGoogle Scholar at 578; Bygrave, LA Data Privacy Law: An International Perspective (New York: Oxford University Press, 2014) p 3CrossRefGoogle Scholar.
48 Tzanou, M The Fundamental Right to Data Protection (Oxford: Hart, 2017) p 22Google Scholar.
49 Article 29 Working Party Opinion 4/2007 on the concept of personal data (20 June 2007). The A29WP was established under Art 29 of the DPD as an independent advisory body, providing recommendations and opinions to the European Commission on matters relating to data protection. The A29WP has since been replaced by the European Data Protection Board established by the GDPR.
50 See Case C-434/16 Peter Nowak v Data Protection Commissioner [2017] ECLI:EU:C:2011:777, at [34].
51 Opinion 4/2007, above n 49, p 10.
52 Ibid, p 11.
53 Ibid, p 10.
54 Ibid.
55 Ibid, p 11.
56 GDPR, Arts 15 and 5(1)(a).
57 Purtova, N ‘The law of everything. Broad concept of personal data and the future of EU data protection law’ (2018) 10 Law, Innovation and Technology 40CrossRefGoogle Scholar at 72.
58 It would, for instance, render personal data inventories pointless, since it would not be possible for a data controller to exhaustively identify all the personal data that it processes.
59 Purtova, above n 57, at 73.
60 Ibid, at 79–80.
61 Nowak, above n 50, at [29].
62 Ibid, at [34].
63 Ibid, at [35].
64 Ibid, at [37].
65 Ibid, at [38].
66 Ibid, at [39].
67 Ibid, at [42].
68 Opinion 4/2007, above n 49, at [56].
69 But see Nowak, above n 50, Opinion of Advocate General Kokott at [3], where the Advocate General expressed the view that the replacement of the DPD by the GDPR would ‘not affect the concept of personal data’.
70 See GDPR, Arts 17, 18 and 21, respectively. The expansion of the right to object is evident from the removal of the requirement for the data subject to show ‘compelling legitimate grounds’ before exercising the right pursuant to Art 21(1).
71 See GDPR, Art 83; cf the statutory maximum of £500,000 prescribed by the Data Protection (Monetary Penalties) (Maximum Penalty and Notices) Regulations 2010, reg 2.
72 GDPR, Art 9(1).
73 EUWA 2018, s 6(1).
74 EUWA 2018, s 6(4).
75 See UK Information Commissioner Key Definitions: What is Personal Data? (24 May 2018) p 18.
76 Case C-331/88 R v Ministry of Agriculture, Fisheries and Food, ex p FEDESA [1990] ECR I-4023, at [13].
77 GDPR, Recital 4.
78 Case C-101/01 Bodil Lindqvist [2003] ECR I-12992, at [30].
79 The need for clear and certain legal rules in relation to data protection is recognised in the GDPR, Recital 7.