Elements of personal data
With the introduction of the GDPR in 2018, data protection has become a popular topic both from a legal and technical perspective. The importance of efforts around privacy and data protection is personal data and its protection. Under the EU GDPR, there are key elements in the definition of personal data.
Personal data is any information relating to an –
- identified or
- identifiable natural person (‘data subject’)
who can be identified
- directly or
- indirectly
Article 4 of the EU GDPR mentions some examples of personal data in its definition (Art.4.1). It states that personal data could be ‘ […] an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person’. Based on the definition of personal data and the examples stated in the EU GDPR, it may easily be inferred that technical information relating to hardware constitutes personal data, something that the new e-Privacy Regulation is expected to further clarify.
Hardware identifiers
Technical information attributed to hardware could take the form of numeric, alphanumeric or alphabetic codes used to uniquely identify a device or a batch of devices alone or within a network; for instance, the serial number of a device, the IMEI number, model number, MAC address, etc. Serial numbers are unique and assigned by a manufacturer to a device. This device could be a mobile phone, a television, a tablet, audio/video equipment, etc. According to guidance from Samsung, Serial numbers help manufacturers organise and keep track of their products. The IMEI (International Mobile Equipment Identity) number is a number that uniquely identifies a mobile communication device and no two mobile devices have the same IMEI. The IMEI number can be described as the digital fingerprint of your device. The model number is used to identify what type of device you have and applies to a number of devices that share something in common such as the manufacture or release year. While the model number is a hardware identifier, it is not unique to a device as multiple devices can have the same model number.
How can hardware identifiers be personal data?
Since these various numbers are merely hardware identifiers, how could they also be personal data? Of particular interest is the IMEI number which is often seen as the digital fingerprint of your device. Taking the definition of personal data and the IMEI number into account, the IMEI number becomes personal data as soon as it is associated with a person. Consequently, the IMEI number of a smartphone would not be regarded as personal data until it is purchased. However, when a person purchases the smartphone and activates it – which often leads to providing personal details such as name, email address, password or biometrics, i.e. opting for face ID unlock, the IMEI number becomes personal data as it is now linked to other information from the owner/user of the smartphone.
At this point, the individual elements of the definition of personal data become important. Since personal data refers to information relating to an identified or identifiable person from direct or indirect inference, when various data points are capable of identifying a person, any data being combined with personal data, in turn, becomes personal data.
Practical examples
Section 171 and 172 of the European Data Protection Board (EDPB) Guidelines on processing personal data in the context of connected vehicles and mobility related applications, states that when a person’s smartphone is paired with the dashboard of a rental car while using Bluetooth or USB connections, a variety of data is processed by the rental car. These might include phone identifiers, voice and data communications, contact lists, web browsing data, personal contacts, schedules, choice of music, radio and other streamed audio or video content, which all reveal personal information. As such, they help draw a precise profile of the data subject. Since IMEIs are being used to lock devices to carriers, blacklist lost or stolen phones, track the location of a smartphone, it is obvious why the IMEI number of a device should be considered as personal data after its purchase and subsequent activation. In addition, Law enforcement agencies routinely use IMEI numbers to track down criminals as well as for other forensic purposes. The use of IMEI numbers to track individuals makes a good case for why the IMEI number is personal data as soon as it becomes associated with a person by purchase, activation or however else.
This conclusion also applies to all other hardware identifiers which are unique to the device and through which the device or its user may be traced.
What can I do if I process IMEI numbers in the course of my business operations?
When considering whether your business processes personal data in the form of hardware identifiers, a number of factors are to be taken into account such as whether these identifiers become linked to a person through the purchase of a device, its activation or use. If you are unsure whether such identifiers constitute personal data, request a more detailed assessment from TechGDPR and its experienced consultants who will take your unique business operations into consideration and tailoring your compliance solutions.