Material scope of EU data protection law

Langley’s human computers at work (Photograph published in Winds of Change, 75th Anniversary NASA publication (page 48), by James Schultz) (1947) — NASA Commons DESCRIPTION: In the terminology of that period, ‘computers’ were employees typically female that performed mathematical computations

GENERAL RULE

As a general rule, all computerized processing of personal data is within the material scope of EU data protection law and all entities are required to abide by it (including not-for-profits, public entities, and private organizations regardless of their size).

Article 2 (1) of GDPR defines the material scope of EU data protection law as follows:

“This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.”

There are three interconnected building blocks that this article will analyze separately:

  1. ‘Computerized’ (which under EU data protection law goes beyond information in electronic form to include ‘filing systems’)
  2. ‘Processing’ of
  3. ‘Personal data’

FIRST BLOCK: What constitutes ‘computerized’ under EU data protection law?

Early “computers” at work, summer 1949 — NASA on The Commons. The late 1940s saw increased flight activity, and more women computers were needed. A call went out to the NACA Langley, Lewis, and Ames laboratories for more women computers. Pictured in this photograph with the snowman are some of the women computers who responded to the call for help in 1948 along with those who were already there. Standing left to right: Mary (Tut) Hedgepeth, from Langley; Lilly Ann Bajus, Lewis; Roxanah Yancey, Emily Stephens, Jane Collons (Procurement), Leona Corbett (Personnel), Angel Dunn, Langley.

The scope of EU data protection law expands beyond information in electronic form to cover processing of personal data in two ways:

  1. personal data processed wholly or partly by automated means (that is, information in electronic form); and
  2. personal data processed in a non-automated manner which forms part of, or is intended to form part of, a ‘filing system’ (that is, manual information in a filing system).

By expanding beyond data in electronic form, GDPR prevents situations where data protection law could be bypassed by keeping information in paper form during a particular stage of processing. For example, the rules that apply to cross-border data transfers cannot be bypassed by exporting information in paper form as part of a filing system, which can then easily be transferred into electronic form once outside the borders of the European Union.

Unstructured paper records are outside the scope of EU data protection law [1], but in practice the line between structured and unstructured filing systems can be blurry.

You can read a detailed explanation, including examples and helpful guidelines, here.

SECOND BLOCK: What constitutes ‘processing’ under EU data protection law?

Early “computers” at work, summer 1949 — NASA on The Commons

Article 4(2) of GDPR defines processing to mean:

“any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”

‘Computerized’ processing under EU data protection law

The reference “any operation or set of operations” indicates the regulator’s intent to provide a broad definition for the concept of processing. “Processing”, in relation to information or data means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, including:

  • organization, adaptation or alteration of the information or data,
  • retrieval, consultation or use of the information or data,
  • disclosure of the information or data by transmission,
  • dissemination or otherwise making available, or
  • alignment, combination, blocking, erasure or destruction of the information or data.

THIRD BLOCK: What is ‘personal data’ under EU data protection law?

Early “computers” at work — NASA on The Commons. NOTE: The women of the Computer Department at NACA High-Speed Flight Research Station are shown busy with test flight calculations. There were no mechanical computers at the station in 1949, but data was reduced by human computers. Shown in this photograph starting at the left are: Geraldine Mayer and Mary (Tut) Hedgepeth with Friden calculators on their desks; Gertrude (Trudy) Valentine is working on an oscillograph recording reducing the data from a flight. Across the desk is Dorothy Clift Hughes using a slide rule to complete data calculations. Roxanah Yancey completes the picture as she fills out engineering requests for further data.

The definition of personal data under GDPR is identical to the definition under the 1995 Data Protection Directive.

Article 4 (1)
“‘Personal Data’ means any information relating to an identified or identifiable natural person (‘data subject’) . . . .”

The definition contains four closely related building blocks, each of which should be separately analyzed for the sake of clarity. Those blocks are: “any information”, “relating to”, “an identified or identifiable”, and “natural person”.

Personal data: 4 building blocks

Any information:

The concept of personal data includes information available in whatever form. Both objective and subjective statements can be ‘personal data’, and it is not required that the information be true or proven. Additionally, the concept of ‘personal data’ is wider than the concept of ‘private data’, and includes not only information considered to be “sensitive”, but also information that is not sensitive and even public information (e.g. “Hillary Clinton is a democrat”).

Relating to:

The “relating to” building block is often overlooked yet crucial. Data can “relate” to an individual by virtue of its “content”, “purpose” OR “result”. These three elements are considered alternative conditions (only one element has to be present for the information to ‘relate to’ a data subject). The “content” element is present where, in the light of the surrounding circumstances, the information is “about” the person. The “purpose” element exists when, considering the surrounding circumstances, the data is used or is likely to be used for the purpose of evaluating, treating in a certain way or influencing the status or behavior of an individual. A third kind of ‘relating’ to specific persons arises when a “result” element is present, even in the absence of the “content” or “purpose” elements (i.e. where the result of the information is that a particular individual is treated differently, the data is considered personal data even where it does not directly identify an individual and was not intended to be used for the purpose of identifying an individual).

