Since 1981, when the Council of Europe opened for signature its Convention for the Protection of Individuals with regard to the automatic processing of personal data, Europe has been developing policies, legislation and jurisprudence in the field now broadly known as data protection.
Previously, the OECD’s 1980 Guidelines governing the protection of privacy and transborder flows of personal data had defined “personal data” as meaning “any information relating to an identified or identifiable individual”. In the Explanatory Memorandum to its Guidelines adopted in 1980 the OECD set out detailed comments on the definitions in the Guidelines and stated that “in principle, personal data convey information which by direct (e.g. a civil registration number) or indirect linkages (e.g. an address) may be connected to a particular physical person”. There is no further elaboration in these comments on the meaning of “related to” or any suggestion that information so linked should be excluded from the meaning of “personal data” on the grounds that the information in question does not compromise an individual’s privacy.
Broadly, the OECD’s definition of “personal data” was adopted in the Council of Europe’s 1981 Convention, the European Communities’ Directive 95/46 and the UK’s Data Protection Act 1998 which transposed that Directive into UK law.The definition of “personal data” as “any information relating to an identified or identifiable natural personal”, in the context in which it appears in Directive 95/46, is fundamental to the scope of Community, and so of current UK, data protection law.Information or data which do not fall within the Directive’s definition of “personal data” are, broadly, not affected either by the Directive or by the greater part of the UK’s Data Protection Act 1998 and its associated subordinate legislation. The meaning of “personal data” is accordingly central to the whole European, and so the UK’s, concept of data protection.
In Durant v FSA the Court of Appeal considered the significance of the term “relating to”, as it appears in Directive 95/46’s definition, by reference to the Shorter Oxford English Dictionary’s two alternative meanings given to “relate to”. The first of these meanings, “have a reference to, concern”, implies a more or less direct connection with an individual and the second, “have some connection with, be connected to” is much broader. The Court of Appeal preferred the first, narrower, meaning and went on to conclude that not all information retrieved from a computer search against an individual’s name or unique identifier should be classified as “personal data”.
The Court of Appeal also considered the meaning of the term “relevant filing system” as defined in the Data Protection Act 1998, Section 1(1). This difficult definition, derived from the Directive’s definition of “personal data filing system”, is important in relation to the application of the data protection regime to manual files only, but is not so fundamental as the definition of “personal data”.
To define “personal data” restrictively is to limit the scope of data protection at large, both in respect of automatically processed data and in respect of data held in manual files, and so is of key importance. It is also at variance with the Information Commissioner’s earlier guidance on interpretation of the term “personal data”. It thus goes to the heart of data protection law and substantially affects its scope and application.
Part of the Court of Appeal’s reasoning for its restricted interpretation of the meaning of “personal data” is related to the purpose of the Council of Europe’s 1981 Convention and of the Directive’s intention, recognised by the Court of Appeal as faithfully reproduced in the 1998 Act, to enable an individual to obtain from a data controller’s filing system, whether computerised or manual, his personal data, that is, information about himself and to check whether the data controller’s processing unlawfully infringes the individual’s right to privacy.
Although privacy is referred to in the 1981 Convention and in Directive 95/46, there is no explicit reference to, or mention of, privacy in the Data Protection Act 1998. The House of Lords has recently held that the concept of privacy is not a free-standing right recognised and protected by English law, but rather an underlying value of the same kind as freedom of speech. Privacy is notoriously difficult to define, and so a test based on the protection or alternatively infringement of privacy as determining whether or not given data are of such a kind as to be personal data for the purposes of the Data Protection Act 1998 may be difficult to apply.
Before the Court of Appeal’s judgment in Durant it had been assumed generally that “personal data” meant all data relating to an identifiable living individual and that “relating to” was to be broadly interpreted as “about” or “concerning” and “of concern to” that individual. The narrowing of that interpretation by the Court of Appeal restricts not only the scope of subject access under Section 7 of the Data Protection Act 1998 but also, broadly, the whole scope of that Act: this is a direct consequence of restricting the kinds or classes of information which may be included within the meaning of “personal data”. The Court of Appeal’s judgment reduces the burden on data controllers in the UK by restricting the classes of information which they are required to treat as personal data but it also reduces the rights of individuals.
