When is data personal (part 1)
We’re hearing a lot about personal data in recent times, in particular in the context of the recent demise of Safe Harbor, following the case taken by Max Schrems against Facebook recently which was escalated to the EU Courts of Justice. In Europe, Directive 95/46/EC, adopted in 1995, spells out the legislative protections afforded to the individual in relation to the collection and processing of their personal data. This directive outlines a number of basic principles:
- Notice: users should know when their data is being collected
- Purpose: data collected should only be used for the purpose stated
- Consent: users must give permission for the sharing of their data with 3rd parties
- Security: users' date must be adequately protected
- Disclosure: users should know who is collecting their data
- Access: users should have access to the data collected and have the right to correct it
- Accountability: users should be able to hold the data collectors accountable for failure to adhere to these principles
The Safe Harbor agreement between the European Union and the US Dept. of Commerce laid out a process whereby companies could “self certify” that they adhered to the principles of the EU Directive in their processing of data. The Safe Harbor system was premised on there being adequate protection of EU citizen personal user data in the US. Schrems’ argument was that the papers leaked by Edward Snowden showed that US security agencies were systematically accessing (or more accurately, compelling companies to disclose) personal data collected by social networks and other sites (the NSA’s Prism surveillance program was specifically cited). Therefore adequate protection of user data could not be guaranteed. This argument effectively led to the invalidation of the Safe Harbor program.
So this begs a simple question, and one that doesn’t exactly have a simple answer. What constitutes personal data?
This question isn’t simply important in the context of Safe Harbor of course. All of us In the industry have a duty of care for our users’ personal data, but specifically also need to be compliant with the data protection legislation in the jurisdictions we operate in. For some apps, additional legislation will apply (e.g. COPPA in the US when apps are being used by those under 13). In all cases, a definition of personal data underpins the legislation.
In EU legislation, personal data is defined as:
“...any information relating to an identified or identifiable natural person (“data subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;”
As you can see this is a pretty broad definition. The Data Commissioner in Ireland (who originally dealt with the Max Schrems case against Facebook, as Facebook have the EU HQ in Dublin) define personal data as:
“...data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller.”
Without getting into further definitions of data controllers, you can see that this definition is a little more specific, and introduces the concept that personal data may not actually identify an individual in isolation but may be combined with other publicly available data sources to become personally identifiable.
The View From America
For a definition that is closer to something we can sink our teeth into, we can turn to COPPA. While these definitions are not legally interchangeable, each is trying to capture essentially the same concept, so it’s instructive to see different versions. Here’s COPPA’s definition:
“...individually identifiable information about an individual collected online, including:
- A first and last name;
- A home or other physical address including street name of a city or town;
- Online contact information as defined in this section;
- A screen or user name where it functions in the same manner as online contact information, as defined in this section;
- A telephone number;
- A social security number;
- A persistent identifier that can be used to recognize a user over time and accross Web sites or online services. Suce persistent identifier includes, but is not limited to, a customer number held in a cookie, an internet Protocol (IP) address, a processor or device serial number, or unique device identifier;
- A photograph, video, or audio file where such file contain's a child's image or voice
- Geolocation, information sufficient to identify street name and name of a city or town; or
- Information concerning the child or the parents of that child that the operator collects online from the child and combines with an identifier described in this definition;*
This is pretty specific and declarative, in contrast to the European definitions. In our own investigations of our responsibilities in this area, we’ve found that in discussions about personal data with different legal experts, we are in general talking about the specific items listed in the COPPA definition when we refer to personal data collected from the users of mobile applications.
Not Just Personal - “Sensitive”
There are other classes of personal data for which more extreme measures need to be taken if you’re planning to collect any of it from your users. “Sensitive” personal data relates to an individual’s race, political opinion, religious or other beliefs, physical or mental health, sexual life, alleged or actual criminal history and trade union membership. In some cases there are specific additional rules governing this sensitive data. In the US the Health Insurance Portability and Accountability Act (HIPAA) covers medical information. For personal financial information the PCI Security Standards Council defines standards by which any service provider should adhere to, particularly in relation to credit card handling.
Swrve’s service was built on the principle that we wished the service to be deployable for any type of app. This means that we’ve taken specific measures to make it possible to deploy Swrve for apps requiring COPPA compliance. It is entirely possible (without compromising the capabilities of the system) to treat users entirely anonymously, but still leverage the full power of segmentation based on anonymised user profiles. In cases where personal data is being collected, we ensure the legal collection of this data, with strictly enforced data protection protocols, and have European data centres to enable customers to guarantee that EU end user personal data remains within the EU region.
Often questions remain about the specific nature of personal data, and in many cases the definitions start to become a little grey. Is a name considered personal information? What about just a first name? If I have location data on an individual is that personal data? What if I just know the city they are in? If you read the COPPA definition of personal data earlier in this article you’ll have some thoughts already but in the next part of this blog entry we’ll take a look at some of these questions, and tease out a little more the question “when is data personal?”