
D11.1: Collection of Topics and Clusters of Mobility and Identity – Towards a Taxonomy of Mobility and Identity


Data Protection Terms

An overview of data protection terminology

In the general frame of taxonomy, a short presentation of the basic terms related to data protection is deemed necessary. Therefore, the term ‘personal data’ is defined as ‘any information relating to an identified or identifiable natural person (‘data subject’)’; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his/her physical, physiological, mental, economic, cultural or social identity.

 

Although the Data Protection Directive tried to harmonise the processing of personal data and the free movement of such data, there are still enough differences between the Member States with regard to the term ‘personal data’, especially where it refers to an ‘identified or identifiable natural person’. Despite the efforts of the European legislator to give a pan-European meaning to this term, there is still a categorisation into a ‘relative’ and a ‘non-relative’ concept of personal data. According to the relative concept, data are ‘personal’ for someone who can link them to an identified individual, but not for someone who cannot make such a link. This approach seems to be supported by Recital 15, which states that the processing of sound and image data is only subject to the Directive if that processing is automated or if the data processed are contained in a filing system structured according to specific criteria relating to individuals, so as to permit easy access to the personal data in question.

 

The concept of ‘identifiability’ plays an important role for the legal status of all not fully (or not immediately) identifiable data, such as encoded or pseudonymous data, as well as sound and image data and IP addresses. The possibility of matching data processed by a computer to a specific person will depend on a number of factors, such as who is doing the matching and what their technical capabilities are, what type of data is involved, whether other data are available to aid the matching etc. As far as the Internet or other type of network that adopts an IP address architecture is concerned, the attribution of data to a specific person can be made easier with the implementation of static (instead of dynamic) IP addresses. Indeed, a fixed IP address is more likely to be qualified as personal data in the same way as license plate numbers or telephone numbers have qualified as personal data by the national data protection authorities.

 

In interpreting the term ‘personal data’, the most expansive approach should be followed. Recital 26 of the Data Protection Directive for example reads that in deciding whether data could be used to identify a particular person ‘account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the said person’. Moreover, the term ‘personal data’ should include all data about a person (including economic, professional etc. data) and not only data about the person’s personal life (Dammann and Simitis, 1997, p. 109). This breadth of the conception of personal data means that data is usually presumed to be ‘personal’, unless it can be clearly shown that it would be impossible to tie the data to an identifiable person (that is, unless the data is truly anonymous) (Kuner, 2003, p. 51).

An argument often raised by European Internet Service Providers in order to avoid the application of data protection legislation is that from the time a user sends his/her data via the Internet, these data are considered ‘public’ and not ‘personal’ and therefore do not fall under the scope of the European data protection legislation. However, the Italian Data Protection Authority (DPA) held that participation in Internet newsgroups does not render the e-mail addresses of the participants public and therefore their collection and processing is only allowed in accordance with the data protection legislation (Kuner, C., 2003, pp. 52-53).

 

Although the directives do not include a definition of the term ‘sensitive data’, Article 8 of the Data Protection Directive describes them as ‘personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life’. This clarification is of seminal importance for the processing of the aforementioned data.

 

According to Article 2 (b) of the Data Protection Directive, ‘data processing’ is defined as ‘any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction’. It follows that the definition of processing is extraordinarily broad, so that it is difficult to conceive any operation performed on personal data which would not be covered by it. It is important to note that mere storage of personal data by the providers of publicly available electronic communications services or of a public communications network constitutes ‘data processing’, so that simply storing data on a server or other medium is deemed to be processing, even if nothing else is being done with the data.

In addition, the relevant data protection legislation defines three distinct categories of parties:

 

  • Data subject: the individual who is the subject of the personal data.

  • Data controller: a person (natural or legal) which alone or jointly with others “determines the purposes and means of the processing of personal data”.

  • Data processor: a third party who simply processes personal data on behalf of the data controller without controlling the contents or use of the data.

 

The classification of a natural/legal person as ‘data controller’ or ‘data processor’ is of great importance for several issues, such as who shall carry the obligations assigned to the ‘data controller’ by the Data Protection Directive and who is to define the details of the data processing. As a rule of thumb it can be said that the data controller is liable for violations of the data protection legislation, while the role of the data processor is reduced.

 

Under the regime established by the Data Protection Directive, a key concept is that of the ‘data subject’s consent’. If the data controller obtains the data subject’s consent then he/she is broadly free to process the personal data. The Directive defines ‘data subject’s consent’ as being freely given, specific and informed. It supplements this in the substantive provisions when referring to consent as being ‘unambiguously’ given. Indeed, the definition of ‘consent’ in the Data Protection Directive is quite restrictive, requiring that the data subject be clearly informed in advance of what he/she is consenting to and that any processing of the data going beyond what is disclosed to him/her will be deemed not to have been consented to, meaning that it will be invalid. Particular risks arise in the online environment since there is an increased danger that the data subject might not have been fully informed or might not understand exactly what he/she is consenting to.

Data Protection terminology in mobile networks

As regards the field of mobile electronic communications, the term ‘communication’ is of utmost importance. ‘Communication’ means ‘any information exchanged or conveyed between a finite number of parties by means of a publicly available electronic communications service. This does not include any information conveyed as part of a broadcasting service to the public over an electronic communications network except to the extent that the information can be related to the identifiable subscriber or user receiving the information’.

 

Furthermore, ‘traffic data’ means any data processed for the purpose of the conveyance of a communication on an electronic communications network or for the billing thereof. Such data must be erased or made anonymous when it is no longer needed for the purpose of the transmission of a communication. Traffic data that are needed for billing and interconnection payments may be processed until the end of the period during which the bill may lawfully be challenged or payment pursued. The Working Party 29 stipulated that this should ordinarily involve a routine storage period for billing of maximum 3-6 months, with the exception of particular cases of dispute where the data may be processed for a longer period. Processing of traffic data is also allowed for the purposes of marketing electronic communications services or for the provision of value added services, if the subscriber or user to whom the data relate has given his/her consent. However, any natural/legal person that already has the e-mail addresses (traffic data) of its customers may use them for direct marketing of its own similar products or services, without the consent of the customer. Suffice it to say that the customer may withdraw his/her consent at any time.

 

‘Location data’ means any data processed in an electronic communications network, indicating the geographic position of the terminal equipment of a user of a publicly available electronic communications service. Although the ePrivacy Directive does not make use of the term ‘Location Based Services’, Article 2(g) of the Directive defines the term ‘value added service’ as ‘any service which requires the processing of traffic data or location data other than traffic data beyond what is necessary for the transmission of a communication or the billing thereof’. Thus we could say that a Location Based Service (LBS) is a value added service which processes location data other than traffic data for purposes other than what is necessary for the transmission of a communication or the billing thereof.

 

It is worth mentioning that, according to the recent Data Retention Directive, traffic and location data can be retained for longer periods by derogation from the aforementioned provisions of the ePrivacy Directive. Specific categories of traffic and location data, as described in detail in Article 5 of the Data Retention Directive, shall be retained for periods of not less than six months and not more than two years from the date of the communication for the purpose of the investigation, detection and prosecution of serious crime. What falls under the term ‘serious crime’ will be determined by each Member State in its national law.

 

fidis-wp11-del11.1.mobility_and_identity_03.sxw
Denis Royer