What’s covered and what’s not
In this fourth podcast about the General Data Protection Regulation that becomes law in the European Union (EU) on May 25, 2018, we ask what personal data are covered by the GDPR and what are not. The GDPR defines personal data very broadly. But it is not an all-encompassing effort to protect all personal data from every conceivable use or misuse.
“Personal data” is defined by Article 4.1 as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.” This defines personal data to include relatively non-sensitive information such as a phone number or email address, as well as more sensitive information such as biometric, genetic and other information about a person.
The GDPR does not protect the data of legal entities. Only personal data of natural persons are addressed. Business, non-profit organization and government data are not covered. (Recital 14) Only data that relate to an identified or identifiable natural person are regulated by the GDPR. (Article 4.1)
Articles are the text of the Regulation, and Recitals are the expression of intent, akin to administrative history and explanation. Recital 14 has the intriguing statement, “This Regulation does not cover the processing of personal data which concerns legal persons….” But what is personal data “which concerns legal persons?” This does not mean that legal entities that hold personal data can ignore the GDPR entirely by claiming that the personal data of individuals that they collect and process “concern” the legal entities. Instead, the data of and about legal entities are not “personal data” at all, according to the Article 4 definition of personal data, so long as the data do not consist of information that identifies a natural person. For example, the financial statements of a business are not personal data, but a database of its employees and their healthcare records certainly is.
A second broad exception is that the GDPR does not govern personal data used “by a natural person in the course of a purely personal or household activity.” (Article 2.2.c) So, people who keep personal data for their own private purposes need not comply with the GDPR. That does not, however, exempt businesses that collect or process information from persons who use the data for their own private purposes, because organizations are not natural persons. (Recital 18)
Several organizational types are exempt from complying with GDPR rules to the extent that their societal function demands it by EU or member state law. For example, courts must gather, collect, process and publish names and details about people involved in judicial proceedings, and so the GDPR does not dictate or control how courts act in their judicial capacity. (Recital 20) Member state organizations are free to protect national security and do other things that “fall outside the scope of Union law,” such as carrying out foreign and security policies of the EU, without having to comply with the GDPR’s controller and processor rules. (Recital 16) Article 23 lists numerous subjects for which the EU itself or a member state can restrict the application of GDPR rules.
Anonymous data enjoy a wholesale exception. Anonymous data are data incapable of identifying an individual. (Recital 26) But pseudonymous data are covered, though recognized as posing a low risk of being abused. (Article 4.5, Recital 28) The difference is that pseudonymous data can be traced back to the individual involved, whereas anonymous data cannot.
The personal data of deceased persons are not covered, but member states can have their own laws about dead people and their post-mortem privacy. (Recital 27)