Review of the Data Protection Directive: Is There Need (and Room) For a New Concept of Personal Data?

European Data Protection: In Good Health?

Abstract

The entry into force of the Lisbon Treaty brought some changes to the EU legal framework and some of them have a direct impact on data protection. In this new scenario, the movements requiring the review of the Data Protection Directive gained a new boost.

For the discussion of a possible review of the Directive, the analysis of the concept of personal data is fundamental, because the EU data protection framework has this concept as one of its foundations, since data which are not related to an identified or identifiable person do not fall within the scope of the Data Protection legislation.

Taking into account this scenario, this chapter initially analyses the concept of personal data as provided for by Directive 95/46 and the views of the Article 29 Working Party and of the European Data Protection Supervisor regarding the concepts of personal data and anonymous data. Then, it concentrates on the experiences of France, Italy and the UK, seeking to identify the differences in the concept of personal data in these member states. After carrying out these analyses, the chapter proposes some changes to the concept of personal data which could be incorporated in the review of the General Data Protection Directive.

Mario Viola holds a PhD in Law and a Master of Research in European, International and Comparative Law from the European University Institute and an LLM in Private Law from Rio de Janeiro State University.

Notes

  1.

    Available at http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:C:2010:083:0335:0360:EN:PDF, Accessed 3 Aug 2011.

  2.

    This article is included in Chap. 2 of the Treaty, entitled ‘Specific Provisions on the Common Foreign and Security Policy’.

  3.

    “The concept of ‘personal data’ is one of the key concepts for the protection of individuals by the current EU data protection instruments (…).”

  4.

    In this sense are the Spanish and Austrian Data Protection Laws (see Walden 2002, 235)

  5.

    See, for instance, the debates about the PNR and SWIFT Agreements.

  6.

    The main purposes of Directive 95/46/EC are: “(1) to allow for the free flow of data within Europe, in order to prevent member states from blocking inter-EU data flows on data protection grounds; and, (2) to achieve a harmonized minimum level of data protection throughout Europe”. (Kuner 2003, 27)

  7.

    “The requirement that the data relate to an ‘identifiable’ person in the General Directive similarly means that a set of data which, taken together, could be matched to a particular person, or at least make identification of that person considerably easier, is considered ‘personal data’.”

  8.

    Recital 26 of Directive 95/46/EC.

  9.

    Article 4(1)(n) of the Italian Personal Data Protection Code (Legislative Decree no. 196 dated 30 June 2003) considers anonymous data as “any data that either in origin or on account of its having been processed cannot be associated with any identified or identifiable data subject.”

  10.

    “The Commissioner considers anonymisation of personal data difficult to achieve because the data controller may retain the original data set from which the personal identifiers have been stripped to create the ‘anonymised’ data.”

  11.

    Regarding the anonymisation of genetic data the situation is even more complicated (see Murray 1997, 63). “If a database contained sufficient information about the sequence, even if the person’s name were not attached to the file, it might be possible to identify the individual whose sequence it is, in a manner similar to the method of genetic fingerprinting. So, although the practise of removing identifying information is usually thought to confer anonymity by making records impossible to trace to an individual, that may not be the case with records containing significant chunks of DNA sequence data.”

  12.

    An example of the risks is the software produced by Phorm, called WebWise, which was heavily criticized by data protection advocates (see Clayton 2008).

  13.

    In its opinion 4/2007, the Article 29 Working Party presents a definition of anonymous data that takes into account ‘the means likely reasonably to be used’ for the identification of the data subject (see Article 29 Working Party 2007, 21).

  14.

    Achieving effective anonymisation may be a challenging task, from both a technical and compliance perspective. Sophisticated data analysis and data mining techniques on supposedly anonymous data may eventually yield data that does ‘directly or indirectly’ relate to a specific individual (…).

  15.

    18. The same analysis occurs with the notion of anonymity. Although, from a data protection view, the notion of anonymity would cover data that are no longer identifiable (see recital 26 of the Directive), from a statistical point of view, anonymous data are data for which no direct identification is possible. This definition implies that indirect identification of data would still qualify these data as anonymous, from a statistical point of view.

