Author: Niko Tsakalakis
Member States may further determine the specific conditions for the processing of a national identification number or any other identifier of general application. In that case the national identification number or any other identifier of general application shall be used only under appropriate safeguards for the rights and freedoms of the data subject pursuant to this Regulation.
A. General remarks
I. Purpose
Art. 87 deals with the processing of National Identification Numbers (NINs) and other identifiers of general application. It is placed in Chapter IX, which comprises provisions relating to specific processing situations. Identification numbers are personal data as per Art. 4 para. 1. Other identifiers are equated to identification numbers when they enjoy ‘general application’. Hence, identifiers of general application are also considered as personal data. NINs and other identifiers of general application remain under the competence of Member States.[1] Art. 87 does not attempt to regulate the introduction or use of national general identifiers but rather to establish a minimum level of protection for their processing. It grants Member States the discretion to determine specific conditions for the deployment of such identifiers. However, such processing shall be compatible with the obligations imposed by the GDPR.
II. Legislative history
Processing of identifiers of general application was previously regulated under Art. 8 para. 7 of the DPD. Art. 8 was concerned with ‘special categories of data’. However, Art. 8 para. 7 did not expressly qualify NINs as sensitive data, although NINs might raise similar concerns as data “capable by their nature of infringing fundamental freedoms or privacy”[2] to warrant additional protection.[3] During the trialogue negotiations, some Member States supported the inclusion of NINs under the remit of Art. 9 para. 1.[4] Early drafts of Art. 87 resembled more the wording of the DPD.[5] The word ‘further’ was added after scrutiny from Member States[6] to clarify that the GDPR should be conceived as a common baseline.
B. Material scope
I. National Identification Numbers and identifiers of general application
Art. 87 comprises in its scope two types of identifiers: NINs, which are designed as single unique global identifiers[7] used in several layers of the public sector; and identifiers of general application that in practice function as NINs.
NINs are identifiers assigned to physical persons, according to the rules of each Member State. NINs uniquely identify persons across public administration. The format of NINs varies across Member States.[8] The CJEU has yet to opine on the nature of NINs. However, in Rīgas satiksme, the CJEU confirmed that ID numbers, which are used by some Member States as a form of NINs, are personal data.[9]
Other identifiers designed for unique identification can serve as a de facto NIN through extensive reuse (‘functionality creep’).[10] Art. 87 includes in its scope other identifiers of general application. ‘General application’ is not qualified. However, identifiers used in practice across sectors should enjoy the same treatment as NINs. Examples of de facto general identifiers can be found in Regulation No 910/2014[11] and Regulation 2015/847.[12]
[…]
[1]Art. 4 para. 2 TEU; Arts. 74 and 77 para. 3 TFEU. See also Judgement of 12 May 2011, Malgožata Runevič-Vardyn and Łukasz Paweł Wardyn v Vilniaus miesto savivaldybės administracija and Others C-391/09, EU:C:2011:291 paras. 83–87.
[2]DPD, recital 33. Cf. Ref. Ares (2011) 444105, Advice Paper on special categories of data (“sensitive data”), adopted on 20 May 2011, 6; WP 136, Opinion 4/2007 on the concept of personal data, adopted on 20 June 2007, p. 15.
[3]FIDIS, D13.3: Study on ID number policies, 2007 (29); Vandezande, ‘Identification numbers as pseudonyms in the EU public sector’ (2011) 2 European Journal of Law and Technology, 1 (4).
[4]Council-R.
[5]“Member States may determine the specific conditions”: Comm-P, Art. 80b; Council-R, Art. 80b.
[6]Council, ‘Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals regarding the processing of personal data and on the free movement of such data (General Data Protection Regulation) – Preparation for trilogue – whole Regulation’ 27 November 2015, Art. 80b: https://data.consilium.europa.eu/doc/document/ST-14481-2015-INIT/en/pdf.
[7]FIDIS, D13.3: Study on ID number policies, 2007 (23).
[8]See FIDIS, D13.3: Study on ID number policies, 2007 (101); Study prepared by the Committee of experts on data protection (CJ-PD) under the authority of the European Committee on Legal Co-operation (CDCJ), The introduction and use of personal identification numbers: the data protection issues (Strasbourg, 1991), p. 7.
[9]Judgement of 4 May 2017 in Valsts policijas Rīgas reģiona pārvaldes Kārtības policijas pārvalde v Rīgas pašvaldības SIA ‘Rīgas satiksme’ C-13/16, EU:C:2017:43 para. 24; Opinion of Advocate General Bobek on 26 January 2017 in Valsts policijas Rīgas reģiona pārvaldes Kārtības policijas pārvalde v Rīgas pašvaldības SIA ‘Rīgas satiksme’ C-13/16, EU:C:2017:43 at paras. 27 and 88: “Member States shall not therefore be obliged to process identification numbers, unless it is absolutely necessary for bringing civil proceedings”.
[10] Vandezande, ‘Identification numbers as pseudonyms in the EU public sector’ (2011) 2 European Journal of Law and Technology, 1 (5).
[11]See Implementing Regulation (EU) 2015/1501 ANNEX 1 lit. d.
[12]Regulation (EU) 2015/847 Art. 4 para. 1 lit c. See also Opinion of the European Data Protection Supervisor on a proposal for a Directive of the European Parliament and of the Council on the prevention of the use of the financial system for the purpose of money laundering and terrorist financing, and a proposal for a Regulation of the European Parliament and of the Council on information on the payer accompanying transfers of funds [2013] OJ C32/06 para. 43.