When is personal data not “personal data” - The impact of Durant v. FSA

The Data Protection Act 1998 (the “Act”), which implements the EU Data Protection Directive (95/46/EC), applies to personal data and governs the activities of data controllers and data processors in relation to such data. In Michael John Durant v. Financial Services Authority (2003), the scope of the Act was restricted. In particular, key provisions, including “personal data” and “relevant filing system”, became the subject of narrow judicial interpretation when the Court of Appeal sought to limit the “unjustifiable burden and expense” imposed on data controllers in complying with the Act. Although questioned by commentators and subject to investigation by the European Commission, the significant shift in approach initiated by Durant has been endorsed in two subsequent cases: (1) David Paul Johnson v. The Medical Defence Union (2004) and (2) Terence William Smith v. Lloyds TSB Bank Plc (2005). This article considers the main principles of the Act, how the Information Commissioner, the courts and the European Commission have responded to Durant and what happens next.