The definition of personal data

• Author: Michèle Finck
• Pages: 14-36

STOA | Panel for the Future of Science and Technology

14

3. The definition of personal data

The definition of personal data determines the GDPR's scope of application and is accordingly of

paramount importance. The Regulation only applies to data that is considered 'personal' in nature.

Notwithstanding, '[w]hat constitutes personal data is one of the central causes of doubt' in the

current data protection regime.85 The difficulty of determining what counts as personal data is

anchored in various factors. First, continuing technical developments make it ever easier to identify

individuals on the basis of data that may not be personal on its face. Second, the GDPR's broad

definition of personal data encompasses ever more data points. Third, much uncertainty pertains to

the notions of pseudonymisation and anonymisation in the GDPR; and finally, despite the GDPR's

harmonising aim considerable divergences remain in national law and policy that have added

confusion to this area of the law.

The Regulation adopts a binary perspective be tween personal data and non-personal data and

subjects only the former to its scope of application. 86 Pursuant to Recital 26 GDPR, the Regulation

indeed does not apply to anonymous data. In contrast with this binary legal perspective, reality

operates on a spectrum between data that is clearly personal, data that is clearly anonymous (an

uncontroversial example should be that of climatic data from outer space that does not reveal

information about those that collected it) and anything in between.87

Today, much economic value is derived from data that is not personal on its face but can be

rendered personal if sufficient effort is put in place. The current battlefield in defining personal data

relates to 'data which when collected and processed has the potential to have an impact on the

personal privacy of particular users, perhaps including their economic and emotional wellbeing,

from data which definitely does not have such potential. Data which originally related to a living

person but now claims to be 'anonymised' in some sense – perhaps merely by the substitutions of

an identifier for a name – can still be very useful for businesses and very intrusive to personal

privacy'.88 Beyond, there is an ongoing debate as to whether personal data can be manipulated to

become anonymous that is of much relevance in contexts where encryption and hashing are used,

as is the case for DLT.89 This section traces th e uncertain contours of personal and anonymous data

respectively to determine what data that is frequently used in relation to blockchains may qualify as

personal data.

Article 4(1) GDPR defines personal da ta as follows:

any information relating to an identified or identifiable natural person ('data

subject'); an identifiable natural person is one who can be identified, directly or

indirectly, in particular by reference to an identifier such as a name, an

identification number, location data, an online identifier or to one or more factors

85 Edwards L (2018), Law, Policy and the Internet, Oxford: Hart Publishing, 84.

86 Some might object that ‘pseudonymous data’ was introduced as third category by the GDPR. Below it will be seen that

pseudonymization is more adequately seen as a method of data processing rather than a separate category of data in EU

data protection law.

87 Note however, Purtova N (2018) ‘The law of everything. Broad concept of personal data an d future of EU data protection

law’ 10 Law, Innovation and Technology 40.

88 Edwards L (2018), Law, Policy and the Internet, Oxford: Hart Publishing, 85

89 See further Finck M and Pallas F, ‘Anonymisation Techniques and the GDPR’ (draft on file with author).

Blockchain and the General Data Protection Regulation

15

specific to the physical, physiological, genetic, mental, economic, cultural or

social identity of that natural person 90

Article 4 (1) GDPR underlines that personal data is data that directly or indirectly relates to an

identified or identifiable natural person. The reference to an 'identifiable' person underlines that

the data subject does not need to be already identified for data to qualify as personal data. The mere

possibility of identification is sufficient.91 The Article 29 Working Party has issued guidance on how

the four constituent elements of the test in Article 4 (1) GDPR – 'any information', 'relating to', 'an

identified or identifiable' and 'natural person' – ought to be interpreted.92

Information is to be construed broadly, and includes both objective information (such as a name

or the presence of a given substance in one's blood) but also subjective analysis such as informati on,

opinions and assessments. 93 Note, however, that the ECJ has clarified in the meantime that whereas

information contained in the application for a residence permit and data contained in legal analysis

qualify as personal data, related legal analysis does not. 94 Information qualified as personal data can

include information that is unrelated to one's private life, underlining the distinction between the

concepts of data protection and privacy. 95 Personal data can also take any form, whether it is

alphabetical or numerical data, videos and pictures.96 The Court has indeed confirmed that 'the

image of a person recorded by a camera' constitutes personal data.97

Second, data can be considered to be 'relating to' a data subject 'when it is about that individual'.98

This obviously includes information that is in an individual's file but can also include vehicle data

that reveals information about a given data subject such as a driver or passenger.99 An individual is

considered to be 'identified' or 'identifiable' where it can be 'distinguished' from others.100 This does

not require that the individual's name can be found. According to the Court, identifying individuals

'by name or by other means, for instance by giving their telephone number or information regarding

their working conditions, and hobbies, constitutes the processing of personal data'.101 Personal data

is accordingly 'information, by reason of its content, purpose or effect, is linked to a particular

person'.102

Personal data relates to an identified or identifiable natural person. Where data obviously relates

to a natural person, as is the case regarding the data subject's full name, the conclusion that such

data is personal data appears uncontroversial.103 Article 4(1) GDPR however also provides the

examples of location data or an identifier, as personal data. This underlines that data, such as health

90 Article 4(1) GDPR (my own emphasis).

91 Below, the required standard of identifiability is examined in detail.

92 Article 29 Working Party, Opinion 04/2007 on the concept of personal dat a (WP 136) 01248/07/EN, 6.

93 Ibid.

94 Joined Cases C-141/12 and C-372/12 YS v M inister voor Immigratie [2014] EU:C:2014:2081.

95 Article 29 Working Party, Opinion 04/2007 on the concept of personal dat a (WP 136) 01248/07/EN, 7.

96 Ibid.

97 Case C-345/17, Sergejs Buivids EU:C:2019:122, para 31.

98 Article 29 Working Party, Opinion 04/2007 on the concep t of personal data (WP 136) 012 48/07/EN, 9 (emphasis in

original).

99 Article 29 Working Party, Opinion 04/2007 on the concept of personal dat a (WP 136) 01248/07/EN, 10.

100 Ibid, 12.

101 Ibid, 14 and Case C-101/01 Bodil Lindqvis t [2003] EU:C:2003:596, para 27.

102 Case C-434/16 Nowak [2017] EU:C: 2017:994, para 35.

103 In Bodil Lindqvist, the Court held that the term personal data ‘undoubtedly covers the name of a person in conjunction

with his telephone coordinates or information about his working conditions or hobbies’. Case C-101/01 Bodil Lindqvist

[2003] EU:C:2003:596, para 24.