- Marie is a keen, if unsuccessful, blogger (with a very limited following) who writes mostly about online gambling. Marie’s most recent blogs want to dispel the myth that online gamblers are addicts. She describes a number of her friends (a reputable dentist living in the Kensington area, a journalist who has recently been nominated for a prestigious award, and a teacher in a primary school close to Marie’s home) and outlines how they use online gambling sites for multiple purposes, including socializing with other gamblers. Although Marie does not name these individuals, she is contacted by one of them and asked to edit her blog post to remove some of this information. She refuses and her friend complains to the Information Commissioner’s Office (ICO). When investigating, the ICO also realizes that Marie is an avid ‘Go-Pro’ user and posts her ‘Go-Pro’ footage, filmed all over London, on her blog.
Marie seeks your advice as to whether she is in fact processing personal data within the meaning of data protection law and, if so, whether there are any exemptions that she could invoke to avoid data protection regulation.
To answer this question I would expect the student to discuss in order:
- The first part of the question invites the student to discuss whether or not Mariella has processed personal data. This will involve a discussion of Bodil Lindqvist. Students should note that the CJEU, on facts similar to those of Mariella, found that processing did take place.
- The second part of the question invites the student to discuss the outcome of the Ryneš case.
- Both parts of the question are designed to make the student consider and discuss the household activity exemption. They should note that in Bodil Lindqvist the CJEU noted that “The act of referring, on an internet page, to various persons and identifying them by name or other means constituted the processing of personal data within the meaning of Art. 3(1) and that the processing of personal data such as that described in answer to the first question was not covered by any of the exceptions given in Art. 3(2).” They may also note that in Ryneš the court found that “The processing of personal data comes within the exception provided for in the second indent of Article 3(2) of Directive 95/46 only where it is carried out in the purely personal or household setting of the person processing the data. Accordingly, so far as natural persons are concerned, correspondence and the keeping of address books constitute, in the light of recital 12 to Directive 95/46, a ‘purely personal or household activity’ even if they incidentally concern or may concern the private life of other persons. To the extent that video surveillance such as that at issue in the main proceedings covers, even partially, a public space and is accordingly directed outwards from the private setting of the person processing the data in that manner, it cannot be regarded as an activity which is a purely ‘personal or household’ activity for the purposes of the second indent of Article 3(2) of Directive 95/46.”
- Students should consider whether the data would be classified as personal data under the Directive. This is determined by s.1 of the Data Protection Act. Essentially, to be personal data, it must be data related to a living individual who can be identified (a) from those data, or (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual. It seems clear that the data on her friends is personal data; however, this is less clear for data relating to individuals captured on her Go-Pro.
- In the current setting, the broad definitions of personal data, processing of personal data, and controller are likely to cover an unprecedented wide range of new factual situations due to technological development. The scope of EU data protection law is therefore too broad and should have been limited in the data protection reform process.
This is a very open-ended question and there are a number of ways to approach it. It asks students to address the material scope of the GDPR, which extends to “the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system”. Personal data extends to “any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person” (art.4(1)). Discussion of the Durant, Edem and Nowak cases helps to contextualise this, as does a discussion of content and purpose. Similarly, a discussion of the definitions of data controller and processor shows a wide scope, with data controllers being “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”; a discussion of Facebook Fan Page would be helpful here. Based on this, the question of whether the GDPR is overbroad may be carried out against the data protection principles to produce an evaluation and answer.