The judgment also risks being in potential conflict with the data protection laws of other EU Member States, where courts may have conflicting interpretations under their respective national laws. The Court of Appeal has not referred the interpretation of “personal data” under Directive 95/46 to the European Court of Justice, with a view to establishing a common understanding of the term within the EEA under the authority of that court. There may now be uncertainty about the interpretation of the term “personal data” by other Member States’ national courts, with consequent risks of disharmony and resulting effects on flows of personal data within the European Economic Area.
The Court of Appeal’s Decision in Durant v FSA
Mr Durant was in dispute with Barclays Bank and made a complaint to the Financial Services Authority (FSA). He made a subject access application to the FSA, which refused to disclose to him certain records held by the FSA in manual files relating to Mr Durant’s complaint. Mr Durant applied unsuccessfully to the Edmonton County Court for an Order that the FSA disclose the files sought, and appealed from that decision to the Court of Appeal. His appeal was ultimately rejected on the basis that the information which he sought was not “personal data” and that the manual files in which the information was held were not “relevant filing systems”.
Lord Justice Auld, giving the lead judgment in the Court of Appeal, considered the legislative purposes of the Data Protection Act 1998 and of Directive 95/46 in the light of the antecedent 1981 Council of Europe Convention. In particular, he examined the meaning of “personal data” as defined both in Directive 95/46 and in the Data Protection Act. He also considered the nature of the information held in the FSA’s manual files.
He paid particular attention to the personal data issue, referring back to Article 2(a) of the 1981 Convention which defined “personal data” as “any information relating to an identified or identifiable individual”. This definition was carried forward in substantially similar form into Article 2(a) of Directive 95/46 and again into Section 1(1) of the Data Protection Act 1998.None of these definitions expanded on the meaning of “relating to” in this context.
Submissions to the Court of Appeal on the FSA’s behalf referred to the Shorter Oxford Dictionary’s alternative definitions of “relate to” as either “having reference to, concern” or more broadly “having some connection with, be connected to”. Of these Auld LJ preferred the first, which was more restricted: in this context, he referred to a dictum by Lord Hoffman, in relation to a prosecution under the Data Protection Act 1984 in R v Brown, where he described personal data as “data concerning a living individual”. Auld LJ considered the intention of the Directive, which he described as faithfully reproduced in the Data Protection Act 1998, as being to enable an individual to obtain from a data controller’s filing system, whether computerised or manual, the individual’s personal data, that is, information about himself. This was not, he said, an entitlement to be provided with original or copy documents as such but, as Section 7(1)(c)(ì) and Section 8(2) of the 1998 Act make clear, to be provided with information constituting personal data in intelligible and permanent form. This information was to be redacted (i.e. edited) if necessary to remove matters which did not constitute personal data and/or to protect the interests of other individuals under Section 7(4) and Section 7(5) of the 1998 Act. Auld LJ identified the purpose of Section 7 as entitling an individual to have access to information in the form of his “personal data” in order to enable him to check whether the data controller’s processing of that information unlawfully infringed the individual’s privacy. It was not an automatic key to any information, readily accessible or not, or of matters in which the individual may be named or involved.
Auld LJ went on to say that whether or not any particular information amounts to “personal data” depends on where it falls in a continuum of relevance or proximity to the data subject, as distinct from, say, transactions or matters in which the data subject may have been involved to a greater or lesser degree. There were two notions which Auld LJ considered to be of assistance: the first was whether the information was biographical in a significant sense, that is going beyond the recording of the data subject’s involvement in a matter or an event that has no personal connotations, a life event in which his privacy could not be said to be compromised. The second was one of focus: the information should have the data subject in its focus rather than some other person with whom the data subject may have been involved on some transaction or event in which he may have figured or in which he may have had an interest, for example, as in that case an investigation into some other person’s conduct that he may have instigated.
Auld LJ then considered the meaning of “relevant filing system” and related issues but these were subsidiary to the “personal data” issue.If readily accessible specific information held in a relevant filing system was not “personal data” then, whether or not the file in question was computerised or manual, the information would not be accessible within the terms of Section 7. Such information would also not be subject to the data protection principles or to most of the remaining provisions of the 1998 Act.
Lord Justice Buxton, in his shorter supporting judgment, elaborated on the purpose of the Directive as being to protect privacy, so that only information relating to Mr Durant could be within the Directive’s protection. In his view, the information sought by Mr Durant related not to him but to a complaint made by him to the FSA. It was therefore not personal data.
