Is an IP address or an URL personal data? Should it be personal data? Anyway, given the European-wide review of the Data Protection Directive, I have decided to put my head above the parapet and describe what I think the definition of personal data should look like. Of course, readers might disagree – but all I would say that if we don’t have any idea of what the definition should look like, then Governments and the European Commission will happily impose a definition of personal data that suits them.
For convenience I shall amend the definition found in the UK Act (below). The paragraph(c) in italics has been added and the final part of the Act’s definition (from “and includes...”) has been removed. My proposed definition thus reads:
“personal data” means data which relate to a living individual who can be identified-
(a) from those data, or
(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller, or
(c) from the data and other information which has been provided by, or is likely to be provided by, the data subject
and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual;
The paragraph that has been struck out removes the legal arguments underpinning the controversial Durant judgment from the Court of Appeal. In that judgment, the Court ignored the Parliamentary record which explained why the text about “opinions” and “intentions” had been included, and decided to interpret the definition without that input.
In Durant, the Court determined that the fact that the definition of “personal data” had specified “intentions” and “opinions” as being components of personal data meant that the definition of personal data had to be a narrow one. This was because, if the definition of personal data was a broad one, there would be no need for the specification of “intentions” and “opinions” as part of the definition. Having rejected a broad definition of personal data, the Court then concluded that the words “relate to” had to be constructed in a narrow way so that that personal data had to be “focused” on the data subject or had to possess “biographical significance” for the data subject.
That is why removal of the text that begins with “... and includes...” should confine Durant to the dust-bin of data protection history.
The paragraph(c) I have added (in italics) states that if a data subject provides the relevant identifying information to the service provider (e.g. name, IP address, URL, date, time of use of service etc) then the data processed by the data controller becomes personal data.
So, for example, if Google Street View published details of say, a house, and if the individual concerned provided Google with details of the URL link to that house, and identifying details about himself, then the data becomes personal data and regulated by the data protection regime.
This linkage then engages the data protection regime and allows the data subject to raise the issue of whether it is legitimate for Google to continue to process his personal data (e.g. whether the data subject’s right to object to the processing of personal data should prevail). Similarly, service providers who processes IP addresses in connection with marketing related activities should, if the mechanism in above is used, would need to satisfy the right to object to marketing purpose.
I accept there is an philosophical objection to this process that requires the data subject has to identify himself to the ISP or Google or whoever etc. There are many who would find that such an idea is an anathema; after all, many hold it as axiomatic that Internet use should be anonymous.
However, all I ask is that such a reader to put that objection to one-side for the moment, and consider the impact of the words “....or is likely to be provided by, the data subject” in the definition I propose.
This covers the situation where the data controller has not got the identifying details from the data subject but there is a reasonable expectation that the controller may be furnished with such details in future. So, if more and more individuals contact a service provider in order to disclose identifying details as described above, the more a service provider should anticipate that further identifying details are “likely” to come into his possession.
In other words, there will come a time when the number of contacts made by data subjects with the service provider will be such that a service provider will be obliged to treat the data as personal data on ALL users (i.e. without the need for any further contacts from any other data subject).
For example, suppose a supplier has a database of 1,000,000 IP addresses and there is only one data subject contact. One would argue that the frequency of contact from data subjects is such that a future contact from another specific individual is “possible” rather than "likely". However, suppose there were 100,000 data subject contacts – one would then say that contact from any specific individual in future is “likely” to occur. If you agree with this conclusion, then the data controller will be processing personal data (even though 900,000 data subjects have not identified themselves).
Note that the definition empowers data subjects – they decide what happens. The frequency of contact will depend on how all users of an Internet service view a particular service; the more the suspicions about a service, the greater the number of contacts from users. The definition thus includes an implicit encouragement to service providers to arrange their processing affairs transparently so that users do not provide their details and engage the Act. Indeed, I would also expect consumer and privacy advocates to develop software applications from to allow users to provide a log of the necessary URLs and IP addresses so they can be furnished to data controllers.
I think the approach I suggest is better than a definition of personal data that includes a description of technology. Just look at the UK’s new Privacy in Electronic Communications Regulations (PECR) that are under discussion at the moment (see blog of 23 September 2010; “Coalition Government chooses to minimise privacy protection against spammers and behavioural advertisers”).
This is the third time that these PECR provisions have been enacted since 1997, mainly because the law in this area has had to be refreshed in order to play “catch up” with new developments in technology. My solution is not dependent on future technical development; the data subject can assume a degree of control whenever they want to.
James Callaghan, a Labour Prime Minister of the 1970’s, once told a new Minister that if he behaved like a doormat, he should expect to be trod on. I think this sentiment also applies to the privacy of data subjects. They are responsible for their own privacy – no-one else is.
It follows that the law should provide individuals with the means to protect themselves whenever they feel an organisation has trod on their privacy – and that is what my definition of “personal data” delivers.
Advert: We are running several sets of data protection courses next year. We are starting a set of the 7-day DP course in London (beginning 18th January) and running the 5-day intensive course in Edinburgh (beginning 24th February) and in Leeds (beginning 3rd March). These courses cover the DP ISEB syllabus and prepares delegates for the examination in April 2011. Our courses are structured so they are also suitable for those who do not seek the ISEB qualification. See the “brochure” section of the Amberhawk website (www.amberhawk.com)
Comments