GDPR Fun Fact #9: The definition of personal data is sometimes excessive – says the GDPR
Article 11 on "processing not requiring identification" has always been a bit of a UFO. Its purpose was to cautiously acknowledge certain realities, and to carefully bring a modicum of common sense into real world situations more nuanced than what many privacy theorists and activists may care to tolerate. Has it worked? Yes, but not necessarily as initially intended. It may not have put the desired order to the chaos of online commercial user tracking, but it has been a breath of fresh air for cybersecurity operations.
1. If the purposes for which a controller processes personal data do not or do no longer require the identification of a data subject by the controller, the controller shall not be obliged to maintain, acquire or process additional information in order to identify the data subject for the sole purpose of complying with this Regulation.
2. Where, in cases referred to in paragraph 1 of this Article, the controller is able to demonstrate that it is not in a position to identify the data subject, the controller shall inform the data subject accordingly, if possible. In such cases, Articles 15 to 20 shall not apply except where the data subject, for the purpose of exercising his or her rights under those articles, provides additional information enabling his or her identification.
In the original Commission proposal from 2012, the article only had its first paragraph, and its title was “processing not allowing identification”. Granted, that title was self-defeating in its logical contradiction with the definition of personal data: If data does not allow identification, then it must not be personal, therefore the GDPR doesn’t apply, so what is the point of this article?
More importantly, it was a politically dangerous admission of the reality that in many contexts, for data controllers, the data subject is neither identified, nor identifiable, even if the information processed does meet the extremely expansive definition of personal data: Where the theoretical possibility of identifiability exists, however indirect and remote, the data must be regarded as personal. