Every 28 January, International Data Protection Day is celebrated to commemorate the opening for signature of Convention 108 of the Council of Europe on that same day in 1981. However, 45 years later—and almost a decade after the adoption of the GDPR—it is revealing that one of the core issues of the system remains the subject of debate: what should be understood, in legal and practical terms, as “personal data”.
The delineation of this concept has, since its origins, been one of the main sources of conceptual and operational friction in European data protection law. Although the GDPR codified a broad and technologically neutral definition in Article 4, the question of when and for whom information allows the identification of a natural person has proven to be less stable than the regulatory text itself might suggest. This tension became particularly pronounced following the judgment in Patrick Breyer (C-582/14), in which the Court of Justice of the European Union introduced a criterion of identifiability based on the legal—rather than necessarily material or customary—possibility of accessing additional information held by third parties.
