In this fouth blog post of my exploration into the matter based on an upcoming publication for CRC Press, part of the Online Terrorist Propaganda, Recruitment, And Radicalization Book Project that I wrote together with Dr. Milda Macenaite, I will specifically explore the relationship between personal data protection and use of information.
The relationship between the protection and use of that very information is depends on whether or not the information is considered to be personal data. The absolute or objective approach views information as personal data if there is a possibility (even an abstract one) for any third party to determine the identity of the individual from it. This limits the possibility of identification to the actual legal and practical means at the disposal of the actor who has the information. Instead, the
subjective or relative approach followed by the CJEU in the Breyer case, can lead to hashed images and videos, domain names and URL addresses, IP addresses, fake emails and usernames, following a careful case-by-case analysis of law and context, might change the position of whether or not a piece of information should be considered personal data.
For example, an IP address alone acquired by a law enforcement authority or the EU IRU through open source research may not suffice to identify an individual, in combination with other information, may allow for identification or linking to an identifiable individual. The possibility to request additional information from an ISP’s logs is to be considered as the means that are reasonably likely to be used to identify an individual using that IP address. It’s particularly important in this context to realise that this possibility may be available to law enforcement authorities.
The aim of law enforcement is most obviously that of identifying and persecuting those who commit terrorist offences and therefore the identification of suspects is key. However, for the information to be treated as personal data, the full identification of an individual, i.e., to know his name and surname, is not necessary. As underlined by the Article 29
Working Party, the possibility to single out an individual suffices for the information to be treated as personal data (see Article 29 Working Party, Opinion 4/2007 on the concept of personal data). Information can relate to an individual not only because it is about an individual, but also because it allows to assess or to affect an individual and a law enforcement authority might have fake details of an account holder or a falsified username but the LEA can still gather information about an individual who created the
account. Therefore, even if a law enforcement authority is not able to know who the natural person using an email address is, email accounts may in principle still be considered personal data if an individual, even if unidentified, is treated differently from other persons as a result of the data processing.
When it is genuinely not possible to be sure without any uncertainty, whether a piece of information, such as an IP address, an email address, etc., relates to a natural person, a safe solution would be to consider such information as constituting
personal data in order to afford it a higher level of protection.
If it is concluded that a piece of information constitutes personal data, based on the EU data protection law, the following obligations and duties to the actors processing that information (data controllers) arise.
When processing personal data, data controllers shall respect the principles relating to
processing of personal data:
Lawfulness and fairness
- Purpose specification and collection limitation
- Data quality
- Data security
- Openness and individual participation
- Other obligations for data controllers
- Other processing restrictions