The evolution of the concept of personal data: Are we entering the era of relative personal data?

1. Introduction

Within the data protection community, the conventional interpretation of 'absolute personal data' has long been a generally agreed-upon concept. This consensus has also withstood in circumstances where the information required to make an individual 'identifiable', either directly or indirectly, is possessed by a party other than the one processing the personal data. It has been recognised that the definition of 'personal data' might be context-specific, varying for each data controller involved. Yet, in court rulings, it has been held that the possession of additional information by a third party, which could make a natural person identifiable, is sufficient grounds to classify the information as 'personal data'. This understanding has endured even when no lawful means exist to acquire the additional information necessary to 'identify' the natural person held by a third party. 

However, recent case law has begun to test the waters of this long-standing interpretation of personal data. A growing contingent within the data protection field views this development with optimism, interpreting it as a potential shift away from the established notion of 'absolute personal data' and towards a more 'relative' understanding of personal data. This relative concept would take into account the objective factors, such as the cost and time required for identification, as well as the available technology at the time of processing and technological advancements. In this text, we will first explore the conventional concept of personal data. Following this, we will evaluate recent case law to assess whether we are transitioning towards an era of ‘relative personal data’.

2. The conventional concept of personal data

2.1 Legal basis

Although the most recent developments have emerged from case law, it is essential to remember that the concept of personal data is, and will always remain, based on the definition provided by the law. The EU General Data Protection Regulation (“GDPR”) defines personal data in Art. 4(1). According to Art. 4(1) of the GDPR, ‘personal data’ means any information relating to an identified or identifiable natural person (data subject). An identifiable natural person is one who can be identified, directly or indirectly. According to recital 26 of the GDPR, "to determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used […] either by the controller or by another person to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments."

The conventional concept of personal data is strongly based on the wording of the GDPR. According to this perspective, information is considered personal data if it meets two tests: the data in question must relate to an individual and the individual must be at least identifiable. ‘Relates to’ and ‘identifiable’ are separate tests; both must be met.

2.2 The “relates to” test

The first part of the test, the ‘relates to’ part, has first been set out in detail by the Article 29 Working Party’s (“WP29”) Opinion 4/2007 on the concept of personal data (“WP136”). At p.10, the WP29 states as follows: 

“.. in order to consider that data ‘relate to’ an individual, a ‘content’ element OR a ‘purpose’ element OR a ‘result’ element should be present.”

At p.11, the WP29 also states that “… where the content element is present, there is no need for the other elements to be present to consider that the information relates to the individual.” 

When it is clear that the data pertains to a specific individual, the purpose and result tests become redundant: as long as the person can be identified or is identifiable, the data will always be considered personal. The WP29 implicitly foresees that this will be the norm for most personal data ("In many situations, this relationship [that the data is about the individual] can be easily established"). The purpose and result tests have been implemented to broaden the definition of personal data to cover situations that are not as clear-cut. In the opinion, the WP29 suggests an example about the value of a house. This data might not in all cases be seen to relate to the owner ("[it] is information about an object"), as it could also just illustrate the level of real estate prices in an area. If, however, the value of the house is processed in the context of being an asset to the owner (e.g. to pay taxes), such information shall be considered personal data according to the WP29.

Other opinions have only cursorily mentioned the concept of ‘relates to’. Opinion 8/2014 on recent developments on the internet of things (WP223) contains a paragraph ‘on the notion of personal data’ at section 3.2. The Opinion refers readers back to WP136, but then states that 

“In the context of the IoT, it is often the case that an individual can be identified based on data that originates from “things”. Indeed, such data may allow discerning the life pattern of an individual or family – e.g. data generated by the centralised control of lighting, heating, ventilation and air conditioning.” The Opinion does not go on to consider purpose or result. The mere fact that the data is identifiable and could lead to a purpose or result for individuals seems sufficient. 

EDPB Guidelines 01/2020 on processing personal data in the context of connected vehicles and mobility-related applications similarly presume that connected vehicle data should be assumed to be personal data and to presume that such data will relate to individuals.  For example, at para 3, EDPB states: 

“[…]connected vehicles are generating increasing amounts of data, most of which can be considered personal data since they will relate to drivers or passengers. Even if the data collected by a connected car are not directly linked to a name, but to technical aspects and features of the vehicle, it will concern the driver or the passengers of the car. As an illustration, data relating to the driving style or the distance covered, data relating to the wear and tear on vehicle parts, location data or data collected by cameras may concern driver behaviour as well as information about other people who could be inside or data subjects that pass by. Such technical data are produced by a natural person, and permit his/her direct or indirect identification, by the data controller or by another person.”

