Personal information is more than you think!

| April 8, 2015

A UK court recently ruled on what constitutes personal information in the landmark case Google v. Vidal-Hall. Malcolm Crompton says why this might be the most important Court judgment on privacy in years.

One of the most important court rulings on privacy in a long time has just been handed down by the England and Wales Court of Appeal: Google v. Vidal-Hall.

I have seen two articles about it that are very useful reads. One is “The European Privacy Judicial Decision of a Decade: Google v. Vidal-Hall” by Omer Tene, on which I comment below, and another is by Alexander Hanff, “UK Court of Appeal issues game changing judgment in Google Safari case” in IT Security, 27 Mar 2015.

The ruling has worldwide ramifications for all the reasons outlined by Omer Tene.

In particular, the judgment confirms the position I took as Privacy Commissioner and have held ever since on the wide interpretation of what constitutes personal information and on what constitutes harm.

While taken within the context of the EU data protection Directive, I am sure the ruling on what constitutes personal information will be picked up elsewhere.  After all, the US Federal Trade Commission in 2012 indicated it was taking a wider interpretation of what constituted personally identifiable information in the US context. The New South Wales Civil and Administrative Tribunal decision in Office of Finance and Services v APV and APW [2014] NSWCATAP 88 (21 November 2014) has also reaffirmed a wide interpretation.

Meanwhile the Privacy Commissioner of Australia is being asked to rule on whether metadata is considered to be personal information in the context of the complaint laid against Telstra by Ben Grubb. Indeed, during the course of this dispute and against the additional backdrop of the debate over the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2015, Telstra has already conceded that it will begin to make metadata available to individuals who ask for it. The Commissioner has yet to issue his decision on the complaint, but the direction in which the wind is blowing is obvious.

One of the biggest impacts will be on the targeted advertising industry. They have run an increasingly indefensible argument that they are not tracking individuals nor targeting them for reasons such as claiming that they are not dealing in personally identifiable information because they don’t know the name or because they are tracking a device not an individual.

There will also be knock on impact on other sectors including health which is struggling to deal with acceptable de-identification of health records so that they can be used for wider research and government wishing to ramp up its insight into individual and community behaviour from traffic management to better targeted financial assistance.

The impact of the judgment on what constitutes harm is just as great. While its impact beyond the EU may be more limited because it depends on the wording and intent of the European data protection Directive and the EU Charter of Fundamental Rights, the judgment ruled that emotional distress, or “moral damage,” is recoverable under privacy law. In the words of judges ruling on the case, “Since what the Directive purports to protect is privacy rather than economic rights, it would be strange if the Directive could not compensate those individuals whose data privacy had been invaded by a data controller so as to cause them emotional distress (but not pecuniary damage).”

Two extracts from the article by Omer Tene are particularly apposite:

The court conducted thorough analysis of the notions of identifiability, anonymization and pseudonymization, holding that “identification for the purposes of data protection is about data that ‘individuates’ the individual, in the sense that they are singled out and distinguished from all others. It is immaterial that the BGI does not name the user.”

Importantly, the court held that information that allows a company to identify an individual based on matching or aggregating with other information in its possession is personal, regardless of whether the company in fact matches or aggregates. In doing so, it discarded an argument often made by online providers that persistent identifiers single out a device as opposed to an individual user. Presaging the discussion of cross-device tracking, which has emerged at the center of privacy policy-making, the court holds that “the concept of ‘multiple users’ is, in effect, an outdated one. The general position is that devices are used exclusively by a single individual (smartphones and tablets, to take two examples). In practice this means it is typically possible to equate an individual device user with the device itself.”

And Tene’s conclusion:

One thing is clear: The Vidal-Hall case is a resounding declaration that privacy matters. On privacy skeptics, the UK court decision lands a knockout in three rounds; first in its (overdue) embrace of a privacy cause of action; second in its clarification of the definition of personal data in an age of big data and multiple connected devices and third in its expansion of the concept of compensable harm. If not overturned on appeal, Vidal-Hall, with its broad notions of privacy, harm and personal data, may portend a sea change in privacy jurisprudence, emboldening individuals and regulators in their quest to rebalance the data terrain.