When is Personal Data 'About' or 'Relating to' an Individual? A Comparison of Australian, Canadian, and EU Data Protection and Privacy Laws
Author | Normann Witzleb & Julian Wagner |
Position | Associate Professor at the Faculty of Law, Monash University, Melbourne/Lecturer at the Faculty of Law (Chair of Prof Dr Spiecker gen. Döhmann, LLM), Goethe University, Frankfurt am Main |
Pages | 293-329 |
Normann Witzleb* & Julian Wagner **
The definition of “personal information” or “personal data” is foundational to the
application of data protection laws. One aspect of these definitions is that the information
must be linked to an identifiable individual, which is incorporated in the requirement
that the information must be “about” or “relating to” an individual. This article examines
this requirement in light of recent judicial and legislative developments in Australia,
Canada and the European Union. In particular, it contrasts the decisions rendered
by the Federal Court of Australia in Privacy Commissioner v Telstra Corporation
Ltd and by the European Court of Justice decisions in Scarlet Extended and Patrick
Breyer v Bundesrepublik Deutschland as well as the new General Data Protection
Regulation with Canadian law. This article also compares how the three jurisdictions
deal with the vexed issue of IP addresses as personal information where the connection
between the IP address and a particular individual often raises particular problems.
* Normann Witzleb (Dr, LLB) is an Associate Professor at the Faculty of
Law, Monash University, Melbourne, Australia. His research focus is on
Australian and European private law, and in particular, the area of privacy
rights, torts and remedies.
** Julian Wagner (Dr, LLM Eur.) is a Lecturer at the Faculty of Law (Chair
of Prof Dr Spiecker gen. Döhmann, LLM), Goethe University, Frankfurt
am Main, Germany. His research focuses on European law, environmental
law and privacy law. His work was supported by a postdoc fellowship of
the German Academic Exchange Service (DAAD).
I. Introduction
II. T N L I I
A. Australian Law
1. The Telstra Determination by the Privacy Commissioner
2. The AAT Decision in Telstra
3. The Full Federal Court Decision in Telstra
4. Practical Consequences of the Telstra Litigation
B. Personal Information Under Canadian Law
C. European Union Law
2. Personal Data in the Case Law of the European Court of Justice
3. Changes Under the New General Data Protection Legislation
III. H D A, C, E U D IP
P I
A. Australian Approach
B. Canadian Approach
C. European Approach
IV. C
I. Introduction
Data protection laws aim to protect personal privacy by regulating
the collection, processing and transfer of “personal information”
(Australia and Canada), “personal data” (European Union) or “personally
identifiable information” (United States). While the definitions of these
terms vary across jurisdictions, what they have in common is that they
are of fundamental significance. Data that does not contain information
about an identified or identifiable individual in the sense of the respective
definition falls outside the scope of data protection laws.
Differences in the definition of “personal information” have
relevance not only for the application of domestic data protection laws
but also affect data transfers between countries. Many domestic data
protection regimes impose restrictions on the export of personal data to
(2018) 4 CJCCL
a third country, particularly if the data protection level in that country is
weaker than the law of the exporting state. This is intended to prevent
the bypassing of national data protection laws by the transfer of data
to a third country without an adequate level of protection. However,
even if the substantive data protection laws of a third country provide
a comparable level of protection overall, a closer look at the scope of
application of its data protection regime may also be necessary. If a third
country adopts a narrower understanding of the term “personal data”,
that country’s privacy laws will not apply to some data that would be
protected by the laws of the exporting country.
This article will analyse recent developments relating to these
definitions in Australia and the European Union and provide a comparison
with Canadian data privacy law. The article is prompted by an Australian
appellate decision on the definition of “personal information” under the
Privacy Act.1 In its decision, Privacy Commissioner v Telstra Corporation
Ltd,2 the Full Court of the Federal Court of Australia also considered
relevant Canadian jurisprudence. In particular, it referred to the decision
of the Federal Court of Appeal in Canada (Information Commissioner) v
Canada (Transportation Accident Investigation & Safety Board).3 This
article will also consider recent developments in the European Union
and, in particular, the new General Data Protection Regulation (“GDPR”)4
and two recent decisions of the European Court of Justice. The practical
consequences of the differences between the terms will be explained using
the example of the classification of Internet Protocol (“IP”) addresses as
personal information or as personal data, respectively.
1. Privacy Act 1988 (Cth) (Austl) [Austl Privacy Act].
2. [2017] FCAFC 4 [Telstra FCAFC].
4. EC, Regulation (EU) 2016/679 of the European Parliament and of the
Council of 27 April 2016 on the protection of natural persons with regard to
the processing of personal data and on the free movement of such data, and
OJ, L 119/1 [GDPR].