At para 62, EDPB goes on to state that: 

“As noted in the introduction, most data associated with connected vehicles will be considered personal data to the extent that it is possible to link it to one or more identifiable individuals. This includes technical data concerning the vehicle’s movements (e.g., speed, distance travelled) as well concerning the vehicle’s condition (e.g., engine coolant temperature, engine RPM, tyre pressure).”

EDPB Guidelines 02/2021 on voice activated assistants refer to ‘observed data (e.g. device data that relates to a data subject, activity logs, online activities)’. This is referenced as a type of personal data. Although EDPB refers to device data that relates to a data subject, there seems to be an assumption that activity logs and online activities will be personal.

Furthermore, the Court of Justice of the European Union (“CJEU”) has also held that the information does not need to be accurate to constitute personal data. In the Google Spain v. Costeja case (Case C-131/12), the Court held that “under certain conditions, individuals have the right to obtain erasure of their personal data from an internet search engine’s search results. This right may be invoked where information relating to an individual is inaccurate, inadequate, irrelevant or excessive for the purposes of the data processing.” Inaccurate information can mean, for example, factually incorrect information or information relating to the wrong person (e.g. the person has been falsely identified). So, information may ‘relate to’ a data subject even if it incorrectly refers to the person and is actually about another person.

The supervisory authorities tend to place more emphasis on ‘identifiability’ than on 'relates to' - the ‘relates to' test is almost always met. 

2.3 Identifiable

In most cases concerning the concept of personal data, the Court has discussed the concept of ‘identifiable’. In the Breyer case (Case C-582/14), the Court found that “in so far as that recital [26] refers to the means likely reasonably to be used by both the controller and by ‘any other person’, its wording suggests that, for information to be treated as ‘personal data’, --- it is not required that all the information enabling the identification of the data subject must be in the hands of one person" (par. 43). In that case, the Court found that the fact that the additional data necessary to identify the user of a website was not held by the online media services provider, but by that user’s internet service provider, did not mean that the dynamic IP addresses registered by the online media services provider would not constitute personal data (par. 44). They could be personal data if there are means likely reasonably used.

Thus, the Breyer decision set the bar high for the ‘means reasonably likely to be used’ (to identify the natural person). The Court held in this decision that dynamic IP addresses might constitute personal data as the online media services provider is able to contact the competent authority to obtain the information (par. 47), even though the online media service provider might not itself have any access to the data that makes the IP addresses identifiable.

The Breyer case has later been referenced in other CJEU cases, and it has given a broad scope for the concept of personal data. Recent judgements of the Court (such as C-579/21 and C-604/22) have not changed the broad scope. In the case C-579/21, the Court found that “the broad definition of the concept of ‘personal data’ covers not only data collected and stored by the controller, but also includes all information resulting from the processing of personal data relating to an identified or identifiable person” (par. 45). 

In IAB Europe v. Gegevensbeschermingsautoriteit (Case C-604/22), the Court ruled that "a string composed of a combination of letters and characters, such as the TC String (Transparency and Consent String), containing the preferences of a user of the internet or of an application relating to that user’s consent to the processing of personal data concerning him or her by website or application providers as well as by brokers of such data and by advertising platforms constitutes personal data within the meaning of that provision in so far as, where those data may, by reasonable means, be associated with an identifier, such as, inter alia, the IP address of that user’s device, they allow the data subject to be identified. In such circumstances, the fact that, without an external contribution, a sectoral organisation holding that string can neither access the data that are processed by its members under the rules which that organisation has established nor combine that string with other factors does not preclude that string from constituting personal data within the meaning of that provision" 

This shows that data might be personal data, even if the data controller does not know whose personal data it is as long as there are ways to connect the data to a natural person.

3. EDPS v SRB – Change in the scope of personal data?

3.1 Case facts and the General Court's judgment in case T-557/20

It has been argued that the General Court’s judgement in case T-557/20 might have changed the scope of the concept of personal data. The General Court annulled a revised decision of the European Data Protection Supervisor (“EDPS”) regarding a case where the EU’s Single Resolution Board (“SRB”) had conducted a hearing of creditors and shareholders of a Spanish bank in connection with the bank’s resolution. SRB shared the comments of the creditors and shareholders with the consultancy firm Deloitte by replacing the names of the respondents with alphanumeric codes. 