  16.

    According to the Article 29 Working Party, the reasonableness is “Another general limitation for the application of data protection under the Directive.” (see Article 29 Working Party 2007, 5).

  17.

    Apud Ian Walden, Op. cit.: 226. The cost of the identification was recognised by the Article 29 Working Party as one of the factors to be taken into account when analysing whether an individual is identifiable or not (Article 29 Working Party 2007, 15).

  18.

    See Article 2(a) of Directive 95/46/EC.

  19.

    See Article 2(a) of Directive 95/46/EC.

  20.

    Article 9(3) of the Italian Personal Data Protection Code.

  21.

    The Italian Code of Conduct and Professional Practice applying to processing of personal data for statistical and scientific purposes lists in its Article 4(1) some means that can be considered as reasonable for identifying a data subject. www.garanteprivacy.it/garante/doc.jsp?ID=1115480. Accessed 23 Dec 2010.

  22.

    Article 2, 2nd paragraph of the French Act 78–15.

  23.

    The French Act, as the British one, did not adopt a definition of anonymous data, although in some of its provisions it refers to this kind of data. See, for instance, Article 25, § 1 of the French Act 78–15.

  24.

    Article 100 of the French Decree n 2005–1309 requires that “the heir of a deceased person who wishes to update the data concerning the deceased” proves “his capacity as heir by producing an attested affidavit or a family record book.” In overseas regions such proof can be made through any means (Article 111, § 9 of the same Decree).

  25.

    See Section 1(1) of the UK Data Protection Act 1998.

  26.

    The protection of fundamental freedoms concerns only natural persons. Legal persons are excluded from the protection regime.

  27.

    In that sense, see Autorisation Unique n AU-003 and Autorisation Unique n AU-024 of the French Data Protection Authority. http://www.cnil.fr/en-savoir-plus/deliberations/autorisations-uniques/. Accessed 4 Jan 2011.

  28.

    It also did not include a definition of anonymous data.

  29.

    The Italian Data Protection Authority recognises that in such cases there are personal data not only in the identification part of the opinion, but also in the conclusions and evaluations of the medical expert of the insurance company, and, indeed, Article 7 of the Data Protection Code applies to the evaluation and conclusions of the expert. Nevertheless, it does not mean that full access has to be given: information related to counselling given by the expert to the insurance company concerning the decision of paying or not paying an indemnity or the strategy in a future legal claim are not included.

  30.

    “The Act is only concerned with living individuals and so if the subject of the information is dead, then the information cannot be personal data.” In the same sense, see Information Commissioner’s Office (2009, 26).

  31.

    A data subject must be a living individual. Organisations, such as companies and other corporate and unincorporated bodies of persons cannot, therefore, be data subjects.

  32.

    See Sects. 158 and 169 of the Consumer Credit Act 1974. In the same sense see The Consumer Credit (Credit Reference Agency) Regulations 2000.

  33.

    “Partnership” means “a partnership consisting of two or three persons not all of whom are bodies corporate” (Sect. 189(1)(a) of the Consumer Credit Act 1974 as amended by the Consumer Credit Act 2006).

  34.

    “Unincorporated body of persons” means “an unincorporated body of persons which does not consist entirely of bodies corporate and is not a partnership” (Sect. 189(1)(b) of the Consumer Credit Act 1974 as amended by the Consumer Credit Act 2006).

  35.

    See Sects. 38–54 of the Consumer Credit Act 1974 as amended by the Consumer Credit Act 2006.

  36.

    Article 2(a) of Directive 95/46/EC (see Article 29 Working Party 2007, 13). “Concerning ‘directly’ identified or identifiable persons, the name of the person is indeed the most common identifier, and, in practice, the notion of ‘identified person’ implies most often a reference to the person’s name.” In the same sense are the findings of the European Court of Justice (2003) in the Lindqvist case. C-101 § 24.

