1.
Introduction ^
2.
The concept of personal data within the EU data protection framework ^
2.1.
Identifiabilit ^
A person is identifiable, if they can be identified directly through data held by a data controller or indirectly through such data in combination with data held by others5 provided the data held by others is available to the data controller by means he is reasonably likely to use to identify the individual in question6. The obligations imposed on a data controller under the EU data protection framework only apply to the processing of personal data7. With certain exceptions8, the processing of data «rendered anonymous in such a way that the data subject is no longer identifiable»9 falls out with the scope of EU data protection law.
2.2.
Pseudonymous data ^
The Industry, Research and Energy Committee’s (ITRE) and the Committee on the Internal Market and Consumer Protection (IMCO), in their opinions on the draft Regulation13, go even further by suggesting that the processing of personal data should – as a general rule – be lawful if only pseudonymised data are processed14. To this end, the ITRE opinion suggests the inclusion of an additional legal ground, which would allow the processing of pseudonymised data to safeguard the legitimate interests pursued by a controller «except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child»15. Both Committees justify their amendments by a need to recognize different categories of personal data and to afford them different treatment. The IMCO Committee also argues that the use of pseudonymous data will encourage good business practice safeguarding the interests of data subjects16.
«Ensuring that personal data cannot be attributed to a data subject (since it cannot be related back to a data subject without use of additional data) helps to further promote business use of data while providing a high level of consumer protection.»17
Similarly, the LIBE rapporteur, Jan Albrecht, in his explanatory statement, clarifies that he sees the relevant amendments as a way to encourage the anonymous and pseudonymous use of services. Data controllers should be rewarded for the use of pseudonymous data through «alleviations with regard to [their] obligations»18.
2.3.
Removing personally identifiable information: a discredited approach? ^
«legislators have long relied on robust anonymization to deliver the best-of-both-worlds: the benefits of information flow and strong assurances of privacy […] [t]he failure of anonymization has exposed this reliance as misguided, and has thrown carefully balanced statutes out of equilibrium.»22
3.
The trouble with privacy harms: there’s just no there there ^
3.1.
Harm as individualised damage or distress ^
While the damages provisions in section 13 of the DPA have attracted widespread criticism28, the need for the existence of either individualized financial loss or distress is not generally questioned. At the same time, the absence of significant case law where data subjects have brought successful claims for damages under section 13 demonstrates the difficulties data subjects face when to rely on that cause of action in court. On the contrary, in the case of Douglas & Ors v Hello! Ltd & Ors, which concerns the unauthorized publication of photos of Michael Douglas and Catherine Zeta Jones’ wedding by Hello! Magazine, the High Court ruled that while the conditions of section 13 were certainly fulfilled, it did «not see it as adding a separate route to recovery for damage or distress beyond a nominal award [of £50]»29. Similarly, in the later case of Campbell v MGN Ltd., the House of Lords found that a claim under the DPA «adds nothing» to a claim for breach of confidence that was part of the same action30. More recently, in the case of Halliday v Creation Consumer Finance Ltd (CCF), the Court of Appeal gave some guidance on the way in which it assessed the element of distress. The appellant, Mr Halliday, had purchased a television set through a credit arrangement with Creation Consumer Finance Ltd (CCF). Protracted dealings and court proceedings between the parties resulted after CCF committed numerous data breaches, which included providing incorrect data concerning Mr Halliday to a credit referencing agency; that data was then made available to third parties for a period of four months. While the Court acknowledged that the appellant would have felt «frustration at these prolonged and protracted events», it found «no contemporary evidence of any manifestation of injury to feelings and distress» and consequently decided that «the sum to be awarded should be of a relatively modest nature since it is not the intention of the legislation to produce some kind of substantial award»31. Similarly, in 2013 the First-tier Tribunal (Information Rights) overturned two monetary penalty notices issued by the Information Commissioner against data controllers on the basis that their breaches of the DPA did not create a likelihood of causing substantial damage or substantial distress.32 While the Tribunal accepted in Christopher Niebel v The Information Commissioner that the data protection breach – the sending of unsolicited text messages without consent – was likely to cause widespread irritation, it was unlikely that it would cause data subjects actual distress. This shows that the concepts of damage and distress do not form a sound basis for the enforcement of data protection principles and the protection of individuals from privacy harms.
