DATA PROTECTION

2. CENTRAL DATA PROTECTION CONCEPTS

2.1 THE CONCEPT OF PERSONAL DATA

2.1.2 ANY INFORMATION

It is apparent that the notion of “any information” is indeed very broad.465 The Article 29 Data Protection Working Party (WP 29, now the EDPB) has provided some guidance on the interpretation of this wording. WP 29 considers that “any information” covers both objective and subjective information; it covers opinions and statements of the data subject as well as false information. Furthermore, WP 29 considers that the position of the data subject has no significance in the interpretation. In other words, information relating to persons acting in their professional capacity is personal data.466 Objective information is probably the most typical type of personal data. An example of this would be someone’s height or weight. This is also the type of information which can relatively easily be proven true or false. As WP 29 noted, information does not need to be correct to be considered personal data. It is easy to agree with WP 29 on this particular point; data protection legislation does contain different provisions providing the data subject with the right to rectify incorrect information.

The most intriguing analysis carried out by the WP 29 relates to subjective information. Subjective information would cover, for example, opinions and statements of the data subject. An analysis of an employee provides an example of subjective information. However, WP 29 does not take a stand on the question of whether subjective information should also cover opinions and statements by the data subject. However, WP 29’s quite far-reaching opinion stating that a drawing can be considered personal data, because it reveals the mood of a child, seems to indicate that opinions and statements by the data subject could also be considered personal data. Subjective information is evidently quite a challenging type of personal information. For example, a data subject’s right to rectify information is quite demanding to execute when it comes to subjective information.

Helsinki 30.12.2011, dnro 01026/11/1204; Decision of the Finnish Data Protection Board (tietosuojalautakunta) 2/2009, dnro 1/933/2008 and Case C-434/16, Nowak, ECLI:EU:C:2017:994.

463 Article 29 Data Protection Working Party, “Opinion 4/2007 on the concept of personal data”, 01248/07/EN WP 136, p. 6–21.

464 Ibid.

465 For terms data and information, see D. Erdos “From the Scylla to the Charybdis of License? Exploring the Scope of the ‘Special Purposes’ Freedom of Expression Shield in European Data Protection” in Common Market Law Review 52 (2015), 121–123.

466 Article 29 Data Protection Working Party, “Opinion 4/2007 on the concept of personal data”, 01248/07/EN WP 136, p. 6–7.

Besides the type of information, WP 29 has also drawn attention to the format of the information. It has clarified that the format has no significance when assessing whether the information is to be considered personal data. The information could be alphabetical, numerical, graphical, photographic, acoustic, etc., and still be considered personal data.467 This approach leans firmly on the CJEU’s case-law and national practice adopted in the Member States. In the Borax case, the CJEU decided that voices on audiotapes are personal data. Also, the nature of numerical and photographical information was assessed by national data protection authorities in several Member States when Google Street View launched its service in Europe. An example of this would be the Fonecta case examined by the Finnish Data Protection Board. This service and its collection of data are very much like Google Street View. The service provider argued that the collected data was not personal data at all.468 Contrary to the service provider’s argument, the Board held that pictures of people are personal data and that this was also the case regarding licence plate numbers. This decision was later upheld by the Court of Appeal.469

2.1.3 “RELATING TO”

European data protection legislation defines personal data as information relating to a natural person. The Charter of Fundamental Rights in turn states that everyone has the right to the protection of personal data concerning him or her. Different wording does not lead to contradiction here. The former defines personal data and the latter clarifies that the protection of personal data is the right of the data subject.

It suffices to note that with the reference “relating to”, all information about the data subject is covered. WP 29 has specified “that in order to consider that the data “relate” to an individual, a “content” element or a “purpose” element or a “result” element should be present”.470 Wachter and Mittelstadt provide an intriguing analysis of the interpretation of the concept of personal data by the CJEU. A particular focus has been on information which relates to the data subject, such as correction marks on an examination taken by the data subject.471 Not entirely satisfied with the CJEU’s general line of interpretation, the authors doubt in particular the CJEU’s approach in the YS e.a. case472, where the data subject was not given full access to information related to him, but only to a summary of it.473 The authors’ approach can be argued by the principle of good governance. However, when the definition of the scope of personal data is considered in very broad terms, it simultaneously widens the tension between public access to documents and protection of personal data. While the broad approach might ensure better data subject rights in general, it could simultaneously lead to an unnecessary restriction of public access to documents.

