If you work in data protection, I bet you love questions like this:
I have some information which looks anonymous – but is it nonetheless ‘personal data’? (If it is, it saddles me with plenty of otherwise inapplicable legal duties blah moan). The test is whether there is a realistic prospect of someone being identified, but how do I apply that test? How do I tell whether the risk of someone being identified from this apparently anonymous information is sufficiently high?
And I bet you especially love questions like this:
I have some information which is anonymous in my hands: it would be absolutely impossible for me to identify anyone from this information. But someone else could – there is someone else who has the key which can unlock the identities behind this apparently anonymous (or pseudonymised) data. What now? Is it personal data or not?IP addresses are particularly good illustrations of this last sort of question. The internet service provider (ISP) is the one with the keys with which to identify the person behind the string of numbers. You might gather and hold IP addresses – for example of visitors to your website – but you yourself cannot identify anyone from that information. Personal data or not?
Thankfully, the CJEU is here to help (what would we ever do without it). Yesterday, it gave judgment in the case of Breyer v Bundesrepublik Deutschland (judgment is here Case C‑582/14; Anya’s post on the AG opinion is here). The primary issue in the case was whether the dynamic IP addresses (i.e. ones which change each time a device reconnects to the net) held by a German public authority in respect of visitors to its website amounted to personal data for the purposes of the Data Protection Directive.
Answer: yes.
But note the two stages in the CJEU’s analysis.
First, the ‘realistic prospect of identification’ test can be satisfied even if the keys to the identities are held by someone else. See paras 42-43:
“… recital 26 of Directive 95/46 states that, to determine whether a person is identifiable, account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the said person.
- In so far as that recital refers to the means likely reasonably to be used by both the controller and by ‘any other person’, its wording suggests that, for information to be treated as ‘personal data’ within the meaning of Article 2(a) of that directive, it is not required that all the information enabling the identification of the data subject must be in the hands of one person.”
Second, however, you need to consider not just the abstract possibility of identification. You also need to assess whether there is in fact a realistic causal chain which might lead to identification. See paras 45-46 (my emphasis on the words of the pivotal test):
“45. However, it must be determined whether the possibility to combine a dynamic IP address with the additional data held by the internet service provider constitutes a means likely reasonably to be used to identify the data subject.
- Thus, as the Advocate General stated essentially in point 68 of his Opinion, that would not be the case if the identification of the data subject was prohibited by law or practically impossible on account of the fact that it requires a disproportionate effort in terms of time, cost and man-power, so that the risk of identification appears in reality to be insignificant.”
So, apparently anonymous information you hold can still be personal data if someone else holds the keys to identification provided that, in reality, the risk of those keys being used (by anyone) to identify the underlying people is more than “insignificant”.
The analysis here is not groundbreaking, but Breyer is a very useful illustration of the identifiability principle under the DPA and the Directive.
Data controllers will probably welcome the CJEU’s nod to realism, but some may find the threshold (“more than insignificant”) a little low for comfort.
Robin Hopkins @hopkinsrobin