
This Wisdom of the Crowd, compiled from questions and responses posted on the IT, Privacy, and eCommerce eGroup,* addresses whether the transfer of business contact "personal" data is subject to data privacy protections under European Union (EU) Law.
 
(*Permission was received from ACC members quoted below prior to publishing their eGroup Comments in this Wisdom of the Crowd Resource.)
 
Question: I have a hypothetical and a question for our group:
 
The Hypothetical:
Assume data about companies in Europe is to be transferred to the United States (US) for use by US companies, including the name of a contact person at each such European company, their job title, and their business phone number. Sometimes, the business phone number they provide may also turn out to be their personal phone line (i.e., a cell phone the person uses for business and personal matters).
 
The Question:
Is the identification of a European Union (EU) citizen's business title and business phone number (particularly if the number is one they also use for personal matters) "personal data" under EU law, and therefore subject to the data privacy restrictions on transfer of that data? Also, where might I find supporting law on point?
 
Thanks!
 
Wisdom of the Crowd:

Response #1: Business contact data also qualifies as personal data and is subject to EU data protection laws (it does not matter whether the business contact data is also used for private purposes or not). Article 2a of EU Directive 95/46/EC provides a definition for personal data:

For the purposes of this Directive:
(a) "personal data" shall mean any information relating to an identified or identifiable natural person ("data subject"); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.[1]
 
Response #2: This one is pretty easy. *Any* information that relates to an identified or identifiable natural person is personal data, full stop. Under EU law -- both the current Directive and the forthcoming General Data Protection Regulation (GDPR) -- there is no distinction between business and private information when defining personal data. This includes business email address, title if they are the only person with that title, organizational charts, business phone number, etc… (I don't have a legal citation handy but there is a decent ACC article from the United Kingdom firm Bird & Bird a few years back that specifically mentions business contact information).
 
This is a concept that a lot of US companies struggle with. It is hard for Americans to get their heads around the idea that privacy rights and restrictions under the Directive and GDPR apply to things like work email addresses and Human Resource (HR) files on the employee. We tend to view employee information as 'owned' by the company with few, if any, employee rights regarding that data.
That said, it is important to understand the EU 'derogations' (exceptions) to limitations on use of personal data. In general, business contacts are viewed to have consented to the use of their contact information to contact them for business reasons. This consent doesn't necessarily cover transfer out of the EU (though consent is a valid basis for transfer if done right) but it gets you a legitimate basis for processing the data, which is a necessary first step. Just note that consent would only cover uses consistent with why the business contacts gave you their information in the first place (e.g., don't add them to your consumer-directed 'widget of the month' email blast).
 
Your best and simplest bet to legitimize the transfer is probably to execute internal Standard Contractual Clauses between your EU and US entities. Depending on the EU jurisdiction you may have to notify/file with the local authorities (this goes away EU-wide in 2018 under the GDPR) but that is not the case in the United Kingdom (UK), where the highest number of EU-US transfers originate.[2]
 
Response #3: Yes, in the EU this data is personal data. The supporting law is the definition of personal data in each European Union (EU) country, for instance in the United Kingdom (UK) under the Data Protection Act of 1998:
 
'Personal data' is defined as data relating to living individuals who can be identified:
1. from the data, or,
2. from the data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.[3]
 
Response #4: The short answer is *yes*--absolutely! You can cite Article 2(a) of the European Union (EU) Directive on Personal Data - the definition:
"(a) 'personal data' shall mean any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;"
 
Any information that identifies or could be used to identify a data subject is personal data protected by the directive. This can be things more obtuse than phone numbers. The Court of Justice of the European Union (CJEU) just decided in Patrick Breyer v. Bundesrepublik Deutschland (Case C-582/14. October 29, 2016) that the dynamic Internet Protocol (IP) address of a website's visitor constitutes personal data with respect to the operator of the website if "it has the legal means enabling it to identify the visitor with the help of additional information which that visitor's internet service provider has." IP addresses can be personal identifiable information (PII) too. Names and phone numbers are absolutely PII that need to be protected.[4]
 
Response #5: We are not in the main business of collecting or using consumer information. We are a business-to-business organization (B2B), and any information we receive is incidental to account setup. I have asked this question at every luncheon presentation on the GDPR that I have been to, and have received the same response. That the personal information is protected, and that we should spend tens of thousands of dollars hiring the speaker's firm to design a robust data security program in compliance with requirements (and then hire them again after the ones that are in place today are found void tomorrow).
 
What I am doing is counseling my company to treat this information with the same level of security that we treat all other personal information to limit access to those who need it, to not ship it around if you do not absolutely have to, to lock it down against hackers, etc. However, I am not setting up some gigantic effort to comply with the GDPR for a few hundred email addresses and phone numbers (and IP addresses, of course, if your website analytics capture those).
 
Unless your company is otherwise in the compliance crosshairs of a Deferred Prosecution Agreement (DPA) in the EU, I think that the risk that one of them will come after you for technical non-compliance is possibly not worth the effort and expense. But you might reach a different conclusion.[5]
______________________________
[1] Nicola Gabriela Amann, Director Legal EMEA, Senior Counsel, SugarCRM, Germany (December 8, 2016)
[2] Andy Blair, Vice President, Privacy Officer, Universal Music Group (December 8, 2016)
[3] Jean-Pierre Mistral, Vice President & Director, Gemalto, Inc. (December 8, 2016)
[4] Kevin Fay, Senior Corporate Counsel, VMware (December 8, 2016)
[5] Deborah Schwarzer, General Counsel, Aeris Communications, Inc. (December 8, 2016)
Region: European Union, United States
The information in any resource collected in this virtual library should not be construed as legal advice or legal opinion on specific facts and should not be considered representative of the views of its authors, its sponsors, and/or ACC. These resources are not intended as a definitive statement on the subject addressed. Rather, they are intended to serve as a tool providing practical advice and references for the busy in-house practitioner and other readers.