467 Ibid.

468 Decision of the Finnish Data Protection Board (tietosuojalautakunta) 4/2010, dnro 1/933/2010 and 4/932/2010; Decision of Administrative Court of Helsinki 30.12.2011, dnro 01026/11/1204.

469 Ibid.

470 Article 29 Data Protection Working Party, “Opinion 4/2007 on the concept of personal data”, 01248/07/EN WP 136, p. 12–15.

471 See Case C-434/16, Nowak, ECLI:EU:C:2017:994.

2.1.4 IDENTIFIABLE

The third element of the concept of personal data is “identifiable”. Someone is identifiable when this person can be distinguished from other persons. To meet the requirements laid down in European data protection legislation the person is either already recognized or, alternatively, it is possible to identify that person.474

To assess whether the person is identifiable, two elements should be taken into account. First, identification might take place in the future. Naturally, identification should be reasonably foreseeable. In other words, the endless possibilities of technological innovations do not suffice as such to make any information personal data. This is in particular the case when the information will not be stored for a long period of time.

Second, identification does not need to happen directly. Identification might take place, for instance, when a particular piece of information is combined with other information. A decision by the Finnish Data Protection Board provides a practical example of this. The Board concluded in its decision475 that licence plate numbers are personal data. In this particular case, the prospective data controller did not plan to have other information related to natural persons in its register.476 However, this did not play a central role in the Board’s assessment. The information needed for identification would have been easy to fetch from the nationwide register at very reasonable cost. Therefore, the Data Protection Board concluded that licence plate numbers are personal data. Even if this decision is based on national legislation477, several decisions and opinions taken by different data protection authorities in other EU Member States in Google Street View cases reflect a similar approach; in most cases Google is required to blur the licence plate numbers on its Street View service.478

472 Joined cases C-141/12 and C-372/12, YS e.a., ECLI:EU:C:2014:2081.

473 S. Wachter & B. Mittelstadt “A Right to reasonable interference: Re-thinking data protection law in the age of big data and AI” in Columbia Business Law Review 2 (2019), 29–50.

474 Article 29 Data Protection Working Party, “Opinion 4/2007 on the concept of personal data”, 01248/07/EN WP 136, p. 12.

475 Decision of the Finnish Data Protection Board (tietosuojalautakunta) 1/2010, dnro 2/932/2009. Borax had appealed the Commission decision. The Commission had refused to disclose audio tapes from a meeting held by the Commission and experts and industry representatives in the chemicals field. The Commission had refused access to the audio tapes based on Articles 4(1)(b) and 4(3) of Regulation 1049/2001.

476 For a more detailed analysis of the concept of personal data by the Article 29 Data Protection Working Party, see Opinion 4/2007 on the concept of personal data.

Another example of indirect identification is provided by the General Court’s decision in the Borax case.479 In this case, the Commission had refused to grant access to audio tapes on two grounds. Among other things, the Commission argued that the individuals on the audio tapes were identifiable even if their names were erased. Identification was possible as these particular individuals spoke different languages, had different accents and made references to their national context in the course of the discussion. Even though the General Court annulled the Commission’s decision, it did not differ from the Commission’s interpretation of personal data. The General Court simply stated that it does not suffice to establish that the exception relating to the protection of personal data is applicable in principle; it also has to be satisfied that the disclosure of the document would concretely, not only hypothetically, undermine the interests protected by the related exception of the Transparency Regulation.

The examples provided in this section illustrate that the concept of personal data is very wide indeed; dynamic IP addresses, licence plate numbers and audio tapes without name references to the voices played on the tape are all personal data.