An identified or identifiable:

EU data protection law only excludes anonymous data (pseudonymous data is personal data but subject to more flexible data protection rules). Identification is normally achieved through particular pieces of information which we may call “identifiers” and always depends on the circumstances of the case. To determine whether a natural person is identifiable under EU law, one must consider all the means reasonably likely to be used by the controller or by another person to achieve identification. EU data protection authorities take the controversial position that IP addresses should be treated as personal data, even where the controller does not have access to records reflecting which particular individual is using which particular IP addresses, on the basis that the ISP provider (“another person”) holds those records.

Anonymous data is excluded from the material scope of EU data protection law.

Natural person:

Finally, as a general rule, EU data protection law does not apply to information related to dead individuals, unborn babies, or legal entities. If the information in those categories indirectly identifies natural persons, however, then it will be subject to EU data protection laws.

For a detailed explanation of what constitutes personal data under EU data protection law, including examples and a comprehensive discussion of each block, click here.


ACTIVITIES REGULATED BY EU DATA PROTECTION LAWS OTHER THAN GDPR

Early “computers” at work, summer 1949 — NASA on The Commons. NOTE: The nickname for these ‘early computers’ was Galloping Gerties because of their movement when using the rolls of celluloid film and strips of oscillograph paper.

GDPR is not the only data protection law of the European Union. Also, there are limits to the ability of the European Union to legislate based on the international agreements that are the foundational documents of the EU. For those reasons, GDPR explicitly excludes from its material scope certain activities.

Article 2.2 of GDPR establishes that:

2. This Regulation does not apply to the processing of personal data:
(a) in the course of an activity which falls outside the scope of Union law;
(b) by the Member States when carrying out activities which fall within the scope of Chapter 2 of Title V of the TEU;
[…]
(d) by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.

This means in practice that:

  1. The processing of personal data by competent authorities for law enforcement purposes is outside the scope of GDPR (e.g. the Police investigating a crime), but subject to EU data protection law under Directive 2016/680, and may also be subject to Member State level data protection regulations.
  2. Personal data processing for the purposes of safeguarding national security or defence is outside the scope of EU data protection law but may be subject to data protection regulations enacted by individual Member States.

In addition, Article 2.3 of GDPR establishes that:

3. For the processing of personal data by the Union institutions, bodies, offices and agencies, Regulation (EC) No 45/2001 applies. Regulation (EC) No 45/2001 and other Union legal acts applicable to such processing of personal data shall be adapted to the principles and rules of this Regulation in accordance with Article 98.

This means that personal data processing by EU institutions is not subject to GDPR. Regulation No 45/2001 was repealed in 2018. The processing of personal data by the EU institutions is currently subject to Regulation (EU) 2018/1725.


EXCLUSIONS

Household matches [float] from Sesquicentenary Manufacturers’ Parade, Sydney, 1938 — State Library of New South Wales

The processing of personal data in the course of a purely personal or household activity, with no connection to a professional or commercial activity, is outside the scope of EU data protection law.

Article 2.2 of GDPR establishes that:

2. This Regulation does not apply to the processing of personal data:
[…]
(c) by a natural person in the course of a purely personal or household activity;

This means in practice that EU data protection law does not apply if you only use personal data for such things as writing to friends and family or taking pictures for personal enjoyment. This is a narrow exception.

Early “computers” at work — NASA on The Commons. NOTE: The late 1940s saw increased flight activity, and more women computers were needed. A call went out to the NACA Langley, Lewis, and Ames laboratories for more women computers. Pictured in this photograph with the snowman are some of the women computers who responded to the call for help in 1948 along with those who were already there. Kneeling left to right: Dorothy (Dottie) Crawford Roth, Lewis; Dorothy Clift Hughes, and Gertrude (Trudy) Wilken Valentine, Lewis.

End notes:

[1] Some countries have expanded the scope of their national data protection laws to include unstructured data in certain situations. For example, under the UK Data Protection Act 2018 (DPA 2018), unstructured manual information processed only by public authorities constitutes personal data, including paper records that are not held as part of a filing system. While this information is personal data under the DPA 2018, it is exempt from most of the principles and obligations in the GDPR to ensure that it is appropriately protected for requests under the Freedom of Information Act of 2000.

Resources:

Article 29 WP opinion 4/2007 on the concept of Personal Data

ICO Freedom of Information Act 2000 (FOIA) Decision Notice