GDPR Brief: the concept of personal data in the GDPR

9 Nov 2020

The central concepts of “identifiability” and of “personal data” are broadly defined in the GDPR, which can create challenges for actors in the health sector hoping to determine what data is regulated by the GDPR and what data is not.

The General Data Protection Regulation (GDPR) only applies to personal data, which is data that relates to “an identified or identifiable natural person” (a human). The central concepts of “identifiability” and of “personal data” are broadly defined in the GDPR, which can create challenges for actors in the health sector hoping to determine what data is regulated by the GDPR and what data is not. 

Personal data can consist of “any information” relating to an individual through an identifier. The identifier can be a “name, an identification number, location data, an online identifier” and can also include factors that refer to the concerned person with reference to “the physical, physiological, genetic, mental, economic, cultural or social identity” of that person. For instance, a characteristic, code, or object that relates to a natural person may be considered that person’s identifier. Whole genome sequence data represents a rich network of potential identifiers. This makes such data difficult to anonymize, i.e. render non-personal. 

Data can relate to the individual in “content,” “purpose”, or “effect”. Data relates to an individual in content if the substance of the data concerns the person. Data relates to an individual in its purpose if its intended use is to affect the interests of the concerned person, or to make determinations about that person. Last, data relates to a person if its processing is likely to have the result of affecting that person’s interests, even if such an outcome is not the primary purpose of the processing. 

Abstract reasoning or concepts used in making decisions about an individual will not necessarily be personal data. 

Regarding the “identifiability” of personal data, a contextual, risk-based approach should be adopted. Consequently, the identifiability of data is assessed relative to the factual circumstances of the data’s use, and to relative to other existing datasets that might reasonably linked to the data, rather than in the abstract. Further, data should only be considered identifiable if there is a foreseeable risk of re-identification. All means that are “reasonably likely” to be used to perform re-identification must be considered in determining if the individual is identifiable. According to the Court of Justice of the European Union, this test would include all means except those that are practically impossible to be used, or those that are illegal. 

Data can be identifiable even if the controller or processor using the data is not able to perform re-identification themselves. This could be the case, for instance, if third parties can perform the re-identification of de-identified genetic data by combining such data with other accessible sources of genetic data held in ancestry databases. 

For practical purposes, some academic commentators recommend assessing the likelihood that an individual could conceivably be re-identified as a result of the controller’s data use, and considering the degree to which such data use could affect the interests of the concerned individuals. This is consistent with risk-based approaches to GDPR compliance.

Last, personal data in the GDPR is distinct from similar concepts in other laws, such as Canadian data privacy legislation or the United States’ Health Insurance Portability and Accountability Act (HIPAA). International research consortia could thus face difficulties in establishing consistent policies regarding data governance, as regulated data may differ across participating jurisdictions.

Further reading

• CJEU Case C-582/14, Patrick Breyer v Bundesrepublik Deutschland
• CJEU Case C-434/16, Peter Nowak v Data Protection Commissioner
• CJEU Joined Cases C-141/12 and C-372/12 YS (and others) v Minister of Immigration 
• Article 29 Data Protection Working Party – Opinion 4/2007 on the concept of personal data
• Nadezhda Purtova “The law of everything. Broad concept of personal data and future of EU data protection law” Law, Innovation, and Technology (2018). 
• Thomas Finnegan and Allison Hall “Identification and Genomic Data” PHG Foundation (2017).
• Lorenzo Dalla Corte “Scoping Personal Data: Towards a Nuanced Interpretation of the Material Scope of EU Data Protection Law” European Journal of Law and Technology (2019). 
• Michèle Finck and Frank Pallas. “They Who Must Not Be Identified – Distinguishing Personal from Non-Personal Data Under the GDPR” International Data Privacy Law (2020). 
• Edward S. Dove and Jiahong Chen. “To What Extent Does the EU General Data Protection Regulation (GDPR) Apply to Citizen Scientist-Led Health Research with Mobile Devices?” The Journal of Law, Medicine, and Ethics (2020).

Relevant GDPR provisions

• Recital 26 – GDPR not applicable to anonymous data
• Recital 30 – online identifiers
• Article 4(1) – definition of personal data
• Article 11 – processing which does not require identification 

Alexander Bernier is a Montreal-based lawyer and an Academic Associate at McGill University’s Centre of Genomics and Policy. 

See all previous briefs.

Please note that GDPR Briefs neither constitute nor should be relied upon as legal advice. Briefs represent a consensus position among Forum Members regarding the current understanding of the GDPR and its implications for genomic and health-related research. As such, they are no substitute for legal advice from a licensed practitioner in your jurisdiction.