Wednesday, July 04, 2007

Art. 29 Working Party Opinion on "Personal Data"

The Art. 29 Working Party has now published its working opinion (4/2007) (pdf) on the concept of personal data. Not only does it maintain its position that "personal data" is a broad definition, but it also gives a detailed analysis of the definition - ie. "any information relating to an identified or identifiable natural person."

"As a general consideration it has been noted that the European lawmaker intended to adopt a broad notion of personal data, but this notion is not unlimited. It should always be kept in mind that the objective of the rules contained in the Directive is to protect the fundamental rights and freedoms of individuals, in particular their right to privacy, with regard to the processing of personal data. These rules were therefore designed to apply to situations where the rights of individuals could be at risk and hence in need of protection. The scope of the data protection rules should not be overstretched, but unduly restricting the concept of personal data should also be avoided. The Directive has defined its scope, excluding a number of activities, and allows flexibility in the application of rules to activities that are within its scope. Data protection authorities play an essential role infinding an appropriate balance in this application (see paragraph II).

The Working Party’s analysis has been based on the four main “building blocks” that can be distinguished in the definition of “personal data”: i.e. “any information”, “relating to”, “an identified or identifiable”, “natural person”. These elements are closely intertwined and feed on each other, but together determine whether a piece of information should be considered as “personal data”. The analysis is supported by examples from the national practice of European DPAs.

• The first element – “any information” – calls for a wide interpretation of the concept, regardless of the nature or content of the information, and the technical format in which it is presented. This means that both objective and subjective information about a person in whatever capacity may be considered as “personal data”, and irrespective of the technical medium on which it is contained. The opinion also discusses biometric data and the legal distinctions with human samples from which they may be extracted (see paragraph III.1).

• The second element – “relating to” – has so far been often overlooked, but plays a crucial role in determining the substantive scope of the concept, especially in relation to objects and new technologies. The opinion provides three alternative elements – i.e. content, purpose or result – to determine whether information “relates to” an individual. This also covers information that may have a clear impact on the way in which an individual is treated or evaluated (see paragraph III.2).

• The third element – “identified or identifiable” – focuses on the conditions under which an individual should be considered as “identifiable”, and especially on “the means likely reasonably to be used” by the controller or by any other person to identify that person. The particular context and circumstances of a specific case play an important role in this analysis. The opinion also deals with “pseudonymised data” and the use of “key-coded data” in statistical or pharmaceutical research (see paragraph III.3).

• The fourth element – “natural person” – deals with the requirement that “personal data” are about “living individuals”. The opinion also discusses the interfaces with data on deceased persons, unborn children and legal persons (see paragraph III.4).

The opinion finally discusses what happens if data fall outside the scope of the definition of “personal data”. Different solutions may be available to deal with issues in these cases, including national legislation outside the scope of the Directive, provided that other community law is respected (see paragraph IV). "

Full text: Opinion 4/2007 on the concept of Personal Data (pdf)

No comments: