In this guest blog post, Brendan Van Alsenoy – legal researcher at the Centre for IT and IP Law, University of Leuven – analyses the scope of the personal use exemption under the new EU General Data Protection Regulation (GDPR).
A note with regard to the relevance of the GDPR to the UK: this post was written before the EU referendum result on 24th June. For the ICO’s statement on the potential regulatory implications of a UK exit from the EU please see this link.
The blog post was originally posted on the CiTiP blog at KU Leuven. It is based on a draft paper included in the CiTiP Working Paper Series. You can follow the CiTiP on Twitter here.
In less than 30 years, individuals have transcended their role as passive “data subjects” to become actively involved in the creation, distribution and consumption of personal data. Unless an exemption or derogation applies, individuals are – at least in theory – subject to data protection law.
The evolving role of the individual
We use information and communication technologies every day. Mobile devices tell us where to eat, who to meet and how to get there. We share pictures, post videos and tweet reviews. We google everything and everyone.
With all these processing capabilities at our fingertips, the question can be asked: are we subject to EU data protection law?
Historically, data protection laws emerged to protect individuals against risks resulting from the processing of personal data by governmental and commercial institutions. Individuals have therefore traditionally been viewed as the “beneficiaries” of data protection.
Over time, however, the role of the individual has shifted. Processing capabilities previously reserved for powerful organisations are now available to anyone with a smart device and an internet connection.
The position of the Court of Justice of the European Union
Unless an exemption or derogation applies, individuals are – at least in theory – subject to data protection law when processing personal data about others. This hypothesis was confirmed early on by the Lindqvist ruling and more recently in Ryneš.
Central to both cases was the question of whether the processing activities of an individual fell within the scope of article 3(2) of Directive 95/46, which exempts processing “by a natural person in the course of a purely personal or household activity”. In both instances, the Court of Justice took a restrictive view, stating that the personal use exemption should be construed narrowly.
The reasoning of the Court of Justice in Lindqvist has had particularly far-reaching consequences as far as the processing of personal data online is concerned. In particular, the Court of Justice considered that the personal use exemption cannot be applied to “the processing of personal data consisting in publication on the internet so that those data are made accessible to an indefinite number of people”. As a result, merely tweeting “at” another human being can be enough to trigger the applicability of EU data protection law.
Proposal for change
During the discussions surrounding the GDPR, it was suggested that the scope of the personal use exemption should be expanded. The Article 29 Working Party, for example, considered that the personal use exemption contained in Directive 95/46 has an “unrealistically narrow scope” and has become “anachronistic”. Applying data protection law to online activities such as online social networking seemed particularly troublesome.
As an alternative approach, the Working Party proposed a number of criteria (e.g., publicity, scale and frequency, adverse impact) to determine whether or not the personal use exemption should be applied.
There are several reasons why the proposal of the Article 29 Working Party made sense. Data protection law is geared towards organisations, not towards individuals acting in a private capacity. Data protection law is highly procedural in nature, it focuses on “data management” (not social interaction) and proper compliance requires expertise and resources which are typically only available to organisations. A clear mismatch exists between the legal obligations of “controllers” and social practices of individuals.
In other words: it does not only appear impractical to apply several data protection requirements to private individuals, it can also be excessively burdensome.
Legislative development
During the legislative process, the Council of the European Union appeared inclined to endorse the expansion of the scope of the personal use exemption. Most notably, the Council proposed to strike the word “exclusively” from the text, thereby encouraging a much broader interpretation.
The European Parliament, however, seemed intent on keeping the scope of the exemption narrow. In the end, a compromise was struck: according to article 2(2) GDPR, the personal use exemption still only applies to the process of personal data “by a natural person in the course of a purely personal or household activity”. The language of the personal use exemption itself thus remained identical to the text of Directive 95/46.
The corresponding recital, however, was modified significantly. Recital (18) indicates that the GDPR should not apply to “social networking and online activity” undertaken within the context of a personal or household activity “with no connection to a professional or commercial activity”. As a result, it could be argued that the scope of the personal use exemption has been expanded ever-so-slightly after all.
A missed opportunity?
It is unfortunate that the EU legislature was unable to further modernise and clarify the scope of the personal use exemption.
In my view, the personal use exemption should apply to all activities which may reasonably be construed as taking place in the course of an individual’s private or family life, which includes the development of one’s personal identity and the cultivation of relationships with others.
In addition, an individual should not be excluded from the personal use exemption purely on the basis of the number of recipients involved. Only when interference with the privacy interests of others clearly transcends the boundaries of ordinary social interaction and everyday ICT use (e.g., due to the scale or frequency of the processing, combined with the recipients and nature of the data), might it be proportionate to bring the activities of private individuals within the scope of data protection law.
It remains to be seen whether the Court of Justice will soften its earlier stance and give the personal use exemption a broader interpretation under the GDPR. Given that the language of the exemption itself has not changed, the precedential value of both Lindqvist and Ryneš in principle remains intact. Nevertheless, the subtle hint dropped by the EU legislature in recital (18) might be enough to stimulate a more progressive and balanced approach.
Further information
The article offers the author’s personal view and does not represent the position of the Information Law and Policy Centre, CiTiP, nor the University of Leuven.
Brendan Van Alsenoy is a legal researcher at CiTiP, KU Leuven— iMinds. His research focuses on data protection, privacy, intermediary liability, and trust services.