The 25th May 2018 has arrived and you as a data subject have been empowered with Europe's most ambitious and forward-thinking data protection regulation to date, the GDPR. As the ultimate steward of your personal data, you now have control over its use in most scenarios making data privacy a fundamental right. But what about instances where your personal data is available publicly? Is personal data fair game, once it is in the public domain?
What is the Public Domain?
The term public domain is generally thought to be anything which can be found on the internet or in media, which has no specific cost to access. Take for example a telephone number in a telephone directory, an email address on a LinkedIn profile or a name published in a newspaper article.
Colloquially this is not incorrect, however the term originates from intellectual property such as designs, music and other media. Where any of these found in the public domain are no longer considered to be owned and therefore free to use. A good example of this is the music compositions of Mozart, which is now in the public domain and free to use due to its age.
Confusion comes in applying this to personal data, where there is sometimes an assumption that personal data in the public domain also inherits this free-to-use characteristic. This of course is incorrect.
The GDPR and the Public Domain
Personal data in the public domain is not a fair game, in fact there is nothing contained within the articles of the GDPR which references the public domain as a factor. It simply requires all processing of personal data to be lawful, which can be achieved by demonstrating one of six lawful purposes:
- The processing of personal data is for legitimate interests pursued by the data controller.
- Processing has been consented to by the data subject.
- Processing is of vital interests to the data subject.
- Processing is in the interest of the public.
- Processing is required for the performance of a contract.
- Processing is required to comply with a legal obligation.
To compare this with the publication of a name and photograph in a newspaper covering a court case, the newspaper may have discovered the the name via public court records and sourced a photograph from the data subjects social media account. Both could be justified printing them would be in the public's interest.
Scraping websites such as LinkedIn for contact information or using a public directory of contacts is not necessarily illegal, it just requires that you as the data controller meet one of the legal purposes for processing.
[You may also like "How will GDPR affect how we use LinkedIn?"]
Processing is a Means to an End
To use an old cliche... at the end of the day, collecting personal data from a public location is likely to be for a purpose. Most likely in the case of collecting contact information, it will be for marketing purposes. Data controllers might be able to justify collecting said personal information but can they actually use it?
Enter the PECR, a regulation which since 2003 has governed electronic communications. A regulation which is arguably being made more famous as a consequence of the GDPR than it has ever achieved on its own. With a less generalised focus than the GDPR, the PECR restricts electronic communication to a number of scenarios such as:
- The data subject is not on a telephone preference or email opt-out list, depending on your method of communication.
- You have explicit permission to communicate with a data subject.
- You have an existing business relationship with the data subject, this could be an engagement of your services or a negotiation previously. This is known as the soft opt-in and only applies to certain types of data subjects.
[You may also like "Exercising Your Legitimate Interests with the GDPR"]
All Personal Data is Equal
Fundamentally, the term public domain has no relevance in data protection regulations. All personal data is equal in the sense that it can only legally be processed if processing meets one of six purposes.
This doesn't stop you from using personal data which you have gathered from public sources, but you may come unstuck when it comes to the true purpose of collecting that personal data, to use it and communicate. Without the ability to use it, publicly collected personal data is no more useful than any other type.