Geographic data as personal data in four EU Member States

Abstract

Directive 95/46/EC is the Directive to protect personal data in the European Union, this Directive is implemented in national legislation. The interpretation of this Directive is different in the various Member States, this hinders the internal market of the European Union. The research shows the differences in EU Member States when it comes to considering geographic data as personal data. The used definition is the definition in Directive 95/46/EC on the processing of personal data. Governments play an important role in the opening of geographic data. Governmental bodies produce a lot of geographic data and with two Directives on the reuse of governmental data, the EU supports the opening up of data by supporting reuse policies. It is an obligation for governments to open up the data necessary for their public task, so the data can be reused.

The differences between Member States stem from the differences in interpretations on when geographic data leads to identifiability of a natural person. The research is based on four different EU Member States, The Netherlands, Belgium, Germany and the United Kingdom. Four key stakeholders (Data source holder, Legislator, Data Protection Authority and, Jurisprudence) are identified and their opinions or judgements on the interpretations of the extent to which geodata should be considered personal data are analysed. The focus of the thesis is on two types of geographic data: Mobile mapping, geographic data collected from a movable object is considered and secondly the INSPIRE themes of topographic maps and building registers are assessed.

The research found a variety of interpretations of data protection legislation to geographic data. The variety was found among the different cases (EU and Member States), the different stakeholders and the different types of geographic data. The EU, the Netherlands, Belgium, Germany and the United Kingdom are case-studies in this research.

An example of the differences is that in the Netherlands the Data Protection Authority states that panoramic images of streets are considered personal data. In the discussions on the processing of 360 degrees images of houses within the Parliament the legislation does not mention the use of Google Street View and jurisprudence judges that dissemination of these images is possible when certain features are blurred and there is no link to an address. This shows that there are differences between the actors inside the Member States on to which extent geographic data is considered personal data.

Another example is the studied topographic datasets. The datasets do not contain personal data, according to the Dutch Data Protection Authority, while the German Data Protection Authority and the Belgian Data Protection Authority judge that topographic maps of a large scale can contain personal data, and have requirements for the processing of topographic maps.

The patchwork of differences in data protection legislation can be harmonised by using a traffic light model. This model uses another definition of personal data. It has a focus on the context of processing of the data and categorizes the data from non-identified data to identified sensitive data, in this way access to the data is categorized. This categorization is based on an assessment of the processing of the data. This leads to a more harmonised interpretation of personal data definition.