This post is the first in a series that the Fieldfisher Privacy, Security and Information team will publish on forthcoming changes under Europe’s new General Data Protection Regulation (the “GDPR”), currently being debated through the “trilogue” procedure between the European Commission, Council and Parliament (for an explanation of the trilogue, see here).
The GDPR, like the Directive today and – indeed – any data protection law worldwide, protects “personal data”. But what constitutes personal data often comes as a surprise to organizations. Are IP addresses personal data, for example? What about unique device identifiers or biometric identifiers? Does the data remain personal if you hash or encrypt it?
What does the law require today?
Today, the EU definition of “personal data” is set out in the Data Protection Directive 95/46/EC. It defines personal data as “any information relating to an identified or identifiable natural person” (Art. 2(a)), and specifically acknowledges that this includes both ‘direct’ and ‘indirect’ identification (for example, you know me by name – that’s direct identification; you describe me as “the Fieldfisher privacy lawyer working in Silicon Valley” – that’s indirect identification).
The Directive also goes on to say that identification can be “in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity”. This has caused a lot of debate in European privacy circles – could an “identification number” include an IP address or cookie string, for example? The Article 29 Working Party has previously issued comprehensive guidance on the concept of personal data, which made clear that EU regulators were minded to treat the definition of “personal data” as very wide indeed (by looking at the content, purpose and result of the data). And, yes, they generally think of IP addresses and cookie strings as personal – even if organizations themselves do not.
This aside, EU data protection law also has a separate category of “special” personal data (more commonly referred to as “sensitive personal data”). This is personal data that is afforded extra protection under the Directive, and is defined as data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and health or sex life. Data relating to criminal offences is also afforded special protection. Oddly, though, financial data, social security numbers and child data are not protected as “sensitive” under the Directive today.
What will the General Data Protection Regulation require?
While the GDPR is still being debated between the Commission, Council and Parliament through the trilogue procedure, what is clear is that the net cast for personal data will not get any smaller. In fact, the legislators are keen to clear up some of the ambiguities that exist today, and even to widen the net in a couple of instances – for example, with respect to sensitive personal data. In particular:
- Personal data and unique identifiers: The trilogue parties broadly agree that the concept of personal data must include online identifiers and location data – so the legal definition of personal data will be updated under the GDPR to put beyond any doubt that IP addresses, mobile device IDs and the like must be treated as personal. This means that these data will be subject to fairness, lawfulness, security, data export and other data protection requirements just like any other personal data.
- Pseudonymous data: The trilogue parties are considering the concept of “pseudonymous data” – in simple terms, personal data that has been subjected to technological measures (like hashing or encryption) such that it no longer directly identifies an individual. There seems to be broad acceptance that a definition of “pseudonymous data” is needed, but that pseudonymous data will still be treated as personal data – i.e. subject to the requirements of the GDPR. On the plus side though, organizations that pseudonymize their data will likely benefit from relaxed data breach notification rules, potentially less strict data subject access request requirements, and greater flexibility to conduct data profiling. The GDPR will encourage pseudonymization as a privacy by design measure.
- Genetic data and biometric data: GDPR language under debate also introduces the concepts of “genetic data” and “biometric data” (i.e. fingerprints, facial recognition, retinal scans etc.). The trilogue parties seem to agree that genetic data must be treated as sensitive personal data, affording it enhanced protections under the GDPR (likely due to concerns, for example, that processing of genetic data might lead to insurance disqualifications or denial of medical treatment). There’s slightly less alignment between the parties on the treatment of biometric data, with the Parliament viewing it as sensitive data and the Council preferring to treat it as (non-sensitive) personal data – but data that, nevertheless, triggers the need for an organizational Data Protection Impact Assessment if processed on a large scale.
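To make the pseudonymization point above concrete, here is a minimal sketch of one common technique: replacing a direct identifier (an IP address, in this example) with a keyed hash. This is purely illustrative – the GDPR text under debate does not mandate any particular method, and all names and values below are hypothetical. Note that, as discussed above, the resulting dataset would still be treated as personal data under the GDPR, since the organization holding the key can re-link the pseudonyms.

```python
import hmac
import hashlib

# Illustrative secret key. In practice the key would be generated randomly
# and stored separately from the pseudonymized dataset, so that the data
# cannot be re-identified by anyone who obtains the dataset alone.
SECRET_KEY = b"keep-this-key-separate-from-the-data"

def pseudonymize(identifier: str) -> str:
    """Return a stable pseudonym for an identifier.

    The same input always yields the same pseudonym, so records can still
    be linked for analytics, but the original value cannot be recovered
    without the secret key.
    """
    return hmac.new(SECRET_KEY, identifier.encode("utf-8"),
                    hashlib.sha256).hexdigest()

# Example record with an online identifier treated as personal data.
record = {"ip_address": "203.0.113.7", "page": "/pricing"}
record["ip_address"] = pseudonymize(record["ip_address"])
```

A keyed hash (rather than a plain hash) is used here because a plain hash of a small identifier space, such as IPv4 addresses, could be reversed by brute force; whether any given measure is adequate remains a fact-specific question.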
What are the practical implications?
For many institutions, the changes to the concept of personal data under the GDPR will simply affirm what they already know: that Europe takes a very expansive, protective approach to what triggers personal data requirements.
Online businesses – especially those in the analytics, advertising and social media sectors – will be significantly impacted by the express description of online and unique identifiers as personal data, particularly when this is considered in light of the extended territorial reach of the GDPR. Non-EU advertising, analytics and social media platforms will likely find themselves legally required to treat these identifiers as personal data protected by European law, just as their European competitors are, and will need to update their policies, procedures and systems accordingly – that, or risk losing EU business and attracting European regulatory attention. However, they will likely take (some) comfort from GDPR provisions allowing for data profiling on a non-consent basis if data is pseudonymized.
Beyond that, all organizations will need to revisit what data they collect and understand whether it is caught by the personal data requirements of the GDPR. In particular, they need to be aware of the extended scope of sensitive data to include genetic data (and, if the Parliament has its way, potentially biometric data), attracting greater protections under the GDPR – particularly the need for explicit consent, unless other lawful grounds for processing exist.
Finally, some of the relaxations given to processing of pseudonymized data will hopefully serve to incentivize greater adoption by organizations of pseudonymization technologies. Arguably, the GDPR could do more on this front – and some organizations will inevitably grumble at the cost of pseudonymizing datasets – but if doing so potentially reduces data breach notification and data subject access request responsibilities then this will serve as a powerful adoption incentive.