What counts as “personal data”?

Senior Security Consultant, Shaun Wakefield, highlights what really counts as personal data.

Imagine creating a business that scrapes documents from the public internet and stores them in a database. The business’s unique selling point is its algorithms, which examine the writing style and meta data to determine authorship, intended purpose, where they wrote it, and more.

The business then builds a profile of each writer and sells its services to people who want to learn more about the provenance of a certain document. The use cases vary widely from legitimate to ethically questionable.

Perhaps law enforcement wants to determine who wrote a ransom note. Or perhaps an employer wants to identify a whistle-blower. Perhaps the authoritarian regime wants to identify the journalist behind a critical article that was penned anonymously.

To protect the business from scrutiny, it would probably be set up in a jurisdiction with less stringent controls on personal data – but what would the GDPR consequences of this be? Is a document ever “personal data” in a meaningful sense?

While this text analysis business is hypothetical, a business that carries out a similar process using photographs is entirely real. This business was recently fined £7.5 million by the UK ICO. The company was also required to delete and stop processing data on UK citizens. As the UK is now outside of the EU, a parallel investigation is taking place in France, and the country’s information commissioner is likely to apply similar sanctions.

The ICO judgement concluded that the New York-based business acts as a “Data Controller” and violates the GDPR twice: first by accepting probe images to match against its database, and second by searching the database for matches.

The organisation has, apparently, not made any money from its solution in the UK. Given that the ICO has jurisdiction where data on UK citizens is concerned, it won’t be making any money in the future, either. 

This ruling should also be seen as a warning shot to all organisations that collect data – such as location data – for insurance purposes, even if they consider the dataset to be anonymised. The important principle reinforced by this ruling is that individual permission to hold and process data is an absolute requirement.

In other words, further data processing is only possible if it is in line with the original user’s acceptance. The practice of taking existing data – online photos – and processing it in a new way – to identify people without their consent – turns the publicly available data into personal data. This is an important ruling with significant implications for many businesses, and we can only wait and see who else the commissioners may have in their sights…

If you would like any further information or would like advice on how to protect personal data held by your business, get in touch to arrange a chat with one of our experts today.