Some respondents submitted complaints to the EDPS claiming that the SRB failed to inform them that the data collected through the responses on the forms would be transmitted to third parties, breaching the terms of the privacy statement. In the procedure before the EDPS, the SRB claimed that the information did not constitute personal data while the EDPS found the shared data to be pseudonymous data, arguing that the comments were personal data because the SRB shared the alphanumeric code that allows linking the replies given in the registration phase with the ones given in the consultation phase – notwithstanding the fact that the data provided by the participants to identify themselves in the registration phase were not disclosed to Deloitte.

However, the Court’s main focus was not on the scope of the concept of personal data per se – instead, it stressed that the EDPS “had not examined the content, the purpose or the effect of the information transmitted to a third party” (par. 70) and “Since the EDPS did not carry out such an examination, he could not conclude that the information transmitted to Deloitte constituted information ‘relating’ to a natural person within the meaning of Article 3(1) of Regulation 2018/1725” (par. 74). The case concerns the scope of ‘personal data’ under Regulation 2018/1725 which is the EU institutions’ equivalent to the GDPR and mirrors the same language and principles as the GDPR. 

Similarly, the Court found that the EDPS should have investigated whether Deloitte had legal means to access the additional information necessary to re-identify the authors of the comments. Since the EDPS did not investigate this, “the EDPS could not conclude that the information transmitted to Deloitte constituted information relating to an ‘identifiable natural person’ within the meaning of Article 3(1) of Regulation 2018/1725” (par. 105). The Court did not take a stance on the concept of personal data as such but made a significant ruling that the burden of proof as to whether data is personal data lies with the supervisory authority, not the data controller. The Court also made references to the arguments made in the case Breyer.

3.2 Opinion of Advocate General Spielmann in Case C-413/23 P

The EDPS v SRB case, T-557/20 was appealed and is waiting for judgement of the CJEU (Case C-413/23 P). Advocate General Spielmann (“AG”) gave his opinion on 6 February 2025. It is stated in the introduction of the opinion that “the present case gives the Court of Justice the opportunity to clarify, in the context of pseudonymised data, the concept of ‘personal data’ and the obligations arising therefrom for the purpose of complying with the obligations of fair and transparent processing of data" (par. 2).

The EDPS, supported by the EDPB, put forward two grounds of appeal. The first seeks to challenge the General Court’s interpretation of the concept of “personal data” within the meaning of Article 3(1) and (6) of Regulation 2018/1725, as interpreted by the case-law of the Court of Justice. The second ground of appeal alleges breach of the principle of accountability (par. 25).

The AG found that the comments that had been shared to the third party related to the complainants by reason of their content, purpose and effect (par. 31-38). This was not changed by the fact that the comments were filtered, categorized and aggregated. Furthermore, the AG found that “the fact that it is not possible, within that sum of comments, to distinguish the various individual opinions seems to me to fall more within the scope of the second cumulative condition, relating to the identifiability of the data subjects, examined in the context of the second part of the present ground of appeal, than within the scope of the condition requiring the comment to be ‘linked’ to a natural person" (par. 39). 

Due to this, the AG was of the view that “the General Court’s assessment may be regarded as vitiated by an error of law in that regard, inasmuch as it considered that the EDPS had not concluded that the comments at issue ‘related’ to natural persons, within the meaning of Article 3(1) of Regulation 2018/1725” (par. 40).

Secondly, the AG pointed out that the complaint illustrates two different approaches: “Should pseudonymised data be included within that scope automatically on the sole ground that the data subjects remain identifiable, irrespective of the accessibility of the additional identification data, or should it be considered that, following the pseudonymisation process, the data are personal data only for those persons who can reasonably identify the data subjects” (par. 43). The AG states that “if it is impossible to identify those data subjects, they are therefore legally considered to be sufficiently protected by the pseudonymisation process, notwithstanding the fact that the additional identification data have not been completely erased” (par. 51) and that “such data may, under certain conditions, fall outside the scope of the concept of personal data” (par. 52).

