Machine Data, Personal Data, Sensitive Data and Artificial Intelligence. the Interplay of Privacy Enhancing Technologies with the GDPR

11 Pages Posted: 31 Jan 2023

See all articles by Arnold J. F. Lukas, LL.M.

Arnold J. F. Lukas, LL.M.

Arnold Lukas Rechtsanwalts-GmbH ; Johannes Gutenberg University Mainz; Deutsche Bank AG

Date Written: January 29, 2023


For Germany as a leading industrial nation, machine-generated data, for example in the environment of Industry 4.0, are of particular importance. However, it is very easy to refrence many machine data back to a natural person by linking them with other data, which means that they fall under the General Data Protection Regulation and their processing requires a legal basis according to Art. 6 GDPR.i Using Big Data and Artificial Intelligence (AI), information can often be derived from personal data that constitutes sensitive data within the meaning of Art. 9 GDPR - for which Art. 9(1) GDPR initially postulates a general ban on processing.ii Hardly any industrial control system still operates without artificial intelligence (AI), at least in the broad definition of the draft EU AI Regulation (EU AI Regulation-E).

In industrial practice and in the broader context of Internet of Things applications this means: The initially pure machine data of networked production facilities become personal data when combined with the working hours of the employees labouring in production. If information from personnel data systems is then added, e.g., about absences due to illness, this health data falls within the scope of Art. 9 GDPR. In addition, companies are increasingly processing their data via cloud computing, which raises further questions for the protection of outsourced data.

The ECJ has also recognized the problem and ruled in 2022 that the scope of application of Art. 9 GDPR is also opened if sensitive data can be indirectly inferred from initially only personal data.iv Examples from practice confirm that such inferred data can pose a real risk to the rights of data subjects: In the U.S., non-transparent AI-supported processing of special categories of personal data derived from facial images sometimes leads to innocent people being wrongly suspected of a crime.v Facebook uses AI to infer people's political or sexual orientation from facial The danger that can evolve from such derivatives of normal data is obvious, even and especially if these AI-generated conclusions are "false positives," i.e., mere numerical correlations with no causal relationship to reality.

In view of the broad scope of application of Art. 9 GDPR, the question arises: How can data then still be legally processed? This must still be possible, because the free movement of data in the EU is just as much the normative purpose of the GDPR as the protection of personal data.

Keywords: GDPR, privacy, data protection, IT, artificial intelligence, data

Suggested Citation

Lukas, Arnold J. F., Machine Data, Personal Data, Sensitive Data and Artificial Intelligence. the Interplay of Privacy Enhancing Technologies with the GDPR (January 29, 2023). Available at SSRN: or

Arnold J. F. Lukas (Contact Author)

Arnold Lukas Rechtsanwalts-GmbH ( email )

Johann-Sebastian-Bach-Str. 45
Wiesbaden, 65193
+4916095064978 (Phone)

Johannes Gutenberg University Mainz ( email )

Saarstr. 21
Jakob Welder-Weg 4
Mainz, 55122

Deutsche Bank AG ( email )


Do you have a job opening that you would like to promote on SSRN?

Paper statistics

Abstract Views
PlumX Metrics