Personal Data in Europe
According to Article 2 lit a) of the Data Protection Directive 95/46/EC any information related to an identified or identifiable individual (‘data subject’) is considered personal data. Legal entities such as governmental institutions and companies and their business secrets are not protected by the EU Data Protection Directive.
“’Identified’ individual means doubtlessly distinguishing this individual among a group of several persons. “Identifiability” opens up the possibility to distinguish an individual that has not been identified yet. Since the latter is the lower level in regard to the identification of an individual, it is to be considered as the threshold condition in regard to this element of the personal data definition.1 Identifiability in the sense of the Directive is given if the information conveys a connection to a particular physical person, no matter if this connection happens directly or indirectly, already took place or is still a mere possibility. Even statistical or thought to be anonymized data may become identifiable when combined.” (Marnau/Schlehahn, TClouds D1.2.2, page 7)
Personal datain the International Transfer of Data
Any information relating to an identified or identifiable natural person (“data subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity. Art. 2(a) of the Data Protection Directive. This definition is meant to be broad. The principles of protection must apply to any information concerning an identified or identifiable person. In order to determine whether a person is identifiable, account should be taken of all the means reasonably likely to be used either by the controller or by any other person to identify the said person. Some examples of “personal data” are a person’s address, credit card number, bank statements. See Opinion No 4/2007 on the concept of personal data issued by the Article 29 Working Party (WP 136).
Personal or Consumer data and the Public Sector Information
Personal data shall mean any information relating to an identified or identifiable natural person (so called ‘data subject’): an identifiable person is one who “can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity” (Article 2, a) of Directive 95/46/EC).
Processing of personal data and the Public Sector Information
Processing shall mean “any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction” (Article 2, b) of Directive 95/46/EC).
Since 2000, firms and companies operating across the Atlantic have used the US-EU Safe Harbor agreement as a means to lawfully transfer data concerning European Union citizens to the US. However, on October 6, the European Court of Justice (ECJ) ruled that the Safe Harbor agreement is invalid.
The EU Data Protection Act (DPA) attempted to ensure consistent protection of EU data by prohibiting the transfer of personal information to non-EU countries unless they meet the “adequacy” standard for privacy protection — and the US does not. Rather than crafting specific legal restrictions guaranteeing EU Data Protection Act compliance for every data transfer, many US firms adopted the US-EU Safe Harbor Framework, which was effectively an agreement to abide by the EU data protection principles irrespective of jurisdiction. This Safe Harbor agreement had been in effect since 2000; however, the US NSA leaks brought the whole US privacy position under severe scrutiny, with Safe Harbor being central to the analysis.
- Directive on the re-use of Public Sector Information (PSI Directive)