The Information Commissioner’s Responses to the Judgment
In December 2003, shortly after the Court of Appeal’s judgment in Durant had been given, the Information Commissioner issued an early comment on the judgment welcoming the Court of Appeal’s guidance on the meanings of “personal data” and “relevant filing system” and also welcoming the Court of Appeal’s recognition of the fundamental link between data protection and privacy rights.
The Commissioner issued a fuller Guidance Note in early February 2004 focusing on:
· what makes data “personal” within the meaning of “personal data” and
· what is meant by a “relevant filing system”
As to the first of these concerns, the Commissioner gave the following examples of “personal data” as being within the Directive’s, and the Data Protection Act’s, definition of that term, namely:
· information about the medical history of an individual;
· an individual’s salary details;
· information concerning an individual’s tax liabilities;
· information comprising an individual’s bank statements; and
· information about individuals’ spending preferences.
These types of information were to be contrasted, said the Commissioner, with the following examples of information which would not normally be personal data:
· a mere reference to a person’s name where the name was not associated with any other personal information;
· incidental mention in the minutes of a business meeting of an individual’s attendance at that meeting in an official capacity;
· where an individual’s name appeared on a document or e-mail indicating only that it had been sent or copied to that particular individual, the content of that document or e-mail would not amount to personal data about the individual unless there was other information about the individual within it.
The Commissioner’s Guidance went on to examine the manual file issues raised by the Court of Appeal’s judgment and pointed out the different rules which apply to “accessible records” under Section 68 of the Data Protection Act 1998. He also pointed to the fact that the Freedom of Information Act 2000, when it comes into force in 2005, will amend the Data Protection Act 1998 so as to expand the meaning of “data”.
The Commissioner said that, when information was held in a system using individuals’ names as file names, the system may not qualify as a “relevant filing system” if the file was not structured so as to allow the retrieval of personal data without leafing through the file, for example if the file was structured in purely chronological order and had no index or other system allowing the retrieval of personal data. Such files would be “relevant filing systems” if they were subdivided or indexed to allow retrieval of personal data without a manual search, as for example in relation to sickness, absence, or other content details. The Commissioner concluded that, following the Durant judgment, very few manual files would be covered by the Data Protection Act.
The European Law
The Court of Appeal, in its Durant judgment, has stressed the importance of privacy as an essential element in data protection, and the Commissioner has welcomed reiteration of this link.
Recital 2 of Directive 95/46 refers to the need to respect for fundamental rights and freedoms, notably the right to privacy, of natural persons. Similar expressions appear in Recitals 10 and 11 and in Article 1(1), which requires Member States to protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data.
Article 2(a) defines “personal data” as meaning “any information relating to an identified or identifiable natural person”.
In Durant the Court of Appeal referred to the European Court of Justice’s judgment in Lindqvist. This was a decision in response to a reference from a Swedish court relating to the posting of personal data to a website accessible through the internet from third countries outside the EEA. In response to questions referred by the Swedish court for a preliminary ruling, the ECJ held that:
· the term “personal data” used in Article 3(1) of Directive 95/46 covers, according to the definition in Article 2(a), any information relating to an identified or identifiable natural person. The ECJ said that the term undoubtedly covers the name of a person in conjunction with his telephone co-ordinates or information about his working conditions or hobbies. The remaining comments by the ECJ on this issue are directed to the nature of processing rather than the meaning of the term “personal data”;
· as to whether it is permissible for a Member State to provide for greater protection for personal data or a wider scope than is required under Directive 95/46, the ECJ replied that the Directive is intended, as appears from its eighth Recital, to ensure that the level of protection of the rights and freedoms of individuals with regard to the processing of personal data is equivalent in all Member States. The ECJ points out that the tenth Recital in the Directive adds that the approximation of the national laws applicable in this area must not result in any lessening of the protection they afford but must, on the contrary, seek to ensure a high level of protection in the Community. Measures taken by the Member States to ensure the protection of personal data must be consistent both with the provisions of the Directive and with its objective in maintaining a balance between freedom of movement of personal data and the protection of private lives. However, says the ECJ, nothing prevents a Member State from extending the scope of its national legislation implementing the provisions of the Directive to areas not included in its scope provided that no other provision of Community law precludes it.