However, the AG highlighted that data can legally escape classification as personal data only when the risk of identification is “non-existent or insignificant” (par. 57). The argumentation of the AG therefore seems to follow the path set by the Breyer case. This is also in line with the European Data Protection Board's recent draft guidelines on pseudonymisation, which suggested that pseudonymised data will always be personal (para 22).

Nonetheless, the AG noted that it may be “disproportionate to impose on an entity, which could not reasonably identify the data subjects, obligations arising from Regulation 2018/1725, obligations which that entity could not, in theory, comply with or which would specifically require it to attempt to identify the data subjects” (par. 58). Due to this, AG was of the opinion that “it was necessary to determine whether the pseudonymisation of the data at issue was sufficiently robust to conclude that the complainants, who were the authors of the information transmitted to Deloitte, were not reasonably identifiable. In other words, in that context, if Deloitte had reasonable means to identify those complainants, it could be considered to be processing personal data” (par. 59).

Subsequently, the AG processed the obligation to provide information to the data subjects and the comparison to the judgement Breyer. AG found that the obligation to provide information is part of the relationship between the data subjects (the complainants) and the controller (the SRB) (par. 72). The AG found that “the issue of whether or not pseudonymisation is sufficiently robust and effective, so as to permit a conclusion regarding whether or not the data in Deloitte’s possession constitute personal data, ultimately does not seem to me to be material with regard to the SRB’s obligation to provide information” (par. 80). This obligation was incumbent on the SRB “irrespective of whether or not the data as transferred into Deloitte’s possession were personal data” (par. 74). 

The AG concluded that since the point of view of the recipient of the data at issue is not relevant to the obligation to provide information, the arguments of the parties concerning the possibility for Deloitte to identify the data subjects, by lawful and practically feasible means, are ineffective and there is therefore no need to examine them (par. 82).

Finally, the AG examined in the alternative the second ground of the appeal on the alleged error of the Court in holding that it was for the EDPS to demonstrate that the information transmitted to Deloitte was personal data, in breach of the principle of accountability of the SRB (par. 84). The AG states in his opinion that “if it is accepted, for the purposes of the alternative examination of the present ground of appeal, that Deloitte’s point of view was relevant in the present case, it may be considered, as the General Court held, that it was for the EDPS to demonstrate for what reason, legal or technical, the pseudonymisation process implemented by the SRB in the present case was not sufficient and should have led to the conclusion that Deloitte was processing personal data” (par. 96). The AG was therefore of the opinion that the judgment under appeal should be upheld as regards the second ground of appeal (par. 97), meaning that EDPS would bear the burden of proof for the matter. 

The AG proposed that the Court should set aside the judgment of the General Court of the European Union of 26 April 2023, SRB v EDPS (T‑557/20, EU:T:2023:219), refer the case back to the General Court for judgment on the second plea in law raised before it and reserve the costs.

4. Have we entered the era of relative personal data?

The simple answer is NO. We have not entered a new era concerning the concept of personal data.

The concept of personal data has always been somewhat relative; the assessment of whether information constitutes personal data has always been made from the perspective of the entity whose data protection obligations are being evaluated. To claim that we have entered a new era in terms of the concept of personal data would require demonstrating a significant change to this prevailing concept. However, recent case law and the Advocate General's opinion on the Single Resolution Board case have not changed the extremely high threshold, familiar from the Breyer case, for information not to be considered personal data. 

The prevailing concept of personal data can be summarised with a quote from Advocate General Spielmann's opinion on case C-413/23 P: “it is only where the risk of identification is non-existent or insignificant that data can legally escape classification as 'personal data'.” This suggests that while there may be ongoing discussions and potential shifts in the concept of personal data, the conventional interpretation, which establishes a high threshold for information to be considered non-personal, continues to be upheld. Therefore, the established standards for defining personal data remain largely unchanged.

While the Single Resolution Board case may not have brought about a desired change in the concept of personal data, it is important to note that the Court made a significant ruling regarding the principle of accountability. Accountability, as one of the principles of the GDPR, requires entities to not only comply with the GDPR but also be able to demonstrate their compliance.  The Court made a significant ruling that the burden of proof whether data is personal data lies with the supervisory authority, not the data controller. It remains to be seen how the principle of accountability will be interpreted after this decision. What remains of the accountability principle if the burden of proof ultimately lies with the supervisory authority?