A re-evaluation of the definition of ‘personal data’ in EU data privacy Law

Abstract

Data privacy is a fundamental human right and data privacy law aims to protect the individual’s privacy-related interests. The ‘material scope’ of this law is outlined by the concept of ‘personal data’ which in the European Union its definition is found in the General Data Protection Regulation. It has been argued that data protection law is becoming “the law of everything” however, such a stance is not only doubtful, but in practice, it makes the law unenforceable. This dissertation re-evaluates the notion of ‘personal data’ by analysing the GDPR along with the relevant jurisprudence of the Court of Justice of the European Union as a lex lata matter (‘the law as it is’). What is more, this study shows that the legal literature is currently expanding on this topic more than the textual analysis of the law and the interpretive position taken by the CJEU. As a ‘case study’, this dissertation delves into the matter of whether it would be correct to assume that the data contained within blockchain technology should be classified as ‘personal data’. In addition, with regard to lex ferenda (‘the future law’), there have been concerns that by taking a ‘maximalist’ interpretation of the definition of ‘personal data’, this may result in a ‘system overload’. Therefore, this study maintains that a more effective and rational strategy for the regulation of personal data would be to pay greater attention to the apparent potential harms that may arise and to implement a more risk-based approach. This approach would be essential to guarantee the appropriate application, processing, and security of personal data.