IAPP-GDPR Web Banners-300x250-FINAL

Readers are encouraged to submit their questions to


This e-mail address is being protected from spam bots, you need JavaScript enabled to view it

. We will tap the expertise of IAPP members to answer your questions.

Stewart Room

Q: How does the recent Article 29 Working Party Opinion on the meaning of "personal data" affect our understanding of the scope of the European Data Protection Directive?

A: Opinion 4/2007 "on the concept of personal data" (WP 136) was adopted by the Article 29 Working Party on June 20. Although it does not contain anything new as far as "seasoned" European data protection professionals are concerned, from the UK perspective it can be regarded as being a landmark publication, because it leads to only one conclusion about the decision of the Court of Appeal in the well-known case of Durant v. Financial Services Authority, namely that the Court of Appeal's interpretation of the meaning of personal data is unsustainable. How the UK courts will go about reconciling Durant with Opinion 4/2007 remains to be seen.

For data protection professionals working in the U.S. and elsewhere, the opinion may well prove to be very helpful, as it addresses some common misunderstandings about the meaning of "identifiable"; to summarize, one of the key components within the meaning of personal data is that it should relate to an "identified or identifiable" natural person.
From the writer's own experiences in private practice, it can be said that many data controllers labor under the misapprehension that identifiability means that data should be capable of identifying a person by name. The opinion tackles this misapprehension head on, saying that "it should be noted that, while identification through the name is the most common occurrence in practice, a name may itself not be necessary in all cases to identify an individual."

The essence of identifiability is the ability to distinguish one person from another, so that, for example, one person can be singled out for special treatment. This "singling-out" component can be satisfied without the need for a name in certain cases, with one of the most obvious being precision online marketing where data relating to browsing patterns are analyzed in order to serve-up bespoke advertising content to the user of the terminal equipment. The precision marketing company may never know the name of the user of the terminal equipment, but the user is still singled out for special treatment all the same. In this kind of scenario the Data Protection Directive is likely to apply.

Of course, a closely related issue is anonymization, because if data cannot single out a person for special treatment, it will not satisfy the identifiability component. Many would-be data controllers strive to take advantage of anonymization techniques to take themselves outside the scope of the data protection regime.

The opinion closely scrutinizes the concept of anonymization, making distinctions among pseudonymization, key-coded data and truly anonymous data. The essence of pseudonymization is the disguising of identities, but if the disguise can be unravelled so that a person can be identified, the directive is likely to apply. Key-coded data is a form of pseudonymization, where a person is identified by a code rather than by name and the key is held separately. The issue with key-coded data is the risk of the code and the key being combined so as to identify the person concerned. If the risk is a real one, the directive is likely to apply. True anonymization speaks for itself.

The opinion deals with much more than identification. In fact, identification forms the third part of the discussion, and the opinion addresses the concepts of "any information," "relating to," "identified or identifiable" and "natural person."

The discussions about the meaning of "any information" and "relating to" go to show that the directive is intended to have a wide scope and so in most cases of confusion the analysis of the directive's application is likely to turn on identifiability.

Returning to the opening comments about the Durant case, it is the discussion of the meaning of "relating to" that is most relevant for U.S. data controllers operating in the UK, because the Court of Appeal in Durant built the largest part of its analysis around these words, holding that files held by the Financial Services Authority did not relate to Mr. Durant, but to Mr. Durant's complaint about a UK bank. To many commentators, this was a distinction without a difference, which the opinion now confirms.

Stewart Room is a Partner in the Privacy and Information Law Group at Field Fisher Waterhouse Solicitors. He is the author of Data Protection and Compliance in Context (November 2006 ISBN 1-902505-78-6) and the Chairman of the National Association of Data Protection Officers. He can be reached at


This e-mail address is being protected from spam bots, you need JavaScript enabled to view it


This response represents the personal opinion of our expert (and not that of his/her employer), and cannot be considered to be legal advice. If you need legal advice on the issues raised by this question, we recommend that you seek legal guidance from an attorney familiar with these laws.


If you want to comment on this post, you need to login.


Board of Directors

See the esteemed group of leaders shaping the future of the IAPP.

Contact Us

Need someone to talk to? We’re here for you.

IAPP Staff

Looking for someone specific? Visit the staff directory.

Learn more about the IAPP»

Daily Dashboard

The day’s top stories from around the world

Privacy Perspectives

Where the real conversations in privacy happen

The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

Privacy Tracker

Alerts and legal analysis of legislative trends

Privacy Tech

Exploring the technology of privacy

Canada Dashboard Digest

A roundup of the top Canadian privacy news

Europe Data Protection Digest

A roundup of the top European data protection news

Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

IAPP Westin Research Center

Original works. Groundbreaking research. Emerging scholars.

Advertise in IAPP Publications

Find out how to get your message in front the people you want to reach. Download a media kit now.

Get more News »

Find a KnowledgeNet Chapter Near You

Network and talk privacy at IAPP KnowledgeNet meetings, taking place worldwide.

Women Leading Privacy

Events, volunteer opportunities and more designed to help you give and get career support and expand your network.

IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

Join the Privacy List

Have ideas? Need advice? Subscribe to the Privacy List. It’s crowdsourcing, with an exceptional crowd.

Find more ways to Connect »

Find a Privacy Training Class

Two-day privacy training classes are held around the world. See the complete schedule now.

Online Privacy Training

Build your knowledge. The privacy know-how you need is just a click away.

The Training Post—Can’t-Miss Training Updates

Subscribe now to get the latest alerts on training opportunities around the world.

New Web Conferences Added!

See our list of upcoming web conferences. Just log on, listen in and learn!

Train Your Staff

Get your team up to speed on privacy by bringing IAPP training to your organization.

Learn more »

CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

CIPT Certification

The industry benchmark for IT professionals worldwide to validate their knowledge of privacy requirements

Certify Your Staff

Find out how you can bring the world’s only globally recognized privacy certification to a group in your organization.

Learn more about IAPP certification »

Get Close-up

Looking for tools and info on a hot topic? Our close-up pages organize it for you in one easy-to-find place.

Where's Your DPA?

Our interactive DPA locator helps you find data protection authorities and summary of law by country.

IAPP Westin Research Center

See the latest original research from the IAPP Westin fellows.

Looking for Certification Study Resources?

Find out what you need to prepare for your exams

More Resources »

GDPR Comprehensive: Registration Open

New! Intensive two-day GDPR training led by the sharpest minds in the field. It's a can't-miss event.

The Congress Is Cancelled

The IAPP Europe Data Protection Congress 2015 is cancelled. Click through to learn more.

Sponsor an Event

Increase visibility for your organization—check out sponsorship opportunities today.

Exhibit at an Event

Put your brand in front of the largest gatherings of privacy pros in the world. Learn more.

More Conferences »

Become a Member

Start taking advantage of the many IAPP member benefits today

Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits

Join the IAPP»