Feeds

When cookie spewers single you out, it IS personal, barks watchdog

Identifiers should be classed as 'personal data' – EU body

Designing a Defense for Mobile Applications

Information that can lead to individuals being "singled out and treated differently" should generally be classed as "personal data", an EU privacy body has recommended.

The Article 29 Working Party has outlined changes (45-page/410KB PDF) to how it wants 'personal data' to be defined, and to what information the term should apply to, within the European Commission's proposed General Data Protection Regulation. The draft text was published in January.

Whether information is deemed to be "personal data" is a fundamental issue in relation to data protection laws because the framework of rules governing data protection issues only apply to information that qualifies as personal data.

The Working Party's plans to change how "personal data" is defined by altering the definition, in the Commission's draft text, for the term "data subject". The definition of "personal data" is dependent on how "data subject" is defined. Under the draft Regulation "personal data" is defined as "any information relating to a data subject".

The Working Party recommended that the term "data subject" refer to: "an identified natural person or a natural person who can be identified, directly or indirectly, or singled out and treated differently, by means reasonably likely to be used by the controller or by any other natural or legal person, in particular by reference to an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person."

The draft Regulation also contains "recitals" which, although themselves not legally binding, flesh out in more detail what is to be meant by the definitions and other terms contained in the text.

The Working Party said that organisations should generally have to treat "cookie identifiers" and "Internet Protocol addresses" as personal data, according to changes it wants to make to one of the draft recitals.

It wants one of the recitals to read: "When using online services, individuals may be associated with online identifiers provided by their devices, applications, tools and protocols, such as Internet Protocol addresses or cookie identifiers. This may leave traces which, combined with unique identifiers and other information received by the servers, may be used to create profiles of the individuals and identify or single them out. It follows that identification numbers, location data, online identifiers or other specific factors as such should as a rule be considered personal data."

The Working Party's proposals differ markedly from the tone of what has been proposed by the Commission. The same recital it had drafted stated that "identification numbers, location data, online identifiers or other specific factors as such need not necessarily be considered as personal data in all circumstances."

In its opinion the Working Party defended the "new and positive elements" that have been drafted into the proposed new Regulation on rules around "consent". Obtaining individuals' consent to the processing of their personal data is one way in which organisations can legitimately conduct such activities.

Under the draft Regulation organisations would be required to obtain a "freely given specific, informed and explicit indication" of individuals' wishes through either a "statement or by clear affirmative action" in order to be said to have obtained that person's consent to the processing of their personal data.

The Working Party said that although others had challenged how feasible it is to obtain "explicit" consent, imposing such a requirement was "necessary to truly enable data subjects to exercise their rights". This is especially the case "on the internet where there is now too much improper use of consent," it said, claiming that it would be "highly undesirable should this important clarification be deleted from the text".

Under the draft reforms the European Commission would be able to draft a series of "implementing" or "delegating" acts in order to provide more detail on the precise workings of some of the measures included in the Regulation text. The Working Party said, though, that it has "some reservations with regard to the extent the Commission would be empowered to adopt such acts".

It has suggested that, whilst some implementing or delegated acts may be justified for some aspects of the Regulation, it may be better for the body that is set to replace it following the reforms – the European Data Protection Board (EDPB) – to instead issue "guidelines" on how organisations should interpret those aspects of the legislative text.

The EDPB should be tasked with producing guidance that helps set out when organisations can claim to have an overriding "legitimate interest" in processing personal data, even where individuals have not consented to the activity, the Working Party suggested. Guidance on the issue, it said, would provide for "the necessary flexibility" and be instead of a "delegated act".

"It would seem more appropriate that the EDPB issues guidelines regarding in which circumstances the ground ‘legitimate interest’ can be invoked and how to assess whether such interests are overridden by the interests or fundamental rights and freedoms of the data subject, amongst others by providing concrete examples," the Working Party said.

A further example of guidance the EDPB could issue, the watchdog said, would be on what is meant by "safeguards" organisations would have to have in place, under the terms of the draft Regulation, in order to process sensitive personal information, such as individuals' health records.

"Since establishing what constitute appropriate safeguards can only be done on a case by case basis, it would be impossible to provide further guidance in a legally binding document," the Working Party said. "Therefore a more flexible instrument would be most appropriate to provide further guidance on what could be appropriate safeguards."

The privacy body said that "non-exhaustive examples" of the safeguards could also be written into one of the recitals of the Regulation, whilst the legislative text should also set out more detail on the circumstances in which it would be said to be legitimate to process sensitive personal data when that processing is in the public interest, it added.

This is the second time the Working Party has published its views on the Commission's proposed data protection reforms. EU ministers, business groups and regulators have been among those to raise concerns with aspects of what the Commission has drafted.

Copyright © 2012, Out-Law.com

Out-Law.com is part of international law firm Pinsent Masons.

Using blade systems to cut costs and sharpen efficiencies

More from The Register

next story
BBC goes offline in MASSIVE COCKUP: Stephen Fry partly muzzled
Auntie tight-lipped as major outage rolls on
iPad? More like iFAD: We reveal why Apple fell into IBM's arms
But never fear fanbois, you're still lapping up iPhones, Macs
Nadella: Apps must run on ALL WINDOWS – PCs, slabs and mobes
Phone egg, meet desktop chicken - your mother
White? Male? You work in tech? Let us guess ... Twitter? We KNEW it!
Grim diversity numbers dumped alongside Facebook earnings
Microsoft: We're making ONE TRUE WINDOWS to rule us all
Enterprise, Windows still power firm's shaky money-maker
HP, Microsoft prove it again: Big Business doesn't create jobs
SMEs get lip service - what they need is dinner at the Club
ITC: Seagate and LSI can infringe Realtek patents because Realtek isn't in the US
Land of the (get off scot) free, when it's a foreign owner
Dude, you're getting a Dell – with BITCOIN: IT giant slurps cryptocash
1. Buy PC with Bitcoin. 2. Mine more coins. 3. Goto step 1
There's NOTHING on TV in Europe – American video DOMINATES
Even France's mega subsidies don't stop US content onslaught
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Reducing security risks from open source software
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.