Other than references to the protection of privacy, which references are not specific in relation to the meaning of “personal data”, there is nothing in the ECJ’s judgment which suggests that a Member State may cut down provisions of the Directive. While the ECJ makes clear that the mention of a person’s name or telephone number is within the Directive’s definition of “personal data” it is difficult to see how the judgment may be read as justifying a restrictive interpretation of that term. The judgment stresses the importance of Member States’ conforming to the Directive’s requirements as a minimum in order not to create barriers to the free transfer of personal data between Member States.
The Recitals to and Articles of Directive 95/46 are consistent in referring to fundamental rights and freedoms, notably the right to privacy. There is nothing in the Directive, beyond reference in the Recitals to the European Convention on Human Rights, to suggest that the Directive’s definition of “personal data” as meaning any information relating to an identified or identifiable natural person should be construed restrictively by reference to the right to privacy. The ECJ has said in its judgment in Lindqvist that a Member State may extend its national protections beyond the Directive’s provisions, but has not suggested that such provisions may be restricted or that a purposive or restrictive interpretation of the Directive’s definition of personal data may be made by reference to the European Convention on Human Rights and the right to privacy under Article 8 of the Convention.
The Marleasing principle requires the courts of EU Member States to interpret their respective national laws so as to conform to the clear terms of Directives and the ECJ has held that Member States which fail to do so may be obliged to compensate their citizens who suffer loss in consequence of failure to do so.
The Data Protection Act 1998
The Court of Appeal has found that the Data Protection Act 1998 faithfully transposes the provisions of Directive 95/46 into UK law. The Data Protection Act itself makes no reference to privacy. The Court of Appeal’s judgment in Durant refers back to the Directive and the 1981 Convention as the basis for applying a purposive and restrictive interpretation of the term “personal data” by reference to the objective of protecting privacy.
The Human Rights Act 1998 imports into UK law the Convention rights under the European Convention on Human Rights, including the Article 8 right to respect to the private life, and requires the courts to interpret UK statutes, including the Data Protection Act 1998, in a way which conforms to the Convention rights. The European Communities Act 1972 gives precedence to European Community law over UK statute and common law, to the extent that any issue before a UK court is within the competence of the European Union.
There is accordingly double statutory authority for UK courts to have regard both to Directive 95/46 and to the European Convention on Human Rights in interpreting and applying UK national law, notwithstanding the absence of any reference to privacy in the Data Protection Act, and notwithstanding the House of Lords’ judgment, in Wainwright and Wainwright v Home Office, that English common law does not recognise or protect any free-standing right to privacy. A UK court is required and entitled to apply clear provisions of European law and to follow the jurisprudence of the ECJ in cases which engage the subject matter of Directive 96/46. When doing so, they may adjudicate on issues which may later come before either the ECJ or the European Court of Human Rights, but may reach conclusions with which those courts may not agree.
There is a possibility that the restrictive interpretation of the term “personal data” given by the Court of Appeal in Durant may not be adopted by the courts of other EEA States, with a risk of disharmony as between UK law and the laws of other Member States. This, in turn, may result in restrictions being sought to be imposed by those States on flows of data to other Member States on the basis that different interpretations are applied by the courts of those States to the term “personal data”, which is key to the European Union’s statutory scheme for harmonising data protection laws within the EEA.Any restriction on the free flow of personal data between Member States would be in contravention of Article 1(2) of Directive 95/46.
As to interpretation of the Data Protection Act 1998, if it is accepted that the Court of Appeal’s restrictive interpretation of the term “personal data” is justified by an implied limitation to data which are either biographical or focused on the prospective data subject it is difficult to see why some of the exceptions provided for under Schedule 7 to the Data Protection Act 1998 are necessary or appropriate, in particular the exceptions given for management forecasts etc (paragraph 5), in relation to corporate finance (paragraph 6) and in relation to negotiations with a data subject (paragraph 7). These exceptions would hardly be necessary if the information covered by them was outside the scope of the data protection regime under the Act as not being either biographical or focused on the prospective data subject, and so not “personal data”. In that case, the information sought, not being personal data, would be outside the scope of the Act and would not be required to be disclosed even though the information was of concern to the prospective data subject.