4.
Invisible harms ^
4.1.
Purpose limitation ^
European data protection law is underpinned by the concept of purpose limitation. Data collected for one purpose must not be used for other incompatible purposes33. The principle is designed to ensure that data subjects are at all times aware who is using their data and in what context. In its 2013 Opinion on purpose limitation34 the Article 29 Working Party highlights the principle’s importance for maintaining an adequate «information power balance» between the data subject, the data controller and any third parties that might be interested in further processing the personal data in question. It also advises particular caution with regard to a change in purpose if «the data subjects, or any third party on their behalf, were obliged to provide the data under law»35 or if the data collection is based on a contractual relationship where one party is in a significantly weaker bargaining position. It emphasizes that in those cases «the balance of power between the data subject and the data controller […] should be examined»36.
4.2.
Data minimisation ^
5.
Conclusion ^
Judith Rauhofer
Lecturer in IT Law, University of Edinburgh, Scottish Centre for Research in Intellectual Property and Technology Law
Old College, South Bridge, Edinburgh EH8 9YL, UK
judith.rauhofer@ed.ac.uk; http://www.law.ed.ac.uk
- 1 18 December 2000,OJ C364/1.
- 2 25 January 2012, COM(2012) 11.
- 3 OJ L 281, p. 31–50.
- 4 Article 2(a), Data Protection Directive.
- 5 Ibid.
- 6 Recital 26, Data Protection Directive.
- 7 Article 3(1), Data Protection Directive.
- 8 For example, Article 5(3) of Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector (OJ L 201, p. 37–47) restricts the use of cookies without the internet user’s informed consent. This is regardless of whether the information collected by the cookie in question can ultimately be linked to an identifiable individual.
- 9 Recital 26, Data Protection Directive.
- 10 Report on the proposal for a regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (COM(2012)0011 – C7-0025/2012 – 2012/0011(COD)), Committee on Civil Liberties, Justice and Home Affairs’ Rapporteur: Jan Philipp Albrecht, Brussels, 21 November 2013.
- 11 Emphasis by the author.
- 12 Article 6(1)(f), Data Protection Regulation.
- 13 Opinion of the Committee on the Internal Market and Consumer Protection on the proposal for a regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (COM(2012)0011 – C7-0025/2012 – 2012/0011(COD)); Rapporteur: Lara Comi, 21 January 2013, Amendment 75; and Opinion of the Industry, Research and Energy Committee on the proposal for a regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (COM(2012)0011 – C7-0025/2012 – 2012/0011(COD)); Rapporteur: Seán Kelly, 23 February 2013, Amendment 101.
- 14 However, it should be noted that In the case of the ITRE opinion, the new legal ground would only apply «where the data is adequately protected», see ITRE opinion, Fn. 13, Amendment 101.
- 15 Ibid.
- 16 IMCO opinion, Fn. 13, Amendment 107.
- 17 Ibid.
- 18 LIBE report, Fn. 10, Explanatory Statement, p. 200.
- 19 Ohm, Broken promises of privacy: Responding to the surprising failure of anonymization, (2010) UCLA Law Review, Vol. 57, p. 1701.
- 20 Ibid.
- 21 Ibid., p. 1706.
- 22 Ibid., p. 1725.
- 23 Ibid., p. 1735.
- 24 Ibid., p. 1739.
- 25 SeeNarayanan/Shmatikov, Robust De-Anonymization of Large Sparse Datasets, IEEE Symposium on Security and Privacy (2008), p. 111, at 9.
- 26 Article 23(1), Data Protection Directive.
