The document outlines the evolution of data protection (DP) legislation in Europe from the 1970s to the implementation of the EU GDPR in 2016, highlighting key resolutions, conventions, and directives that shape current laws. It discusses the treatment of data relating to both living and deceased individuals, including the limitations on the protection of legal persons and the potential future trends in indirect inclusion of deceased person data. The conclusion suggests a need for a balanced approach to data protection that considers the interests of deceased individuals while remaining mindful of societal rights.

1. Dr David Erdos
Trinity Hall
University of Cambridge

2. EEA, UK & Swiss DP: General Development
 1970s: CoE Resolutions
 7 States adopt DP law
 1980s & 90s: DP Convention 108 & Recommendations
 5 more by 1990 incl UK & 8 more pre-1995 incl Switzerland
 1995 onwards: EU Directive 95/46 & A29 WP Opinions
 All EEA States adopt DP law
 2016: EU GDPR 2016/679 (& DP Convention 108+)
 All EEA States bar Slovenia have updated law

3. Pan-European DP: Legal Persons
 1970s & 1980s: DP Resolutions & Convention 108
 Core Scope: “Individuals” (“physical persons”)
 Conv. 108 Optional Scope: Legal persons etc. (art. 3(2)(b))
 1995 onwards: EU Directive 95/46
 Core Scope: “Natural persons”/“Individuals”
 Recital 24: “protection of legal persons … not affected”
 2016: EU GDPR 2016/679 (& DP Convention 108+)
 Core Scope: “Natural Persons”
 GDPR Recital: Not cover personal data concerning legal persons
 Convention 108+: removes optional scope extension

4. National DP: Legal Persons
 1970s: DP Resolution-era (n=7)
 No= 3; Partial=1; Yes = 3
 1980-1995: CoE Convention 108-era (n=20)
 No=14; Partial=1; Yes=5
 1995 onwards: EU Directive 95/46 (n=32)
 No =2325; Unclear=1; Partial=1; Yes=5 3
 2016: EU GDPR 2016/679 (& DP Convention 108+) (n=32)
 No=31; Yes=1

5. Pan-European DP: Deceased Persons
 1970s & 1980s: DP Resolutions & Convention 108
 Core Scope: “Individuals” (“physical persons”)
 108 Explanatory: Health data could be re: “deceased”
 1995 onwards: EU Directive 95/46
 Core Scope: “Natural persons”/“Individuals”.
 2016: EU GDPR 2016/679 (& DP Convention 108+)
 Core Scope: “Natural Persons”
 GDPR Recital: “does not apply personal data of deceased persons”;
“should not apply to deceased persons”.
 108+ Explanatory: “not meant to apply to personal data relating to
deceased persons”

6. National DP: Deceased Persons
 1970s: DP Resolution-era (Total=7)
 Unclear: 7
 1980-1995: CoE Convention 108-era (Total=20)
 No=2; Unclear=1413; Partial=12; Yes(?)=2
 1995 onwards: EU Directive-era (Total=32)
 No=45; Unclear=19 18; Partial=8; Yes=1
 2016: EU GDPR-era (Total=32)
 No=21; Partial=11

7. Indirect Inclusion: Overview
 Personal Information (1981 Convention)
 C-131/14 Breyer (2016) on “identifiability”:
 C-434/16 Nowak (2017) on “relating to”:
any information relating to an identified or identifiable
individual/natural person
“satisfied where the information, by reason of its content, purpose or
effect is linked to a particular person.”
r2hox (Flickr
Any information unless “the risk of identification” of a natural person
by any person “appears in reality insignificant”.

8. Indirect Inclusion: Legal Person Data
 1970s: Discussed during draft of CoE Resolution (73) 22.
 1990: Coverage in CoE Payments Recommendation report:
 1990s & 2000s: Fairly stable including in A29 WP Op. 4/2007.
 2010: CJEU Schecke appear to restrict approach.
 2016: Further restriction in GDPR, Recital 14.
“In those countries where legal persons are expressly excluded from the ambit of
national data protection legislation, specific care should be taken in regard to
those situations in which small traders, one-man companies, etc. are the
recipients of a funds transfer operation … may not be easy to distinguish between
personal data relating to individuals and data relating to corporate bodies.”

9. Indirect Inclusion of Legals: Schecke & GDPR
 Schecke
 Facts: Claim to DP re: agricultural payments to sole traders &
incorporated persons (i.e. legal persons stricto senso)
 Held: Incorporated persons only within scope where “the
official title identifies one or more natural persons” (& even
then disproportionate to check).
 GDPR
 Recital 14 goes even further stating that:
“This Regulation does not cover the processing of personal data
which concerns legal persons … including the name and the form of
the legal person and the contact details of the legal persons.”

10. Indirect Inclusion: Deceased Person Data
 Early 1990s: Discussions about voluntary “implicit” protection
“in the interests of … relatives”.
 1997 Recommendation: Medical data included “genetic data”
shared by two individuals.
 A29 WP Opinion 4/2007: Linked genetic data to this principle:
 A29 WP Opinion 3/2013 expansively interpreted:
“[W]here the information which is data on the dead can be considered to relate
at the same time also to the living … the personal data of the deceased may
indirectly enjoy the protection of data protection rules.”
“[I]nformation that a deceased individual had been a secret agent or
collaborator of an oppressive regime, a paedophile, perpetrator of crimes,
suffered from a mental illness giving rise to a stigma, or suffered from a
hereditary disease may also have a negative impact on the family (e.g. surviving
spouse, children, or other descendants) of the deceased individual.”

11. Indirect Inclusion of Deceased Data & GDPR
 Recital 27:
 Recital 158 (public interest archiving):
“This Regulation does not apply to the personal data of deceased
persons. Member States may provide for rules…”
“this Regulation should not apply to deceased persons … Member States
should also be authorised to provide for further processing of personal
data for archiving purposes, for example with a view to providing specific
information related to … crimes against humanity, in particular the
Holocaust. ”

12. Conclusions and Future Trends
 Whilst DP role vis-à-vis legal persons is now limited &
residual, it has a growing future re: deceased person data.
 Expansive approach to indirect inclusion may further
destabilize personal data concept.
 Almost half EEA population now covered by some explicit
direct protection here.
 So may be desirable to try & craft a ‘soft’ recommendation
here building on principles in national law & scholarship:
 Role for specific DP ‘control’ rights & diffuse confidentiality.
 Protection time-limited & less for ‘control’ rights.
 Even confidentiality case quite weak after living memory period.
 Balance with important societal rights & interests most difficult.
 But clear that weight of protection here reduces over time.