Judgment Approved by the court for handing down
R (Bridges) v CCSWP and SSHD
different, says SWP, in respect to those such as the Claimant whose images are
captured and processed by the AFR equipment with a view to finding a match
with any of the images on the watchlist. SWP could not and does not attempt
to identify any of those persons (save where there is a match with a watchlist
face). Thus, the information about them is not personal data.
113.
Starting from the definition of personal data in the DPA 1998, it is apparent
that the scope of information that is personal data is not limited simply to
information about persons whom a data controller has identified by name. The
definition is formulated in wider terms as to whether a person “can be
identified” either from the data in issue, or from that data and other
information held by the data controller, or from that data and other information
likely to come into the data controller’s possession. Thus, the definition in the
DPA 1998 reflects the definition in Directive 95/46/EC (“the 1995 Directive”)
at Article 2 (a), which is as follows
“personal data shall mean any information relating to an
identified or identifiable natural person (data subject);
an identifiable person is one who can be identified,
directly or indirectly, in particular by reference to an
identification number or to one or more factors specific
to his physical, physiological, mental, economic,
cultural or social identity.”
114.
Extracting from that definition the matters particularly pertinent to the case
before us, we can see no distinction between the definition in the DPA 1998
and the notion in the 1995 Directive that an “identifiable natural person” is one
who “… can be identified directly or indirectly… by reference to…factors
specific to his physical … identity”.
115.
In our view, there are two possible routes that merit examination in order to
determine whether the data in issue in this case can be considered “personal
data”: (a) indirect identification and (b) individuation.
Indirect identification
116.
The first route is indirect identification – if the data obtained by SWP through
the use of AFR Locate does not itself qualify as personal data, does SWP now
have, or might it in future obtain other information which when taken together
with the information obtained from AFR Locate, be sufficient to render the
latter personal data?
117.
In its judgment in Breyer v Bundesrepublik Deutschland (Case C-582/14)
which concerned whether dynamic IP addresses were personal data within the
definition in the 1995 Directive, the CJEU took an expansive approach to
indirect identification.