When is personal data “about” or “relating to” an individual? A comparison of Australian, Canadian, and EU data protection and privacy laws

The definition of “personal information” or “personal data” is foundational to the application of data protection laws. One aspect of these definitions is that the information must be linked to an identifiable individual, which is incorporated in the requirement that the information must be “about” or “relating to” an individual. This article examines this requirement in light of recent judicial and legislative developments in Australia, Canada and the European Union. In particular, it contrasts the decisions rendered by the Federal Court of Australia in Privacy Commissioner v Telstra Corporation Ltd and by the European Court of Justice decisions in Scarlet Extended and Patrick Breyer v Bundesrepublik Deutschland as well as the new General Data Protection Regulation with Canadian law. This article also compares how the three jurisdictions deal with the vexed issue of IP addresses as personal information where the connection between the IP address and a particular individual often raises particular problems.