  37.

    The Information Commissioner formulated eight questions to help data controllers identify whether certain data are personal data. If the answer to one of those questions is affirmative, it is likely that the processing in question involves personal data in the Commissioner’s view. The questions are the following: 1) Can a living individual be identified from the data, or, from the data and other information in your possession, or likely to come into your possession? 2) Does the data ‘relate to’ the identifiable living individual, whether in personal or family life, business or profession? 3) Is the data ‘obviously about’ a particular individual? 4) Is the data ‘linked to’ an individual so that it provides particular information about that individual? 5) Is the data used, or is it to be used, to inform or influence actions or decisions affecting an identifiable individual? 6) Does the data have any biographical significance in relation to the individual? 7) Does the data focus or concentrate on the individual as its central theme rather than on some other person, or some object, transaction or event? 8) Does the data impact or have the potential to impact on an individual, whether in a personal, family, business or professional capacity?

  38.

    Austria and Switzerland have adopted the same approach (see Bygrave and Schartum 2009, 168).

  39.

    The Court has even gone so far as to recognise privacy protection to firms and business activities, which is a non-mandatory feature of data protection regulation (which optionally allows Member States to recognise data protection rights not only to natural persons but also to legal persons).

  40.

    Some provisions of the e-privacy Directive 2002/58/EC extend to legal persons. Article 1 thereof provides that ‘2. The provisions of this Directive particularise and complement Directive 94/46/EC for the purposes mentioned in paragraph 1. Moreover, they provide for protection of the legitimate interests of subscribers who are legal persons.’ Accordingly, Articles 12 and 13 extend the application of some provisions concerning directories of subscribers and unsolicited communication also to legal persons.

References

  • Article 29 Working Party. 2007. Opinion 4/2007 on the concept of personal data. http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2007/wp136_en.pdf. Accessed 2 Jan 2011.

  • Article 29 Working Party. 2008. Opinion 1/2008 on data protection issues related to search engines. http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2008/wp148_en.pdf. Accessed 2 Jan 2011.

  • Bensoussan, Alain. 2008. Informatiques et libertes. Paris: Éditions Francis Lefebvre.

  • Bianca, Cesare Massimo, Francesco Donato Busnelli. 2007. La Protezione dei Dati Personali. Tomo II. Milano: CEDAM.

  • Bygrave, Lee A., and Dag Wiese Schartum. 2009. Consent, proportionality and collective power. In Reinventing data protection? ed. Serge Gutwirth et al, 157–174. Springer.

  • Buttarelli, Giovanni. 2009. Speaking points of the Assistant European Data Protection Supervisor on the Council Working Group on e-Justice and interconnection of insolvency registers. http://www.edps.europa.eu/EDPSWEB/webdav/shared/Documents/EDPS/Publications/Speeches/2009/09-07-15_eJustice_insolvency_EN.pdf. Accessed 4 Jan 2011.

  • Carey, Peter. 2000. Data protection in the UK. London: Blackstone Press.

  • Carey, Peter. 2004. Data protection: A practical guide to UK and EU law. 2nd ed. Oxford: Oxford University Press.

  • Clayton, Richard. 2008. The Phorm ‘Webwise’ system, http://www.cl.cam.ac.uk/~rnc1/080518-phorm.pdf. Accessed 7 Nov 2010.

  • Committee of Ministers of the Council of Europe. 1997. Recommendation No. R (97) 5E on the Protection of Medical Data. https://wcd.coe.int/wcd/com.instranet.InstraServlet?command=com.instranet.CmdBlobGet&InstranetImage=564487&SecMode=1&DocId=560582&Usage=2. Accessed 4 Jan 2011.

  • De Hert, Paul and Gutwirth, Serge. 2009. Data protection in the case law of Strasbourg and Luxemburg: Constitutionalisation in action. In Reinventing data protection?, ed. Serge Gutwirth et al., 3–44. Springer.

