New EU General Data Protection Regulation – Advice Note 2 (Territorial Scope and New Definition of Personal Data)
Territorial Scope and New Personal Data Definition
A number of our non-EU clients have expressed considerable alarm about the GDPR, probably because of the volume of articles being generated in the technology industry press. Be aware, however, that whilst the final text of the GDPR is unlikely to differ widely from the draft language already provisionally agreed, (a) formal adoption of the GDPR is not expected until June or July 2016, and (b) it will not become law for a further two years. The good news is that this gives everybody plenty of time to get used to the new regime and to start preparing for it.
In this, our second blog about the new draft EU General Data Protection Regulation (“GDPR”), I am going to look at the proposed extension to the territorial scope of European law on data privacy and at the definition of what constitutes personal data. I will also compare the GDPR provisions with the corresponding provisions of the current EU Directive 95/46 EC (the “Original EU Data Protection Directive”).
Territorial Scope – It got bigger and it got clearer
Under the Original EU Data Protection Directive, the geographical scope provisions were never very clear. The old Article 3 simply provided that the Directive would apply to the processing of personal data wholly or partly by automatic means. The European Union has been playing catch-up since 1995 in terms of clarifying how and when non-EU based providers would be caught by the fell hand of the EU data protection regime.
Article 3 of the GDPR makes very clear that the GDPR applies to the processing of personal data of data subjects who are in the EU if the processing relates either to the offering of goods or services in the EU or to the monitoring of the behaviour of data subjects in the EU. It applies irrespective of where the data controller is based, and it applies even if the processing occurs outside the EU.
Personal Data – What is covered?
The meaning of “personal data” in the Original EU Data Protection Directive is given as “any information relating to an identified or identifiable natural person (data subject); and an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity”.
Arguing about what constitutes personal data in the real world under that definition has spawned a veritable industry of legal challenges and court cases: for example, whether a fixed IP address should constitute personal data in the hands of a telecommunications service provider, or of anyone with the ability to cross-reference an IP address with a particular computer or set of computers, and loads of equally fun stuff. It has made so many lawyers so much money that I should probably mourn its potential passing, but since there will always be room for another legal challenge somewhere else, I am quietly confident that none of us will go short of food as a result of this one changing.
In the GDPR, “personal data” is defined as “any information relating to a data subject”, and a “data subject” is defined as “an identified natural person or a natural person who can be identified, directly or indirectly, by means reasonably likely to be used by the controller or by any other natural or legal person, in particular by reference to an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person”.
Significantly, the new language catches the use of IP addresses and tracking cookies to identify natural persons, and is intended to catch all current and future wheezes used by data mining companies and other organisations to understand (in particular) the online behaviour of individuals, as well as their various interactions in the real world.
If you would like to understand more about the EU data protection regime, please contact [email protected].