Judgment Approved by the court for handing down
R (Bridges) v CCSWP and SSHD
provision, in relation to that provider, where the latter has the
legal means which enable it to identify the data subject with
additional data which the internet service provider has about
that person.”
118.
Thus, the only incidents excluded were where the risk of identification
“appears in reality to be insignificant”.
Individuation
119.
The second possible route is to the effect that a person is sufficiently identified
for the purpose of the definition of personal data if the data ‘individuates’ that
person.
120.
In Vidal-Hall v Google Inc. [2016] QB 1003, in the context of an application
for permission to serve proceedings out of the jurisdiction, the Court of Appeal
had to consider whether it was arguable that browser generated information
(“BGI”) (i.e. information about the claimants’ internet usage), was personal
data. The defendant contended that the BGI was anonymous in that it neither
named nor identified any person. At paragraph 115 of its judgment the court
rejected that submission:
“115. We think the case that the BGI constitutes
personal data under section 1(1)(a) of the 1998 Act is
clearly arguable: it is supported by the terms of the
Directive, as explained in the working party’s opinion,
and the decision of the Court of Justice in the Lindqvist
case (Case C-101/01) [2004] QB 1014. The various
points made by Mr White in response do not alter our
view. The case for the claimants in more detail is this. If
section 1 of the 1998 Act is appropriately defined in line
with the provisions and aims of the Directive,
identification for the purposes of data protection is
about data that “individuates” the individual, in the
sense that they are singled out and distinguished from
all others. It is immaterial that the BGI does not name
the user. The BGI singles them out and therefore
directly identifies them for the purposes of section
1(1)(a) having regard to the following: (i) BGI
information comprises two relevant elements: (a)
detailed browsing histories comprising a number of
elements such as the website visited, and dates and
times when websites are visited; and (b) information
derived from use of the “double-click” cookie, which
amounts to a unique identifier, enabling the browsing
histories to be linked to an individual device/user; and
the defendant to recognise when and where the user is
online, so advertisements can be targeted at them, based