Identifying the Identified: Unraveling the Third Element of Personal Data in EU Law
DOI:
https://doi.org/10.33344/vol17iss1pp64-80Keywords:
Data Protection Law, GDPR, Personal Data, IdentifiedAbstract
The notion of 'personal data' is a well-established concept within European Union legislation, having been defined and interpreted through various legal texts and court cases over the past two decades. However, the third element of this definition, which pertains to the identification or identifiability of an individual, continues to generate considerable ambiguity. The crux of this uncertainty lies in determining the circumstances under which an individual can be deemed 'identified'. This interpretation is of paramount importance, as data that cannot be associated with an identified or identifiable individual is not classified as personal data, thereby falling outside the scope of the General Data Protection Regulation (GDPR).
Historically, the Court of Justice of the European Union (CJEU) has not provided a clear stance on the threshold of identifiability. The Working Party, established under Article 29 of the Data Protection Directive, has offered its own interpretation, providing a detailed perspective on what constitutes an 'identified' individual. Despite its non-binding nature, this opinion is frequently employed by legal scholars as a foundation for defining personal data. However, the absence of references to this opinion in CJEU judgements, coupled with the fact that the European Data Protection Board (the successor of the Working Party 29) has not officially endorsed or adopted the WP 136 opinion, leaves the question of what can be considered as 'identified' open to interpretation and debate.
This article posits that 'identification' has to be construed as the process of distinguishing an individual from a larger group. The article argues that alternative interpretations could undermine the fundamental objectives of the GDPR. Thus, this paper seeks to contribute to the ongoing discourse surrounding the definition of personal data within the context of EU data protection law.