A more important consequence of excluding from being “personal data” information relating to an identifiable individual, where the information is neither biographical nor focused on the individual, would be to exclude such information from the obligations of fair and lawfully processing under the first data protection principle even though the information may be of concern to that individual. This right applies to all processing (as widely defined under Directive 95/46 and under the Data Protection Act 1998) of information relating to an identifiable individual. It has been read as a fundamental right of the kind referred to in Directive 95/46 not limited to concepts of privacy and as attaching to all information relating to and concerning, in the sense of being of concern to, an identifiable individual. By linking data protection to privacy in a restrictive way this consumer-type fundamental right of individuals will be substantially cut down in the UK.
The Court of Appeal’s judgment in Durant, and in particular its restrictive interpretation of the meaning of “personal data” both under Directive 95/46 and under the Data Protection Act 1998, introduces a factor which is novel and which, in the UK, substantially curtails the scope of the 1998 Act and the elaborate scheme of subordinate legislation under it.
The Court of Appeal’s judgment has been welcomed as clarifying the 1998 Act and in particular as cutting down the burdens which the Act places on data controllers in relation to subject access. At the same time, the decision cuts down the rights of data subjects and the extent to which the 1998 Act’s scheme affects the processing of information which may be of concern to individuals but which is not either biographic or focused on them.Will this restrictive interpretation of “personal data” be adopted by the courts of other EEA States? Will it be endorsed by the European Court of Justice? May disharmony result between the laws of the UK and the laws of other EEA States as to the scope of national laws, and may attempts thereafter be made to restrict flows of personal data within the EEA? Could the UK become a data haven of the kind that the Council of Europe’s 1981 Convention was aimed at countering, as providing a less protective jurisdiction to which data relating to identifiable individuals may be transferred and thereafter treated as outside the scope of UK data protection law? May such data then be transferred from the UK to third countries without regard to the restrictions imposed on such transfers under Article 25 of Directive 95/46?
These possibilities apart, it is not clear that the Court of Appeal’s interpretation of “personal data” does not itself raise new and difficult issues of interpretation depending on the nature of particular items of information, and the manner in which and purposes for which they may have been obtained or may be used. The broader interpretation of “related to” individuals, which the Court of Appeal has rejected, would have included all, or almost all, information linked to an identifiable individual.In his recent post-Durant guidance the Information Commissioner has suggested examples which would no longer be personal data. While these are examples only, they beg the question of whether privacy, a right not recognised by English law or referred to in the Data Protection Act, has been infringed. While applying a broad definition inclusively to all information linked to an identifiable individual is simple, leaving the numerous exemptions allowed by Directive 95/46 and the Data Protection Act 1998 to be applied, applying a difficult and restrictive interpretation of “personal data” to a wide variety of information linked to identifiable individuals may create more difficulties than it solves. To take the Commissioner’s example of attendance at a meeting in an official capacity as not being “personal data”, the fact of attendance may be of concern to an individual as identifying that individual with a given course of action or as denying that individual’s presence at another place. The receipt of an e-mail may also be of concern, depending on the nature, content and sender of the e-mail.In many other cases, the need to examine the nature and content of information, its source, its purposes, its likely effect and its intended use or disclosure may put on data controllers a greater burden of interpretation than the previously accepted broad understanding of the meaning of “personal data”.
In British Horseracing Board v William Hill, the Court of Appeal referred to the ECJ questions about the interpretation of the Database Directive with a view to obtaining preliminary rulings on interpretation of provisions of that Directive from a court with EEA-wide jurisdiction.Such rulings would be binding on all Member States and could then be applied by those States’ respective courts to establish a harmonised EEA jurisprudence. That course has not been taken here.
First published in Computer Law and Security Report Vol 20 no. 3 2004.
 See Directive 95/46 Article 2(a)
  EWCA Civ 1746
 transcript para 25
 Ibid para 26
 Ibid para 27
 Wainwright and Another v Home Office  UKHL 53
 1986 1 All ER 545
 Judgment para 26
 Ibid para 28
 paragraphs 78, 79 and 80
 Case C-101/01
 Marleasing SA v La Comercial Internacionale de Alimentacion SA Case C-106/89  ECR 1-4135
 Francovich v Italian State ECJ Case C-6/90 1991 ECR 5357
 Durant v FSA para 26
 See, in particular, paras 78 et seq (Buxton LJ)
  UKHL 53
  EWCA Civ 1268