Author: Domingos Farinho
(1) ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
I. Overview
The concept of ‘personal data’ is the key concept of the GDPR. It directly or indirectly unlocks the deontic meaning of its normative provisions and is an essential component of most of the definitions presented in the remainder of Art. 4, especially ‘data subject’, ‘processing’ and ‘controller’. The legal definition of ‘personal data’ frames the interpretation of the subject matter of the GDPR as well as of its material and territorial scope. It also connects the GDPR with relevant norms in other legal texts, especially the EU Member States’ constitutions and the EU CFR, giving consistency to EU data protection law. Both Art. 16 TFEU and Art. 8 EU CFR use the concept of personal data to enshrine protection for data subjects and, while neither text defines it, it should be understood as referring to the same concept adopted in the GDPR and previously by the DPD.[1] Thus, the EU CFR and the GDPR are aligned: the personal data which the GDPR protects and regulates are also the object of a fundamental right under the EU CFR. In addition, Art. 7 and Art. 8 EU CFR establish a dialogue, through the jurisprudence of the CJEU and the ECtHR, with Art. 8 ECHR.[2] The definition of personal data thus emerges embedded within a fundamental rights framework which sets out to protect natural persons insofar as data identify them and the disclosure and/or misuse of such data may harm their interests and hinder their freedoms. The definition aims at determining how data may relate to a person in such a way that identification is possible and may pose a threat to the exercise of that person’s other fundamental rights. Although closely related to the right to privacy (see Art. 7 EU CFR), the definition of personal data goes beyond privacy[3] and relates to other fundamental rights and freedoms, such as the freedom of expression, the freedom of thought, the freedom to conduct a business and others.
The normative structure of the GDPR rests on the definition of personal data, which gives meaning and coherence to processing activities and their lawfulness, to the rights of the data subject and the obligations of controllers, processors and recipients, as well as to the rules on international transfers and the provisions relating to specific processing situations foreseen in Chapter IX. This positive delimitation is accompanied by a negative one, inasmuch as it leaves outside the scope of the GDPR all non-personal data, whatever legal regime they may be subject to.[4] Anonymous data, although they may pertain to natural persons, do not relate, in the sense of the GDPR, to a specific natural person, since they do not fulfil all the constituent elements of the definition, and thus cannot be considered personal data.
The CJEU interprets the concept of personal data broadly within the context of EU law so as to ensure the widest possible protection for the data subject.[5] This was intended by the European lawmaker, by both the Comm and the EP, in the early drafts of the DPD[6] and has not changed under the GDPR.[7] The position of the Art. 29 WP has reinforced this interpretation.[8] This broad approach is justified by Art. 1 para. 1 and para. 2, concerning the subject matter and the objectives of the GDPR. A broad definition of personal data reduces disputes on whether certain data are personal and fall under the protection of the EU CFR and the GDPR; it places the legal discussion already within that protection, as an ancillary mechanism for the exercise of fundamental rights.[9] It is, however, disputed whether excessive broadening of the concept of personal data may render it ineffective.[10] A broad interpretation seems preferable[11] as it fosters balancing between personal data protection and the protection of other fundamental rights and interests when a processing operation is concerned,[12] but only after the status of the information as personal data has already been determined, thus offering enhanced fundamental rights protection. There is no balancing operation prior to the classification of information as personal data in order to determine its status.[13] This is especially salient in the balancing operation required by Art. 6 para. 1 lit. f (→ Art. 6 mn. 69), which takes place after personal data have already been ascertained and there is a case for balancing their protection against the legitimate interests of the controller or a third party.
II. Legislative History
1. International instruments
The definition of personal data in the GDPR reflects prior definitions set out in several texts that influenced the DPD and still influence the GDPR. Convention 108, referred to in recital 11 of the DPD and recital 105 of the GDPR, was the first international instrument to set forth a definition of personal data. Its Art. 2 lit. a defines personal data as “any information relating to an identified or identifiable individual”. This definition went on to be used by other relevant international instruments that define personal data, most notably the OECD Guidelines 1980, which use an identical definition under para. 1 lit. b. The Guidelines were adopted in the same month as Convention 108. The Asia-Pacific Economic Cooperation (APEC) Privacy Framework adopts a similar definition under para. 9, as does the African Union Convention on Cyber Security and Personal Data Protection under Art. 1.[14]
The requirement of identification through information is developed in the explanatory reports to the original Convention 108 and to its 2018 modernised version (Convention 108+). The Explanatory Report to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data states that “‘Identifiable persons’ means a person who can be easily identified: it does not cover identification of persons by means of very sophisticated methods”.[15] In the Explanatory Report to Convention 108+ the reference to identification through very sophisticated methods is replaced by identification that would “require unreasonable time, effort or resources”.[16] The Explanatory Report to Convention 108+ further adds that “The issue of what constitutes ‘unreasonable time, efforts or resources’ should be assessed on a case-by-case basis”.[17] Although the legal definition remained unchanged in Convention 108+, the explanation of how to interpret the notion of “identifiable” has been considerably developed,[18] taking into account i) the questions raised by the ability to technically “individualise” or single out a person (and thus to treat one person differently from others);[19] ii) the use of pseudonymous data and re-identification techniques;[20] and iii) identification by combination, where apparently anonymous data allow a person to be identified once combined under certain criteria.[21] These new concerns reflect the evolution of data processing techniques and the intention to keep a broad definition of personal data so that the protection of individuals’ fundamental rights keeps pace.[22] But they also entail that whether a natural person is identifiable rests on a risk analysis[23] of how otherwise anonymous information may cease to be so, come to relate to a specific individual when certain techniques are applied[24] and thus become personal data.[25]
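The three concerns listed above (singling out, re-identification of pseudonymous data, and identification by combination) have a concrete technical counterpart which the following added example illustrates; it is not part of the commentary, and the two datasets in it are constructed for the purpose. A health extract has had names removed but keeps postcode, birth year and sex (so-called quasi-identifiers); a second, plausibly available list carries the same attributes together with names. The measure used, the size of the smallest group of records sharing one combination of quasi-identifiers (k-anonymity, a term from the computer-science literature and not from the explanatory reports), shows whether anyone can be singled out, and the join on those attributes shows how “anonymous” records acquire a name. The generalisation step at the end is one of the mitigations a controller could weigh in the case-by-case assessment of “unreasonable time, effort or resources” that the Explanatory Report to Convention 108+ calls for; a value of k above 1 does not by itself settle that legal question.

```python
"""Constructed illustration of singling out and identification by combination.

Added example; not code from the commentary. All records are invented.
"""
from collections import defaultdict

# Constructed "anonymised" health extract: direct identifiers removed, but the
# quasi-identifiers (postcode, birth_year, sex) remain alongside a sensitive field.
HEALTH_EXTRACT = [
    {"postcode": "1000-001", "birth_year": 1984, "sex": "F", "diagnosis": "asthma"},
    {"postcode": "1000-001", "birth_year": 1984, "sex": "F", "diagnosis": "diabetes"},
    {"postcode": "1000-002", "birth_year": 1991, "sex": "M", "diagnosis": "hypertension"},
    {"postcode": "1000-004", "birth_year": 1993, "sex": "M", "diagnosis": "asthma"},
    {"postcode": "1000-003", "birth_year": 1975, "sex": "M", "diagnosis": "depression"},
    {"postcode": "1000-003", "birth_year": 1975, "sex": "M", "diagnosis": "asthma"},
]

# Constructed auxiliary dataset a third party could plausibly hold (a membership
# list, an electoral roll extract, ...), with names attached.
AUXILIARY = [
    {"name": "Ana Silva", "postcode": "1000-001", "birth_year": 1984, "sex": "F"},
    {"name": "Rita Costa", "postcode": "1000-001", "birth_year": 1984, "sex": "F"},
    {"name": "Pedro Sousa", "postcode": "1000-002", "birth_year": 1991, "sex": "M"},
    {"name": "Tiago Ramos", "postcode": "1000-004", "birth_year": 1993, "sex": "M"},
    {"name": "Joao Pereira", "postcode": "1000-003", "birth_year": 1975, "sex": "M"},
    {"name": "Luis Martins", "postcode": "1000-003", "birth_year": 1975, "sex": "M"},
]

QUASI_IDS = ("postcode", "birth_year", "sex")


def qi_key(record, quasi_ids=QUASI_IDS):
    """The combination of quasi-identifier values that a record exposes."""
    return tuple(record[q] for q in quasi_ids)


def equivalence_classes(records, quasi_ids=QUASI_IDS):
    """Group records by their quasi-identifier combination."""
    groups = defaultdict(list)
    for r in records:
        groups[qi_key(r, quasi_ids)].append(r)
    return groups


def k_anonymity(records, quasi_ids=QUASI_IDS):
    """Size of the smallest equivalence class; k == 1 means someone can be singled out."""
    return min(len(g) for g in equivalence_classes(records, quasi_ids).values())


def singled_out(records, quasi_ids=QUASI_IDS):
    """Quasi-identifier combinations that match exactly one record (individualisation)."""
    return {k for k, g in equivalence_classes(records, quasi_ids).items() if len(g) == 1}


def link(anon, aux, quasi_ids=QUASI_IDS):
    """Identification by combination: join the anonymised extract with the auxiliary
    list on the quasi-identifiers. Only combinations unique in BOTH datasets give a
    confident name -> diagnosis mapping; ambiguous matches are deliberately dropped."""
    anon_groups = equivalence_classes(anon, quasi_ids)
    aux_groups = equivalence_classes(aux, quasi_ids)
    identified = {}
    for key, anon_rows in anon_groups.items():
        aux_rows = aux_groups.get(key, [])
        if len(anon_rows) == 1 and len(aux_rows) == 1:
            identified[aux_rows[0]["name"]] = anon_rows[0]["diagnosis"]
    return identified


def generalise(records):
    """One mitigation: coarsen the quasi-identifiers (postcode to its first four
    characters, birth year to the decade) so that classes grow and k rises."""
    out = []
    for r in records:
        g = dict(r)
        g["postcode"] = r["postcode"][:4]
        g["birth_year"] = (r["birth_year"] // 10) * 10
        out.append(g)
    return out


if __name__ == "__main__":
    print("k before generalisation:", k_anonymity(HEALTH_EXTRACT))
    print("singled out:", singled_out(HEALTH_EXTRACT))
    print("re-identified:", link(HEALTH_EXTRACT, AUXILIARY))
    coarse = generalise(HEALTH_EXTRACT)
    print("k after generalisation:", k_anonymity(coarse))
    print("re-identified after generalisation:", link(coarse, generalise(AUXILIARY)))
```

On the raw extract two records are unique on their quasi-identifiers and the join attaches a name and a diagnosis to each, i.e. the extract was personal data all along for anyone holding the auxiliary list. After generalisation every class has at least two members and the join no longer yields a confident match with this auxiliary list; a richer auxiliary source could still succeed, which is why the explanatory reports frame identifiability as a contextual risk assessment rather than a property of the dataset alone.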
[…]
[1]See Gellert/Gutwirth, ‘The legal construction of privacy and data protection’, Computer law & security review, 29 (2013), pp. 523 et seq.
[2]European Union Agency for Fundamental Rights/Council of Europe, ‘Handbook on European data protection law’, (2018), pp. 51 et seq.
[3]See Gellert/Gutwirth, ‘The legal construction’, p. 523; Kokott/Sobotta, ‘The distinction between privacy and data protection in the jurisprudence of the CJEU and the ECtHR’, IDPL, Vol. 3, No. 4, 2013, p. 222.
[4]In this regard, it is relevant to consider the Regulation (EU) 2018/1807 on a framework for the free flow of non-personal data in the European Union.
[5]CJEU C-434/16, 20.12.2017, Nowak, ECLI:EU:C:2017:994, para. 34.
[6]Cf. Art. 29 WP 136, p. 4.
[7]Cf. recitals 26-30.
[8]See Art. 29 WP, 136, p. 4; see also de Hert/Papakonstantinou, ‘The proposed data protection Regulation replacing Directive 95/46/EC: A sound system for the protection of individuals’, Computer law & security review, 28 (2012), p. 133.
[9]In this sense, cf. Art. 29 WP 199, p. 4.
[10]Bygrave/Tosoni, ‘Art. 4(1)’, in Kuner/Bygrave/Docksey, pp. 113-114; Purtova, ‘The law of everything. Broad concept of personal data and future of EU data protection law’, Law, Innovation and Technology, Vol. 10, No. 1 (2018), pp. 48 et seq.; Leiser/Dechesne, ‘Governing machine-learning models: challenging the personal data presumption’, International Data Privacy Law, Vol. 10, No. 3 (2020), pp. 187-200.
[11]For new challenges, however, see, Leiser/Dechesne, ‘Governing machine-learning models’, pp. 187-200.
[12]See recital 4.
[13]See Karg, ‘Art. 4(1)’, in Simitis/Hornung/Spiecker gen. Döhmann, pp. 285-286, mn. 14-18.
[14]This Convention is not yet in force.
[15]Explanatory Report to the Convention for the Protection of Individuals regarding Automatic Processing of Personal Data, para. 28.
[16]Explanatory Report to the Protocol amending the Convention for the Protection of Individuals regarding Automatic Processing of Personal Data, para. 17.
[17]Ibid., para. 17.
[18]As we shall see below, by influence of the Art. 29 WP.
[19]Explanatory Report to the Protocol amending the Convention for the Protection of Individuals regarding Automatic Processing of Personal Data, para. 18.
[20]Ibid., paras. 18-19.
[21]Ibid., para. 20.
[22]See also, in the same sense, the Explanatory Memorandum to the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, §41 on the definition of “personal data” and “data subject”.
[23]As clearly supported by recital 26.
[24]Finck/Pallas, ‘They who must not be identified—distinguishing personal from non-personal data under the GDPR’, IDPL, 10, 1 (2020), pp. 11 et seq.
[25]Ibid., pp. 13-14.