PLEASE NOTE: Our website uses a technology called cookies to improve your experience. One of the cookies we use is essential for parts of the site to operate and may have already been set. You may delete and block all cookies from this site, but parts of the site will not work. For more information see our privacy policy.

To accept cookies from this site (and hide this notice) please check this box and click the continue button.

HomeThe IssuesOur ServicesOur TeamPublicationsTestimonialsNewsletterContact us

On the case - October 2007

October 2007

Exactly what is covered by the definition of "personal data"?


A recent opinion from Europe’s data protection Tsars (the Article 29 Working Party) will challenge widely held beliefs of what is – and what is not – personal data. It could have significant impact for European marketers.


The document notes that since the Durant case in 2003 (which established a narrow definition of personal data) there has been “some diversity in practice among Member States….which may affect the proper functioning of the existing data protection framework.” What this opinion does is to broaden the interpretation significantly covering a number of areas which had been presumed as excluded.


Several examples are given, many of which touch the day to day operations of direct marketers.


“In” are recordings of conversations in a call centre and data about non-corporate businesses (including email addresses). The concept is also extended to information from which an individual might be identified either directly or indirectly.


Some IP addresses would be covered too because, “web traffic surveillance tools make it easy to identify the behaviour of a machine and, behind the machine, that of its user. Thus, the individual’s personality is pieced together”.


The rule of thumb used to be, “if you don’t have a name, it’s not personal data” but marketers can no longer rely on anonymous or pseudonymous data being exempt because, "a person may be identified directly by name or indirectly by a telephone number, a car registration number, a social security number, a passport number or by a combination of significant criteria which allows him to be recognized".


Albeit that a company, itself, may not have the wherewithal to piece together an identity it may be possible to access such information relatively easily (by reference to directories or public data). The example given here is a list of house prices which could help estimate an individual occupier’s net worth.


For B2B marketers it’s also worth remembering that the definition has already been stretched by some Member States (Italy, Austria and Luxembourg) to give protection to data about legal persons (i.e. companies).


Even the dead are no longer automatically exempt because information about a dead person may tell you something about a living person (such as inherited medical conditions or even that family members might be beneficiaries).


Whilst the opinion is just that, an opinion, warning bells should be ringing for companies that have argued that their data is exempt.


Suddenly, it’s all got very personal.

Other recent items: