The EC Article 29 Data Protection Working Party, set up under Article 29 of the Data Protection Directive (94/46/EC) as an independent advisory body on data protection and privacy issues, has published an opinion which attempts to summarise the "common understanding of the concept of personal data" in the EU member states, and the manner in which national data protection legislation should be applied. The Opinion is not binding, but is intended to provide a basis for consistent interpretation of the Directive throughout the EU.

The leading authority on the interpretation of "personal data" in the UK is the English Court of Appeal case of Durant v Financial Services Authority of December 2003. The court construed "personal data" narrowly, holding that there are two factors affecting whether information is "personal data": (1) whether the information relates to the individual in a way which might affect his personal or business privacy; and (2) whether the information has the data subject as its focus and is information of a biographical nature.

The UK received a letter of notice in 2004 from the European Commission setting out five areas of concern with regard to its application of the Directive. It is thought that one aspect of concern was in relation to the UK's restrictive interpretation of "personal data".

The Opinion calls for a wide interpretation of the term "information", regardless of its nature or the technical format in which it is presented. It also emphasises that a number of factors need to be taken into account when establishing whether an individual can be identified from the information held by the data controller. However, it is the Working Party's view of how information may "relate" to an individual that differs most from the UK approach. It can be sufficient that the individual can be treated differently, that certain interests may be affected, regardless of whether they have a "major impact". This illustrates the Opinion's relatively broad approach, which may affect the rigidity of the boundaries set by Durant. UK data controllers could therefore see the UK courts interpreting their obligations more onerously in the future.

Good Practice Note on Personal Information Through Websites

Whilst there is potential uncertainty regarding personal data, the UK Information Commissioner's Office (ICO) has in the meantime updated its Good Practice Note on collecting personal data through the use of websites. The Note underlines the applicability of fundamental data protection obligations and outlines the requirements upon website operators collecting personal data directly from individuals to process information fairly and to inform individuals of how it will be used. This article provides a brief overview of the ICO's recommendations.

For all purposes other than strictly personal ones, website operators must notify users where their personal data is processed and outline how the information will be used. A privacy notice or statement on the website is recommended, informing the individual of the exact usage of their personal information. However, a 'privacy statement' link, outlining a privacy policy, is insufficient – at least some basic summary of how the information will be used must be provided. Where access to a site is gained through a direct hyperlink rather than a home page, the information must be provided at any point on the site where personal information is collected.

The Note also considers the specific implications of online programs. The use of scavenging-type programs to collect data is noted as likely to breach the Act unless the data is then used for the same purposes as was intended when it was provided. Operators are also obliged to inform visitors to their site whether a cookie or other relevant tracking system is in operation and must provide an opportunity to refuse continued use.
