The European Court of Justice’s Key Decision Endorsing a Narrow Definition of ‘Personal Data’

Aug. 15, 2014, 4:47 PM UTC

The European Court of Justice (ECJ) July 17, 2014, issued a significant decision on the meaning of “personal data” in Joined Cases C-141/12 and C-372/12, YS v Minister voor Immigratie, Integratie en Asiel and Minister voor Immigratie, Integratie en Asiel v M and S. The ECJ’s decision suggests personal data should be limited to the facts and/or information necessary for the data subject to exercise his or her rights.

The decision, which broadly follows the ECJ Advocate General’s recent opinion on these cases (see analysis at WDPR, February 2014, page 15), endorses a narrower definition than previously advocated by some regulators, including the EU Article 29 Data Protection Working Party.

The decision’s most immediate impact is to limit the information that must be provided in response to a subject access request, although it will have wider ramifications as well.

Access to Immigration Files

The applicants made subject access requests to the Dutch immigration office for details of their immigration applications. The immigration office held a draft decision (a “minute”) for each applicant. The minute contains:

  • factual information about the application, being: “name, telephone and office number of the case officer responsible for preparing the decision; boxes for the initials and names of revisers; data relating to the applicant, such as name, date of birth, nationality, gender, ethnicity, religion and language; details of the procedural history; details of the statements made by the applicant and the documents submitted; the legal provisions which are applicable”; and


  • the legal analysis of the applicant’s case.

The immigration office used to provide applicants with a copy of the minute, but found this created a significant additional workload when applicants challenged its contents. It therefore adopted a policy of refusing to provide a copy of the minute, including in response to subject access requests. The applicants challenged this refusal, and the matter eventually came before the ECJ.

What Is Personal Data?

The key issue for the ECJ was whether the minute contained personal data.

Unsurprisingly, it found that factual data about the applicants, i.e., “name, date of birth, nationality, gender, ethnicity, religion and language”, was their personal data.

In contrast, the ECJ determined that the legal analysis, whilst it may contain personal data, was not itself personal data. In particular, it said:

  • The legal analysis “is not information relating to the applicant for a residence permit, but at most, in so far as it is not limited to a purely abstract interpretation of the law, is information about the assessment and application by the competent authority of that law to the applicant’s situation”; and


  • Providing access to the legal analysis would not assist the applicants to guarantee the protection of their personal data — i.e., to confirm their personal data is accurate or processed in a lawful manner or to exercise their rights to rectification, erasure or blocking. Instead, it would, in effect, provide a right to access to administrative documents, which is not guaranteed by the EU Data Protection Directive (95/46/EC).

However, this position is not absolute, and there may still be elements of personal data contained in the legal analysis, albeit the legal analysis as a whole is not personal data.

How Does This Decision Change Things?

The definition of personal data is a core part of EU data protection law. It determines the ambit of that law and the activities that fall inside or outside its scope. Accordingly, it has been considered on a number of occasions by both courts and regulators.

One of the more significant developments in this context was the Article 29 Working Party’s Opinion 4/2007 on the concept of personal data (WP 136). This advocated a four-stage test to determine what constitutes personal data, namely: 1) Is it information? 2) Does it relate to a person? 3) Is that person identified or identifiable? 4) Is that person a living individual?

The second question, whether the information relates to an individual, has been a controversial issue. The Article 29 Working Party’s opinion advocates a broad approach by reference to the information’s:

  • content — Is the information actually about an individual?


  • purpose — Is the information collected with the intention of evaluating, affecting or influencing a particular individual?


  • result — Is the use of that information likely to have an impact on that particular individual?

The ECJ’s decision casts significant doubt on the Article 29 Working Party’s analysis. For example, the legal analysis would clearly “result” in a significant impact on the individuals making the subject access request, as it could determine their immigration status. Equally, the “purpose” of the legal analysis is to affect or influence those individuals.

U.K. Gold Plating

The decision also has implications for the interpretation of the term personal data in the United Kingdom.

The leading U.K. decision in this context is Durant v Financial Services Authority [2003] EWCA Civ 1746, which suggested that, for information to be personal data, it must affect the individual’s privacy, whether personally or professionally, and that subject access rights should not be used as a proxy for litigation disclosure. A further gloss to this definition was added by the decision in Edem v Information Commissioner [2014] EWCA Civ 92, which suggested that the concepts in Durant were relevant only to borderline situations, and did not apply where information is “obviously” personal data (see analysis at WDPR, March 2014, page 11).

Durant has been extremely controversial, and was one of the reasons for the European Commission’s infringement proceedings against the U.K. for failing to properly implement the EU Data Protection Directive. It is therefore somewhat ironic to see the ECJ now issuing a decision that mirrors some aspects of Durant, such as the fact that subject access requests should not be used as a means to obtain access to administrative documents, and that the definition of personal data should be shaped by the context in which it is used — i.e., access should be limited to information needed to assist the individuals to ensure the protection of their personal data under the EU Data Protection Directive.

However, perhaps more ironic is the fact that U.K. data controllers may obtain limited benefit from this decision. In particular, the definition of personal data in the U.K. expressly includes “any expression of opinion about the data subject”, which is arguably wider than the equivalent definition in the EU Data Protection Directive. This could mean that the legal analysis is potentially personal data in the U.K., albeit likely to be exempt from disclosure in response to a subject access request because it is legally privileged.

Further Limits on Subject Access Rights

The ECJ also confirmed that it is not necessary to provide documents to those making subject access requests. Instead, it is permissible to provide a “full summary” of personal data that allows the individual to check it is accurate and processed in accordance with the EU Data Protection Directive and to exercise his or her rights.

The decision may have other implications for subject access requests and provide further grounds to push back against onerous or unreasonable search requests. For example, it is not uncommon for subject access requests to ask for very broad searches of e-mails. The decision provides some grounds to push back on such requests, on the basis that:

  • the e-mails are unlikely to contain many additional “facts” about the data subject. The other information in the e-mail is likely to be “assessment” or “application” of those facts to the data subject and therefore not personal data; and


  • any information uncovered is unlikely to help the data subject identify inaccurate information, to determine if his or her personal data is processed fairly or to exercise his or her rights (though this will depend on the facts).

The decision may also provide grounds to resist subject access requests made in the context of litigation. The ECJ expressly stated that the subject access right is not intended to allow access to administrative files, which, by analogy, would also suggest that the subject access right is not intended to be a proxy for disclosure.

Wider Implications

The wider implications of this decision remain to be seen, but the narrow approach to personal data taken by the ECJ is likely to be applicable in other circumstances as well.

It is also interesting to note that the ECJ has not adopted a broad definition of personal data, suggesting that its recent decisions in the Digital Rights Ireland case (Joined Cases C-293/12 and C-594/12) (see analysis at WDPR, May 2014, page 9) and the Google Spain case (C-131/12) (see analysis at WDPR, May 2014, page 4) do not indicate a one-way flow towards broader and stronger privacy rights.

Peter Church is an Associate in the London office of Linklaters LLP and a member of the World Data Protection Report Editorial Board. He may be contacted at peter.church@linklaters.com.