  • Doneda, Danilo and Viola de Azevedo Cunha, Mario. 2010. Data protection as a trade resource in Mercosur. In The Law of Mercosur, ed. Marcílio Toscano Franca Filho et al., 365–386. Oxford: Hart.

  • England and Wales Court of Appeal. 2003. Durant case. http://www.hmcourts-service.gov.uk/judgmentsfiles/j2136/durant-v-fsa.htm. Accessed 5 Dec 2010.

  • European Commission. 2010. Draft Communication from the Commission to the European Parliament, the Council, the Economic and Social Committee and the Committee of the Regions [COM(2010) 609 final]. http://ec.europa.eu/justice/news/consulting_public/0006/com_2010_609_en.pdf. Accessed 3 Jan 2011.

  • European Court of Human Rights. 2002. Société Colas Est v. France case. Application n 37971/97. http://cmiskp.echr.coe.int/tkp197/view.asp?item=1&portal=hbkm&action=html&highlight=37971/97&sessionid=64275468&skin=hudoc-en. Accessed 4 Jan 2011.

  • European Court of Justice. 2003. Lindqvist case (C-101). http://curia.europa.eu/jurisp/cgi-bin/gettext.pl?lang=en&num=79968893C19010101&doc=T&ouvert=T&seance=ARRET. Accessed 5 Jan 2011.

  • European Data Protection Supervisor. 2008. Opinion of 20 May 2008 on the proposal for a Regulation of the European Parliament and of the Council on European Statistics (COM(2007) 625 final). http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2008/08-05-20_Statistics_EN.pdf. Accessed 25 Jan 2010.

  • European Data Protection Supervisor. 2007. Opinion of 5 September 2007 on the proposal for a Regulation of the European Parliament and of the Council on Community statistics on public health and health and safety at work (COM(2007) 46 final). http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2007/07-09-05_Statistics_health_data_EN.pdf. Accessed 4 Jan 2011.

  • European Data Protection Supervisor. 2011. Opinion of 18 January 2011 on the Communication from the Commission to the European Parliament, the Council, the Economic and Social Committee and the Committee of the Regions—“A comprehensive approach on personal data protection in the European Union”. http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2011/11-01-14_Personal_Data_Protection_EN.pdf. Accessed 9 Jan 2011.

  • European Parliament. 2010. SWIFT: MEPs to Vote on Backing or Sacking EU/US Data Sharing Deal, http://www.europarl.europa.eu/news/public/story_page/019-68537-039-02-07-902-20100205STO68536-2010-08-02-2010/default_en.htm. Accessed 19 Feb 2010.

  • French Act. 1978. n 78–17 on data processing, data files and individual liberties, http://www.cnil.fr/fileadmin/documents/en/Act78–17VA.pdf. Accessed 1 Aug 2011.

  • Garante per la protezione dei dati personali, Relazione. 2004. L’attuazione del Codice nel quadro della Costituzione per l’Europa. http://www.garanteprivacy.it/garante/document?ID=1093820. Accessed 15 Dec 2010.

  • Garante per la protezione dei dati personali Provvedimento del 25 luglio. 2007. http://www.garanteprivacy.it/garante/doc.jsp?ID=1434791. Accessed 22 Dec 2010.

  • Gediel, José Antônio Peres and Corrêa, Adriana Espíndola. 2008. Proteção jurídica de dados pessoais: A intimidade sitiada entre o Estado e o Mercado. Revista da Faculdade de Direito—UFPR 47: 141–153.

  • Information Commissioner’s Office. 2001. Data Protection Act 1998. Legal guidance, http://www.ico.gov.uk/upload/documents/library/data_protection/detailed_specialist_guides/data_protection_act_legal_guidance.pdf. Accessed 4 Jan 2011.

  • Information Commissioner’s Office. 2007. Data protection technical guidance determining what is personal data. http://www.ico.gov.uk/upload/documents/library/data_protection/detailed_specialist_guides/personal_data_flowchart_v1_with_preface001.pdf. Accessed 5 Dec 2010.

