Should we also regulate non-personal data?

Presentation transcript:

Should we also regulate non-personal data?
Bart van der Sloot
www.bartvandersloot.com

Expanding scope

Legal instruments and their material scope:

Resolutions 1973 & 1974: Information relating to individuals (physical persons)

Convention 1981: Information relating to an identified or identifiable individual

Directive 1995: Information relating to an identified or identifiable natural person; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;

Regulation 2016: ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

Expanding scope

Article 2 - Material scope
1. This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.

Article 4 – Definitions
‘pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;

Content data - metadata

The ECtHR suggests that the processing of content data and of metadata can be equally intrusive. Metadata, for example, “could reveal the identities and geographic location of the sender and recipient and the equipment through which the communication was transmitted. In bulk, the degree of intrusion is magnified, since the patterns that will emerge could be capable of painting an intimate picture of a person through the mapping of social networks, location tracking, Internet browsing tracking, mapping of communication patterns, and insight into who a person interacted with”.
Big Brother Watch and Others v the United Kingdom, para. 356

CJEU case law, according to which metadata “is liable to allow very precise conclusions to be drawn concerning the private lives of the persons whose data has been retained, such as everyday habits, permanent or temporary places of residence, daily or other movements, the activities carried out, the social relationships of those persons and the social environments frequented by them … In particular, that data provides the means … of establishing a profile of the individuals concerned, information that is no less sensitive, having regard to the right to privacy, than the actual content of communications.”
C-203/15 and C-698/15 Tele2/Watson (2016) ECLI:EU:C:2016:970, para. 99

Non-personal data

Regulation (EU) 2018/1807 of the European Parliament and of the Council of 14 November 2018 on a framework for the free flow of non-personal data in the European Union

This Regulation applies to the processing of electronic data other than personal data in the Union, which is:
(a) provided as a service to users residing or having an establishment in the Union, regardless of whether the service provider is established or not in the Union; or
(b) carried out by a natural or legal person residing or having an establishment in the Union for its own needs.

This Regulation aims to ensure the free flow of data other than personal data within the Union by laying down rules relating to data localisation requirements, the availability of data to competent authorities and the porting of data for professional users.

Anonymous data

Not included under the GDPR

Paul Ohm: Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization

Combined and aggregated data

In principle not covered by the GDPR

A Composition Theory for Privacy Law, by John A Fluitt et al:

‘Recent data privacy attacks have successfully combined multiple releases of data in order to learn privacy-sensitive information about individuals. As one prominent example, researchers in 2018 demonstrated that it was possible to reconstruct the full database from the 2010 Decennial Census and re-identify sensitive information for a significant percentage of the US population, by combining the statistical tables published by the US Census Bureau with information from commercial databases available in 2010. This revelation has compelled the Census Bureau to adopt formal mathematical guarantees of privacy that quantitatively measure and manage cumulative privacy risk for all data publications from the 2020 Decennial Census. As the volume and complexity of data uses and publications grow exponentially across a broad range of contexts, the need to develop frameworks for addressing cumulative privacy risks is likely to become an increasingly urgent and widespread problem. This Article argues that information privacy law inadequately addresses cumulative risks from multiple data uses and releases…’

Static categories

- Personal data – non-personal data
- Personal data – sensitive personal data
- Anonymous data – identifying data
- Content data – metadata
- Etc.

Why not dissolve the difference between personal and non-personal data?

- More protection, but still room for data processing
- Addresses current technological developments
- Limits endless legal discussions
- Limits possibilities for circumventing the data protection framework