‘Personal data as anything and everything’ under the GDPR

Published at 2024-03-26 by Ana Rodrigues

Understanding the complex link between AI and the General Data Protection Regulation (GDPR) requires diving into the Regulation's material reach. This includes the subject area that it seeks to regulate, namely the processing of personal data (article 2).

However, scholars such as Nadezhda Purtova emphasise a major issue: the broad expansion of the concept of personal data. This broad interpretation might cover all sorts of information, effectively rendering the GDPR 'the law of everything'.

Article 4.1 of the GDPR offers a seemingly clear definition of personal data as: “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.

However, taking a closer look at its components – "any information," "relating to," "an identified/identifiable," and "natural person" – exposes the possibility of broad interpretation. This extension is evident in the analysis offered by authorities such as the Article 29 Working Party (29 WP) and decisions made by the European Union's Court of Justice (CJEU). It is crucial to highlight that, although being replaced by the EDPB in 2018, the 29 WP retains power, particularly in areas where the EDPB remains silent.

Opinion 136 of the Article 29 Working Party, confirmed by the CJEU's Nowak decision, offers a thorough framework for comprehending personal data under the GDPR. It maintains that all information, regardless of nature or content, is under its purview. The phrase "relating to," as defined in both Nowak and Opinion 136, spans beyond content-specific elements such as a person's name to include both the purpose and possible results of data processing. This interpretation expands the concept to encompass any information processed with the aim to assess, influence behaviour, or impact rights and interests, regardless of the extent of the effect.

Recital 26 of the GDPR establishes identifiability as a complete strategy that takes into account all possible forms of identification. It requires assessors to evaluate elements such as singling out by the controller or any other party, emphasising the significance of examining all objective criteria.

Similarly, in WP136, the focus expands beyond hypothetical scenarios to include all possible methods of identification. WP136 also lists a list of objective elements to be taken into account, such as the technology environment, prices, efforts, security risks, and the purpose and nature of processing.

The issue stems not just from the expansive interpretation of personal data or the wide legal protection it involves, but also from the scenario in which almost everything qualifies as personal data, demanding thorough data protection procedures. In such cases, the GDPR creates a strict and non-scalable set of rights and duties. Maintaining this structure becomes not just difficult, but nearly impossible.

GDPR on AI - a series of posts written by [Maria Mot]