The adoption of the term personal data in the law of 6 January 1978 overturned the regulatory system due to an ambiguity in practice limiting the scope of the law in question.
Changing terms does not imply changing the meaning of the concept, but rather avoiding possible confusion.
However, these terms appear to refer to the same fact as evidenced by the Council of Europe Convention of 28 January 1981 or the 1995 Directive superimposing the two concepts.
In this context, how should the link between data and identity be evaluated?
Regarding the name, phone number or address, this is determined without difficulty. However, the answer is not easy for the NIR number (social security number) or driver's license number.
The assessment that needs to be made regarding the link between identity and data is marked by strong differences in interpretation expressed by the CNIL, the Council of State, the Court of Cassation and the Court of Justice of the European Union.
The opacity of the original text of Article 4 of the 1978 law on this concept of personal data was clarified by the 2004 amendment taking into account personal data.
In this way, data related to identity, image, sound, health and even the human genome are also included in the scope of these personal data, which is processed in line with the concept of privacy.
The location of the various institutions mentioned above appears to be regulated in practice. But the situation is more complex with data that only allows indirectly to identify a person.
The IP address exception is the best example of this. Recognition as personal data by Cnil and the Council of State does not require the same treatment by the Supreme Court.
Second, he didn't decide directly on the question. But indirectly, he came to two decisions. One does not consider it as personal data, the other gives it this character.
Finally, the CJEU, in its decision of 29 January 2008, resolves the issue by accepting that the IP address does indeed implicitly constitute candidate or personal data within the meaning of the 1995 directive.
The draft European directives and regulations on the use of personal data submitted on 25 January 2012 have a dual purpose.
First of all, it is necessary to take into account that the social, economic and technological environment has changed considerably since the last directive on the subject was published in 1995.
There is the explosion of the Internet, the proliferation of smartphones, the use of geolocation, the trivialization of biometrics, and the diversification of video surveillance, information accumulation, consumption patterns that seriously jeopardize the protection of Internet users.
After these developments, there have been digital developments regarding personal data, thanks to companies such as Google, Twitter and Facebook creating their economic models.
It was on the agenda to introduce a regulatory framework adapted to commercial activities. This initiative has been praised by the European Data Protection Supervisors.
The draft directive aims to define the legal framework for the protection of personal data processed for the purposes of judicial activities related to the prevention and detection of criminal offenses, investigation and prosecution.
The draft that will repeal the 1995 directive is put into regulation. It defines a uniform legal framework for the protection of personal data within the European Union. It aims to avoid transfers under different national laws.
According to the draft regulation, the data subject becomes someone who can also be identified using geographic data or a login ID.
This innovation brings IP address, GPS coordinates and MAC address into the privacy domain, among others.
Adopting these two issues will create strong obligations, strengthen others, and also facilitate the trade of personal data. Thus, new rules of the game will be introduced for companies.
In order to collect personal data, clear and unequivocal consent of individuals should be obtained, it should be explained for how long and for what purposes this data will be stored, and the right to be forgotten should be guaranteed.
In this new context, it is recommended that communication professionals publishing websites employ managers responsible for compliance with the data protection in question.
In fact, the risks of abuse are many: fraudulent interception of data, reckless use of social tools, abuse by certain Web companies, etc.
The most proven example concerns Facebook, which invites its users to sacrifice their privacy in favor of the social community.
Google has also been the subject of much controversy: Under the pretext of photographing streets for its street view service, their cars were collecting private information about local residents via unsecured Wi-Fi networks.