They Who Must Not Be Identified - Distinguishing Personal from Non-Personal Data Under the GDPR

Forthcoming, International Data Privacy Law, 2020

Max Planck Institute for Innovation & Competition Research Paper No. 19-14

48 Pages Posted: 11 Oct 2019 Last revised: 30 Jan 2020

See all articles by Michèle Finck

Michèle Finck

Eberhard-Karls University Tübingen

Frank Pallas

TU Berlin - Information Systems Engineering

Date Written: October 1, 2019

Abstract

In this article, we examine the concept of non-personal data from a law and computer science perspective. The delineation between personal data and non-personal data is of paramount importance to determine the GDPR’s scope of application. This exercise is, however, fraught with difficulty, also when it comes to de-personalised data – that is to say data that once was personal data but has been manipulated with the goal of turning it into anonymous data. This article charts that the legal definition of anonymous data is subject to uncertainty. Indeed, the definitions adopted in the GDPR, by the Article 29 Working Party and by national supervisory authorities diverge significantly. Whereas the GDPR admits that there can be a remaining risk of identification even in relation to anonymous data, others have insisted that no such risk is acceptable. A review of the technical underpinnings of anonymisation that is subsequently applied to two concrete case studies involving personal data used on blockchains, we conclude that there always remains a residual risk when anonymisation is used. The concluding section links this conclusion more generally to the notion of risk in the GDPR.

Keywords: anonymisation, de-personalisation, GDPR, risk

Suggested Citation

Finck, Michèle and Pallas, Frank, They Who Must Not Be Identified - Distinguishing Personal from Non-Personal Data Under the GDPR (October 1, 2019). Forthcoming, International Data Privacy Law, 2020, Max Planck Institute for Innovation & Competition Research Paper No. 19-14, Available at SSRN: https://ssrn.com/abstract=3462948 or http://dx.doi.org/10.2139/ssrn.3462948

Michèle Finck (Contact Author)

Eberhard-Karls University Tübingen ( email )

Tübingen
Germany

Frank Pallas

TU Berlin - Information Systems Engineering ( email )

Einsteinufer 17
EN 14
Berlin, DE 10587
Germany
+49 30 314 73285 (Phone)
+49 30 314 22357 (Fax)

HOME PAGE: http://www.ise.tu-berlin.de/menue/team/frank_pallas_dr-ing/

Do you have negative results from your research you’d like to share?

Paper statistics

Downloads
1,338
Abstract Views
4,995
Rank
27,623
PlumX Metrics