On the case - October 2007October 2007
Exactly what is covered by the definition of "personal data"?
A recent opinion from
The document notes that since the Durant case in 2003 (which established a narrow definition of personal data) there has been “some diversity in practice among Member States….which may affect the proper functioning of the existing data protection framework.” What this opinion does is to broaden the interpretation significantly covering a number of areas which had been presumed as excluded.
Several examples are given, many of which touch the day to day operations of direct marketers.
“In” are recordings of conversations in a call centre and data about non-corporate businesses (including email addresses). The concept is also extended to information from which an individual might be identified either directly or indirectly.
Some IP addresses would be covered too because, “web traffic surveillance tools make it easy to identify the behaviour of a machine and, behind the machine, that of its user. Thus, the individual’s personality is pieced together”.
The rule of thumb used to be, “if you don’t have a name, it’s not personal data” but marketers can no longer rely on anonymous or pseudonymous data being exempt because, "a person may be identified directly by name or indirectly by a telephone number, a car registration number, a social security number, a passport number or by a combination of significant criteria which allows him to be recognized".
Albeit that a company, itself, may not have the wherewithal to piece together an identity it may be possible to access such information relatively easily (by reference to directories or public data). The example given here is a list of house prices which could help estimate an individual occupier’s net worth.
For B2B marketers it’s also worth remembering that the definition has already been stretched by some Member States (
Even the dead are no longer automatically exempt because information about a dead person may tell you something about a living person (such as inherited medical conditions or even that family members might be beneficiaries).
Whilst the opinion is just that, an opinion, warning bells should be ringing for companies that have argued that their data is exempt.
Suddenly, it’s all got very personal.
Other recent items: