They Who Must Not Be Identified - Distinguishing Personal from Non-Personal Data Under the GDPR

48 Pages Posted: 11 Oct 2019

See all articles by Michèle Finck

Michèle Finck

Max Planck Institute for Innovation and Competition; University of Oxford

Frank Pallas

TU Berlin - Information Systems Engineering

Date Written: October 1, 2019

Abstract

In this article, we examine the concept of non-personal data from a law and computer science perspective. The delineation between personal data and non-personal data is of paramount importance to determine the GDPR’s scope of application. This exercise is, however, fraught with difficulty, also when it comes to de-personalised data – that is to say data that once was personal data but has been manipulated with the goal of turning it into anonymous data. This article charts that the legal definition of anonymous data is subject to uncertainty. Indeed, the definitions adopted in the GDPR, by the Article 29 Working Party and by national supervisory authorities diverge significantly. Whereas the GDPR admits that there can be a remaining risk of identification even in relation to anonymous data, others have insisted that no such risk is acceptable. A review of the technical underpinnings of anonymisation that is subsequently applied to two concrete case studies involving personal data used on blockchains, we conclude that there always remains a residual risk when anonymisation is used. The concluding section links this conclusion more generally to the notion of risk in the GDPR.

Keywords: anonymisation, de-personalisation, GDPR, risk

Suggested Citation

Finck, Michèle and Pallas, Frank, They Who Must Not Be Identified - Distinguishing Personal from Non-Personal Data Under the GDPR (October 1, 2019). Max Planck Institute for Innovation & Competition Research Paper No. 19-14. Available at SSRN: https://ssrn.com/abstract=3462948 or http://dx.doi.org/10.2139/ssrn.3462948

Michèle Finck (Contact Author)

Max Planck Institute for Innovation and Competition ( email )

Marstallplatz 1
Munich, Bayern 80539
Germany

University of Oxford ( email )

Mansfield Road
Oxford, Oxfordshire OX1 4AU
United Kingdom

Frank Pallas

TU Berlin - Information Systems Engineering ( email )

Einsteinufer 17
EN 14
Berlin, DE 10587
Germany
+49 30 314 73285 (Phone)
+49 30 314 22357 (Fax)

HOME PAGE: http://www.ise.tu-berlin.de/menue/team/frank_pallas_dr-ing/

Register to save articles to
your library

Register

Paper statistics

Downloads
194
Abstract Views
995
rank
159,667
PlumX Metrics