Title: THE FIRST STEP: COLLECTION OF PERSONAL DATA AND OTHER INFORMATION

The collection of information, other than personal data

Any information can be used to construct profiles. Weather reports, environmental data, context, statistics, economical fluctuations, time, date, location of the AmI environment, do not fall within data protection law, as they do not relate to an identified or identifiable natural person (Data Protection Directive 95/46, article 2.a). Most of this information belongs to mankind and is part of our public domain, to use a term often used in copyright law.

The collector and/or processor of these data however, has to take into account that intellectual property rights may be at stake in case the information is part of a database or in case it is described or arranged in an original way such that it falls under copyright. Even the methods to collect information (and to process it in an intelligent way) may be an object of software patents or patented business models. In all these cases, when intellectual property rights on the data or on the databases exist, the collector must obtain a licence to use the data or the database. We will not further discuss the difficult issue of intellectual property law at this point in order to focus on the collection of personal data.  

The collection of personal data

Personal data form the corner stone for profiling in AmI environments. Two things should be questioned: First, what are personal data and second, when does data protection law apply to the collection of personal data to construct a profile. The legal basis for personal data protection in the EU can be found, mainly, in two directives: Data Protection Directive 95/46 and Directive 2002/58 on Privacy and Electronic Communications.

What are personal data and when is data protection law applicable?

Personal data are defined in the Data Protection Directive 95/46 as “any information relating to an identified or identifiable natural person (‘data subject’)”. An identifiable natural person is “one who can be identified directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity”(article 2.a.). Following the preamble of the directive, to determine whether a person is identifiable or not, “account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the said person” (considerans 26). In other words, the directive only does not apply in cases where no reasonable possibility exists of linking the personal data to an identified person.

Personal data are amongst others: one’s name, address and ip-address, phone number, number plate of a car, DNA, location, picture, telecommunication data, shopping record, etc. as far as the data can be linked directly or indirectly to an individual. The IP-address and mobile phone number can be linked with the user who is often the subscriber.

It is legally seen not relevant who can identify the data subject directly or indirectly (the data controller or another person) neither at what moment data subjects can be identified directly or indirectly (instantly or later). Two important questions arise.  

First, what if the data of persons are collected, while they cannot be linked to an individual? It can be the case when e.g. presence only is detected, or length or weight is measured, or when the movements of people in a supermarket are monitored. This can occur when RFID tags are integrated in shopping trolleys. By collecting these anonymous data, profiles of shopping people can be built.

Second, when does the directive apply and when is it not applicable? The legal definition of personal data must be read together with other provisions in the directive that exclude the application of the directive in some particular situations when personal data are collected, namely the collection of data

1. concerning legal persons (this follows from article 2 that restricts the application to data relating to natural persons);

2. carried out by a natural person in the exercise of activities which are purely personal or domestic, such as correspondence and the holding of records of addresses (article 3 par. 2);

3. carried out for the purposes of public security, defence, national security or in the course of State activities in areas of criminal law and other activities which do not come within the scope of Community law (article 3 par. 2);

4. rendered anonymous in such a way that the data subject is no longer identifiable (article 2, read together with considerans 26).

This is obviously of importance for the applicability of the directive on profiling practices because many group profiles can be built upon anonymous data. Constructors of group profiles are often not interested in a particular individual and do not need to process personal data that identify or can identify a particular individual. Often, identifiable characteristic(s) of an unidentifiable person can be of more value than the identified person itself. 

However, a combination of several anonymous data could make a person identifiable at the end of the day. This implies that all data collection and processing may eventually lead to the possible identification of a person. This could mean that, with hindsight, the directive should be applicable. At this moment it is still unclear how the courts will interpret the directive on this point. 

If anonymous data are valuable for the construction of group profiles and if identifiable characteristics can be even more important than identifiable persons, we can conclude that AmI environments that make use of group profiles do not need to identify persons. In that case the data protection directive will probably not be applicable. This would mean that natural persons will have no right or claims on the basis of the data protection directive to prevent group profiling. This has as a consequence that a subject has no control over the construction of group profiles that may (at a later stage) concern him of her.