Clarifying 'Personal Data' and the Role of Anonymisation in Data Protection Law: Including and Excluding Data from the Scope of the GDPR (More Clearly) Through Refining the Concept of Data Protection
48 Pages Posted: 4 Apr 2023 Last revised: 11 Apr 2023
In a data-driven society, the collection and processing of data is essential to the operation of existing technologies and the development of new ones. Data protection law protects individuals against risks associated with the processing of “personal data”. However, despite an intensive legal debate, there is still considerable uncertainty as to when data is personal data and when it is not. The reason for this is that data such as technical data or geo-location data is usually not “personal” per se but only when it is used for a specific purpose and in a specific way, or to be more precise, when the data processing causes a specific risk to a fundamental right of an individual. In our paper, we demonstrate that by focusing on these risks when assessing the scope of application, the question of whether data falls into the scope of the GDPR or not becomes much clearer. The about, purpose, and result elements, introduced by the European Data Protection Board, thereby turn out to be a powerful set of analytical tools to determine which rights are specifically affected by data processing. While the about element addresses different risks to the right to privacy, the purpose element specifically reveals risks to the autonomy of an individual. Finally, the result element focuses on the negative effect data processing can have on any other fundamental rights of the individual. On this basis, it is also possible to define more precisely the legal requirements for anonymising personal data. First of all, we illustrate that anonymisation mainly affects the about element and can do little “against” the purpose and result elements. At least, however, by assessing which sphere of privacy is specifically concerned, it is possible to define more precisely when an individual is identified in a dataset and, thus, what the requirements for anonymisation are.
Keywords: data protection, privacy, GDPR, personal data, about element, purpose element, result element, anonymisation, risk-based approach, risks to rights