On 18 July 2022, the Government published the Data Protection and Digital Information Bill with an ambition to reform certain aspects of the current data protection legislation and provide clarity around the use of personal data to benefit both businesses and users.
In this article, we aim to explore the proposed modification to one of the core elements of data protection legislation – the definition of ‘personal data’. We will analyse the implications of the proposed modification and their impact on the overall scope of application of the UK General Data Protection Regulation (“UK GDPR”) and Data Protection Act (“DPA”) 2018.
As a starting point, it is imperative to understand the current definition of personal data under data protection legislation. According to Section 3(2) of the DPA 2018, personal data is “any information relating to an identified or identifiable living individual”, and Section 3(3) of the 2018 Act characterises an ‘identifiable living individual’ as “a living individual who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data or an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.”
The proposed Bill seeks to include a new Section 3A to the DPA 2018, which will inform how this definition should be interpreted. Information will only constitute “information relating to an identifiable living individual”, as per the new provision, in the two following cases:
- where the living individual is identifiable by the controller or processor by reasonable means at the time of the processing, and
- where the controller or processor knows, or ought reasonably to know, that—
  - another person will, or is likely to, obtain the information as a result of the processing, and
  - the living individual will be, or is likely to be, identifiable by that person by reasonable means at the time of the processing.
The proposal seems to limit the otherwise broad concept of “personal data” and, in doing so, reduce the scope of application of the UK GDPR and the DPA 2018, by substantially changing the test applied to determine whether an individual is identifiable.
Under the UK GDPR, the identifiability test is established in Recital 26, which provides as follows: “To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly.”
Whilst distinguishing between identifiability carried out by “the controller” and that carried out by “another person”, the test in both instances involves an assessment of “all the means reasonably likely to be used” by them to identify individuals.
The notion of all the means reasonably likely to be used by the controller was interpreted by the Court of Justice of the European Union (“CJEU”) in its 2016 decision in Patrick Breyer v Bundesrepublik Deutschland (C-582/14).
In this case, the Court was asked to decide whether dynamic IP addresses registered by online media services constituted personal data if the additional information necessary to identify the user of a website was not held by the online media services provider, but rather by the internet service provider. The Court held that the identifiability test involved determining whether the possibility to combine a dynamic IP address with the additional data held by the internet service provider constitutes a means likely reasonably to be used to identify the data subject. In the specific case, the identification of individuals was not prohibited by law or practically impossible (by requiring a disproportionate effort in terms of time, cost and man-power). Rather, because it was legally possible, under German law, for the online media services provider to identify individuals with the assistance of others (competent authority and internet service provider), the Court concluded that a dynamic IP address constituted personal data.
Since the Breyer case, “all the means reasonably likely to be used” by the controller has been interpreted as the factual or legal possibility, taking into account the context of each case, that the controller obtains access to additional data held by another person in order to identify individuals. Where, as mentioned, obtaining this additional data is prohibited by law or practically impossible for the controller (by requiring a disproportionate effort in terms of time, cost and man-power), the information could potentially fall short of the definition of personal data.
The notion of all the means reasonably likely to be used by another person has also been the object of interpretation. Tests such as the “motivated intruder test” have over time been proposed by certain supervisory authorities, including the Information Commissioner’s Office (“ICO”), to help assess the identifiability risk by ascertaining whether an intruder would be able to achieve identification if they were motivated to attempt it. The motivated intruder test is essentially a foreseeability exercise through which the controller needs to assess the risk of re-identification posed by individuals who may have the motives to attempt identification, the means to succeed and the intent to use the data in nefarious ways.
The Bill introduces a new element to the identifiability by another person test: the element of knowledge. The provision seeks to limit identifiability by another person to instances where the controller or processor knows or ought reasonably to know that another person will obtain the information about an individual as a result of the processing and that the individual will be, or is likely to be, identifiable by that person by reasonable means at the time of the processing.
Although it could still be technically possible to reconcile the foreseeability exercise deriving from the motivated intruder test with the “ought reasonably to know” element included by the new Bill, the use of such subjective terms is undesirable when addressing concepts such as “personal data” that go to the heart of the data protection legislation and inform its scope of application. Whilst it is uncertain at this point how this subjective element will be interpreted, it remains a possibility that discussions about whether the controller or processor knows or ought reasonably to know that another person will obtain information and identify individuals could pose an obstacle to the application of the UK GDPR and DPA 2018, ultimately reducing the level of protection afforded to data subjects.
However, the most significant curtailment to the identifiability test, with respect to both “the data controller” and “another person”, arguably stems from the proposed Bill’s attempt to limit the risk assessment to the time of the processing, which would radically depart from the current model adopted under the UK GDPR. As it currently stands, the aforementioned Recital 26 of the GDPR provides that: “To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments.”
The identifiability test, which under the UK GDPR is a continuous exercise and requires controllers to periodically review their assessment, would become instantaneous and limited to the time of processing. As a consequence, data which would potentially be regarded as personal data due to the risk of identification posed by technological developments might now be deemed outside the scope of application of data protection legislation. Whilst making it easier for controllers to achieve anonymisation, this appears to come at the expense of the protection afforded to data subjects, by precluding the controller’s liability in the future, beyond their current processing of data.
In conclusion, although topics like legitimate interest, rights of data subjects and international transfers of data have received far greater attention from commentators on the proposed Data Protection and Digital Information Bill, further attention must be devoted to the proposed amendment to the identifiability test, which will impact the definition of personal data, the scope of application of data protection legislation and the protection afforded thereby.