This post is the first in a series of posts that the Fieldfisher Privacy, Security and Information team have published on forthcoming changes under Europe’s new General Data Protection Regulation (the “GDPR“). Originally published while the EU legislative “trilogue” procedure was ongoing (for an explanation of the trilogue, see here), it has now been updated to reflect the final agreed version of the GDPR text.
The GDPR, like the Directive today and – indeed – any data protection law worldwide, protects “personal data”. But understanding what constitutes personal data often comes as a surprise to some organizations. Are IP addresses personal data, for example? What about unique device identifiers or biometric identifiers? Does the data remain personal if you hash or encrypt it?
What does the law require today?
Today, the EU definition of “personal data” is set out in the Data Protection Directive 95/46/EC. It defines personal data as “any information relating to an identified or identifiable natural person” (Art. 2(a)), and specifically acknowledges that this includes both ‘direct’ and ‘indirect’ identification (for example, you know me by name – that’s direct identification; you describe me as “the Fieldfisher privacy lawyer working in Silicon Valley” – that’s indirect identification).
The Directive also goes on to say that identification can be by means of “an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity”. This has caused a lot of debate in European privacy circles – could an “identification number” include an IP address or cookie string, for example? The Article 29 Working Party has previously issued comprehensive guidance on the concept of personal data, which made clear that EU regulators were minded to treat the definition of “personal data” as very wide indeed (by looking at the content, purpose and result of the data). And, yes, they generally think of IP addresses and cookie strings as personal – even if organizations themselves do not.
This aside, EU data protection law also has a separate category of “special” personal data (more commonly referred to as “sensitive personal data”). This is personal data that is afforded extra protection under the Directive, and is defined as data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and health or sex life. Data relating to criminal offences is also afforded special protection. Oddly, though, financial data, social security numbers and child data are not protected as “sensitive” under the Directive today.
What will the General Data Protection Regulation require?
The final text of the GDPR agreed between the Commission, Council and Parliament on 15 December 2015 tries to clear up some of the ambiguities that exist today, and even to widen the personal data net in a couple of instances – for example, with respect to sensitive personal data. In particular:
- Personal data and unique identifiers: The GDPR makes clear that the concept of personal data includes online identifiers and location data – meaning that the legal definition of personal data now puts beyond any doubt that IP addresses, mobile device IDs and the like are all personal and must be protected accordingly. This means that these types of data will now be subject to fairness, lawfulness, security, data export and other data protection requirements just like every other type of ‘ordinary’ personal data.
- Pseudonymous data: The GDPR introduces a new concept of “pseudonymous data” – in simple terms, personal data that has been subjected to technological measures (like hashing or encryption) such that it no longer directly identifies an individual without the use of additional information. Pseudonymous data is still considered a type of personal data and so is subject to the requirements of the GDPR. On the plus side though, organizations that pseudonymize their data will benefit from relaxations of certain provisions of the GDPR, in particular with respect to data breach notification requirements (because loss of pseudonymised data is unlikely to create risk of harm – Arts 33 and 34), possible exemption from the need to comply with data subject access, correction, erasure and data portability requests (Art 11), and greater flexibility to conduct data profiling without data subject consent (since processing of pseudonymised data is unlikely to ‘significantly affect’ a data subject – Art 22). The GDPR also encourages pseudonymization in the interests of enhancing security and as a privacy by design measure. Put simply, organizations will have very strong incentives to employ data pseudonymisation technologies under the GDPR to mitigate their compliance obligations and manage their risks.
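The “additional information” point above is what separates real pseudonymisation from a cosmetic one. The following added example (not from the original post or from Fieldfisher) contrasts an unkeyed hash of an IP address, which anyone can reverse by enumerating the small candidate space, with an HMAC under a secret key that the controller stores separately; the sample address and the key handling are constructed for illustration.

```python
import hashlib
import hmac
import ipaddress
import secrets
from typing import Iterable, Optional

def unkeyed_pseudonym(value: str) -> str:
    """Plain SHA-256 of an identifier. No secret is involved, so anyone who
    can enumerate plausible inputs can re-identify the value."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()

def keyed_pseudonym(value: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key held only by the controller. The key is
    the 'additional information' needed to link the pseudonym back to a person."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()

def re_identify(pseudonym: str, candidates: Iterable[str],
                key: Optional[bytes] = None) -> Optional[str]:
    """Self-check: does any candidate identifier map to this pseudonym?
    Without the key, only the unkeyed construction can be tried."""
    for candidate in candidates:
        guess = (keyed_pseudonym(candidate, key) if key is not None
                 else unkeyed_pseudonym(candidate))
        if hmac.compare_digest(guess, pseudonym):
            return candidate
    return None

# Constructed sample: one IPv4 address from the RFC 5737 documentation range
SAMPLE_IP = "192.0.2.17"
# The candidate space an outsider could trivially enumerate: every host in the /24
CANDIDATES = [str(host) for host in ipaddress.ip_network("192.0.2.0/24")]

def unkeyed_is_reversible() -> bool:
    # The unkeyed hash still 'relates to an identifiable person': it falls to enumeration
    return re_identify(unkeyed_pseudonym(SAMPLE_IP), CANDIDATES) == SAMPLE_IP

def keyed_is_reversible_without_key(key: bytes) -> bool:
    # An outsider holding only the HMAC output (and a 256-bit key they cannot guess)
    return re_identify(keyed_pseudonym(SAMPLE_IP, key), CANDIDATES) is not None

def keyed_is_linkable_with_key(key: bytes) -> bool:
    # The controller, holding the key, can still answer a subject access request
    return re_identify(keyed_pseudonym(SAMPLE_IP, key), CANDIDATES, key) == SAMPLE_IP

if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generated per deployment, stored apart from the data
    print("unkeyed hash reversible by enumeration:", unkeyed_is_reversible())
    print("keyed hash reversible without the key: ", keyed_is_reversible_without_key(key))
    print("keyed hash linkable with the key:      ", keyed_is_linkable_with_key(key))
```

Whether the keyed variant counts as pseudonymous rather than anonymous data turns on who can access the key, not on the hash function itself.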
- Genetic data and biometric data: The GDPR introduces specific definitions of “genetic data” (e.g. an individual’s gene sequence) and “biometric data” (i.e. fingerprints, facial recognition, retinal scans etc.). Genetic data and biometric data are both treated as sensitive personal data under the GDPR, affording them enhanced protections and generally necessitating individuals’ explicit consent where these data are to be processed. Large scale processing of genetic data and biometric data (and, indeed, any other category of sensitive personal data) will trigger a requirement for controllers to undertake a data protection impact assessment to identify potential risks involved in processing this data and measures taken to ensure compliance.
What are the practical implications?
For many institutions, the changes to the concept of personal data under the GDPR will simply be an affirmation of what they already know: that Europe applies a very protective approach when triggering personal data requirements.
Online businesses – especially those in the analytics, advertising and social media sectors – will be significantly impacted by the express description of online and unique identifiers as personal data, particularly when this is considered in light of the extended territorial reach of the GDPR. Non-EU advertising, analytics and social media platforms will likely find themselves legally required to treat these identifiers as personal data protected by European law, just as their European competitors are, and need to update their policies, procedures and systems accordingly – that, or risk losing EU business and attracting European regulatory attention. However, they will likely take (some) comfort from GDPR provisions allowing for data profiling on a non-consent basis if data is pseudonymized.
Beyond that, all organizations will need to revisit what data they collect and understand whether it is caught by the personal data requirements of the GDPR. In particular, they need to be aware of the extended scope of sensitive data to include genetic data and biometric data, attracting greater protections under the GDPR – particularly the need for explicit consent, unless other lawful grounds for processing exist.
Finally, some of the relaxations given to processing of pseudonymized data will hopefully serve to incentivize greater adoption by organizations of pseudonymization technologies. Inevitably, some will grumble at the cost of pseudonymizing datasets – but if doing so potentially reduces data breach notification requirements and the need to comply with data subject access, correction, erasure and portability rules, then this will serve as a powerful adoption incentive.