- 27 Section 55A, DPA.
- 28 Most recently from Lord Justice Leveson in his report on the culture, practices and ethics of the press, who proposed that the DPA should be amended so that compensation can be awarded regardless of pecuniary loss, seeLeveson LJ, An inquiry into the culture, practices and ethics of the press, The Stationer Office, 29 November 2012, Part H, Chapter 5, para 2.61; available at http://www.official-documents.gov.uk/document/hc1213/hc07/0780/0780.asp; last visited on 6 January 2014. Leveson’s proposal has also been welcomed by the Information Commissioner, who highlights that the European Commission have questioned whether the UK has properly implemented the Data Protection Directive in this respect, see ICO, The Information Commissioner’s Response to the Leveson Report on the Culture, Practices and Ethics of the Press, 7 January 2013, p. 11; available at http://www.ico.org.uk/about_us/consultations/ ~/media/documents/consultation_responses/ico_response_to_leveson_report_012013.ashx, last visited on 6 January 2014. The need to have suffered financial damages before a claim on the basis of distress can be made was also questioned by Tugenhat J in Vidal-Hall and others v Google Inc [2014] EWHC 13 (QB), 16 January 2014.
- 29 Douglas & Ors v Hello! Ltd & Ors [2003] EWHC 786 (Ch) (11 April 2003), at para. 239.
- 30 Campbell v MGN Ltd [2004] UKHL 22 (6 May 2004), at para. 130.
- 31 Halliday v Creation Consumer Finance Ltd (CCF) [2013] EWCA Civ 333 (15 March 2013), at para. 35. Emphasis added by the author.
- 32 Scottish Borders Council v The Information Commissioner, EA/2012/0212, 21 August 2013 and Christopher Niebel v. The Information Commissioner (EA/2012/2060), 14 October 2013.
- 33 Article 6(1)(b), Data Protection Directive.
- 34 Opinion 03/2013 on purpose limitation, WP203, 2 April 2013; available at http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2013/wp203_en.pdf; last visited on 6 January 2014.
- 35 Ibid., p. 24.
- 36 Ibid.
- 37 Directive on the use of Passenger Name Record data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime, COM(2011) 32 final, Brussels, 2 February 2011.
- 38 Proposal for a directive on the use of passenger name record data in the EU:- press conference by Cecilia MALMSTRÖM, European Commissioner for Home Affairs, 2 February 2011. An audio recording of the press conference (Reference 75222) can be accessed via the European Commission’s Audio-visual Service at http://ec.europa.eu/avservices/audio/audioDetails.cfm?ref=75222&sitelang=fr; last visited on 6 January 2014.
- 39 Ibid., at 2:38, 29:57 and 28:39.
- 40 Solove, Nothing to Hide: The False Tradeoff between Privacy and Security, Yale university Press, New haven and London, (2011), p. 28.
- 41 Article 5(1)(c), draft Data Protection Regulation.
- 42 For a detailed exploration of this phenomenon seePariser, The Filter Bubble: What The Internet Is Hiding From You, Penguin Books, London, (2011).
- 43 For a more recent exploration of these issues, seeNewman, The Costs of Lost Privacy: Consumer Harm and Rising Economic Inequality in the Age of Google (2013); available at SSRN: http://ssrn.com/abstract=2310146, last visited on 6 January 2014.
- 44 The crime maps can be accessed by postcode viahttp://www.police.uk, last visited on 6 January 2014.
- 45 This brings to mind the American Civil Liberties Union’s famous spoof «pizza video», in which the customer of a pizza delivery service is charged a surcharge because the driver is forced to deliver to an orange zone. The video can be accessed at https://www.aclu.org/ordering-pizza, last visited on 6 January 2014.
- 46 Geer, Tradeoff in Cyber Security, Keynote delivered to the University of North Carolina Cyber Security Symposium, 9 October 2013; available at http://geer.tinho.net/geer.uncc.9x13.txt, last visited on 6 January 2014.