Article 4(1) defines “personal data” as follows (all emphasis added unless otherwise stated):
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
This definition is broad and fairly all-encompassing. It includes a) any information relating to an identified individual (i.e. which makes such info personal to that individual), or b) any information relating to someone who could be identified based on a variety of identifiers.
The definition is relatively straightforward for “identified” persons. For example, you may be an identified person to data controllers like your school, your employer, or your landlord if your identity has been established via your driver’s license, work authorization, criminal background check, credit score pull, etc. Any information these data controllers have on you, such as your date of birth, address, phone number, salary, and rent would therefore all constitute protected personal data under the GDPR.
It gets a bit confusing for “identifiable” persons. A person may be identifiable through direct or indirect means. Let’s look at a John Smith who buys coffee every morning before work at the corner Big Coffee Co. If John pays with a credit card, his card info makes him directly identifiable to the merchant, which means data on his coffee purchasing history (e.g., store location, date & time, amount paid, coffee preference) is personal data, thus entitling him to certain rights and protections. If John pays with cash, he may still be indirectly identifiable if he redeems a targeted coupon that was emailed to his inbox at firstname.lastname@example.org, which can be traced back to his name through John’s blog on different coffee blends.
The more indirect the identifiers, the more it may depend on surrounding circumstances to determine whether the information qualify as protected personal information. For instance, we expect the increasingly popular adoption of in-store wifi tracking technology to be deemed as identifiable. Here, retailers use wifi scanners to “listen” to shoppers’ smartphones as they walk in and around the store, and collect data on variables such as device type, MAC address, whether the same device has been to the store before or not (repeat shopper vs. new), in which section of the store does the shopper spend more time, how many more people come in after a major TV ad campaign, etc. None of this data by itself explicitly identifies an individual, but in combination should qualify as personal data processing given the following two considerations:
1. Behavioral analysis
Recital 24 states:
The processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union should also be subject to this Regulation when it is related to the monitoring of the behaviour of such data subjects in so far as their behaviour takes place within the Union. In order to determine whether a processing activity can be considered to monitor the behaviour of data subjects, it should be ascertained whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.
Data collection and processing to track and understand shoppers’ behaviors therefore likely qualifies as personal data.
2. Online identifier definition
Recital 30 clarifies “online identifier” as mentioned in the Article 4 definition of personal data as below:
Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.
Device MAC addresses therefore likely qualifies similar to IP addresses.