  • Information Commissioner’s Office. 2008. What is personal data?—A quick reference guide. http://www.ico.gov.uk/upload/documents/library/data_protection/detailed_specialist_guides/160408_v1.0_determining_what_is_personal_data_-_quick_reference_guide.pdf. Accessed 5 Dec 2010.

  • Information Commissioner’s Office. 2009. The guide to data protection. http://www.ico.gov.uk/upload/documents/library/data_protection/practical_application/the_guide_to_data_protection.pdf. Accessed 4 Jan 2011.

  • Kuner, Christopher. 2003. European data protection law and online business. Oxford: Oxford University Press.

  • Kuner, Christopher. 2007. European data protection law—corporate compliance and regulation. Oxford: Oxford University Press.

  • Lacoste, Jean-Marc. 2008. Pour une pleine et entière reconnaissance du droit à la protection des données à caractère personnel. Dissertation, Université de Toulouse.

  • Laffaire, Marie-Laure. 2005. Protection des données à caractere personnel. Paris: Éditions d’organisation.

  • Mallet-Poujol, Nathalie. 2006. Protection de la vie privée et des données personnelles (Unofficial translation by the author). Legamedia, Février 2006, http://www.educnet.education.fr/chrgt/guideViePrivee.pdf. Accessed 1 Aug 2011.

  • Murray, Thomas H. 1997. Genetic exceptionalism and ‘Future diaries’: Is genetic information different from other medical information? In Genetic secrets: Protecting privacy and confidentiality in the genetic era, ed. Mark A. Rothstein, 60–76. New Haven: Yale University Press.

  • Nouwt, Sjaak. 2009. Towards a common European approach to data protection: A critical analysis of data protection perspectives of the Council of Europe and the European Union. In Reinventing data protection?, ed. Serge Gutwirth et al., 275–292. Springer.

  • Nugter, A. C. M. 1990. Transborder flow of personal data within the EC: A comparative analysis of the privacy statutes of the Federal Republic of Germany, France, the United Kingdom and the Netherlands and their impact on the private sector. Deventer: Kluwer Law and Taxation.

  • Ohm, Paul. 2009. Broken promises of privacy: Responding to the surprising failure of anonymization. University of Colorado Law School Legal Studies Research Paper No. 09–12, http://ssrn.com/abstract=1450006. Accessed 7 Nov 2010.

  • Reding, Viviane. 2011. The upcoming data protection reform for the European Union. International Data Privacy Law 1 (1): 3–5.

  • Sarmento e Castro, Catarina. 2005. Direito da informática, privacidade e dados pessoais. Coimbra: Almedina.

  • Sweeney, Latanya. 2000. Foundations of Privacy Protection from a Computer Science Perspective, http://dataprivacylab.org/projects/disclosurecontrol/paper1.pdf. Accessed 22 Feb 2011.

  • Tribunale di Roma, Sent. 2000. http://www.ictlex.net/?p=784. Accessed 1 Aug 2011.

  • Viola de Azevedo Cunha, Mario et al. 2010. La re-identificazione dei dati anonimi e il trattamento dei dati personali per ulteriori finalità: sfide alla privacy. Ciberspazio e Diritto 11 (4): 641–658.

  • Walden, Ian. 2002. Anonymising personal data. International Journal of Law and Information Technology 10 (2): 224–237.

Acknowledgement

I would like to acknowledge and thank Mike Wiesmeier for his valuable proofreading assistance which helped to make the text much more readable. However, any mistake and lack of clarity remains entirely my fault.

Author information

Correspondence to Mario Viola De Azevedo Cunha.

Copyright information

© 2012 Springer Science+Business Media B.V.

Cite this chapter

Viola De Azevedo Cunha, M. (2012). Review of the Data Protection Directive: Is There Need (and Room) For a New Concept of Personal Data?. In: Gutwirth, S., Leenes, R., De Hert, P., Poullet, Y. (eds) European Data Protection: In Good Health?. Springer, Dordrecht. https://doi.org/10.1007/978-94-007-2903-2_13
