Personal Data: what’s in a name?

What is personal data? A seemingly straightforward question which, under data protection law, is in fact rather complicated. Cases in the U.K. on the meaning of personal data are often difficult to reconcile with judgments from the Court of Justice of the European Union (‘CJEU’).

In the U.K., the definition of personal data under the Data Protection Act 1998 (‘DPA’) is found in section 1(1): “personal data” means data which relate to a living individual who can be identified-

(a) from those data, or

(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,

and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.

The DPA implements EU Directive 95/46 (‘the Directive’). Article 2(a) of the Directive defines personal data as “any information relating to an identified or identifiable natural person”. According to Article 2(a) and Recital 26 of the Directive, an individual is identified or identifiable if they can be identified directly or indirectly from the data, taking into account all means available to the data controller or third party.

The test for personal data is not decided in the abstract, but by looking at all of the information a data controller currently holds or could obtain. In Criminal Proceedings against Lindqvist (C-101/01) [2004] Q.B. 1014, the CJEU held that mentioning a person by name, or identifying them by other means, for example by telephone number, clearly constitutes personal data for the purposes of the Directive.

Contrast this with Durant v Financial Services Authority [2003] EWCA Civ 1746. In this case, Mr. Durant made a subject access request to the Financial Services Authority in relation to a complaint he had made against Barclays Bank. The Court of Appeal held that the mere mention of a data subject in a document does not necessarily amount to personal data. Whether information is personal data depends on two factors: (i) biographical relevance, and (ii) focus.

(i) Biographical relevance means “going beyond the recording of the putative data subject’s involvement in a matter or an event that has no personal connotations, a life event in respect of which his privacy could not be said to be compromised” [Auld LJ, paragraph 28].

(ii) Focus means: “The information should have the putative data subject as its focus rather than some other person with whom he may have been involved or some transaction or event in which he may have figured or have had an interest, for example, as in this case, an investigation into some other person’s or body’s conduct that he may have instigated” [Auld LJ, ibid.].

Fast forward just over a decade and the Court of Appeal found that a name, without any further context, can indeed constitute personal data. In Edem v Information Commissioner [2014] EWCA Civ 92, the sole issue for the Court of Appeal to determine was whether information amounting to the names of three individuals constituted their personal data. Mr. Edem had made a number of complaints to the FSA in regard to its regulation of a particular company and sought disclosure of information about those complaints. Three employees at the FSA had worked on those complaints.

The Court of Appeal concluded that their names did indeed constitute personal data: “a name is personal data unless it is so common that without further information, such as its use in a work context, a person would remain unidentifiable despite its disclosure” (paragraph 20). It reconciled this conclusion with the approach in Durant by concluding that the issues in the two cases differed. In Durant the nature of the information did not on its face concern or name Mr. Durant. The Court of Appeal endorsed the guidance of the ICO on the approach to ‘biographical significance’: it need only be considered where the information is not ‘obviously about’ an individual or clearly ‘linked’ to him.

The Court of Appeal again considered the nature of personal data in the recent case of Vidal-Hall v Google Inc [2015] EWCA Civ 311. The case involved Google’s access to an individual’s computer browser-generated information (“BGI”) using cookies. Google could ‘farm’ data using the cookies, but not individual names. On the question of whether BGI could be personal data, the Court concluded it was arguable given that BGI could be used to differentiate one person from another if taken in conjunction with information held by third parties.

Last month, the CJEU concluded in C-582/14 Breyer v Bundesrepublik Deutschland that dynamic IP addresses are personal data, even if a third party holds the additional information that would be required to identify the relevant individual. Note that a distinction was made as to whether or not the party holding the IP address had the legal or practical means of obtaining the information from the third party.

The new EU General Data Protection Regulation (‘GDPR’), which is due to take effect in 2018, gives an extremely wide definition of personal data. It includes pseudonymous data (i.e. encrypted data), online identifiers, location data, genetic data and biometric data. The GDPR was not considered in Breyer as it is not yet in force. The issue will no doubt be in the courts again.

If you are interested in further information or advice in this area of law, please contact my clerks to instruct me.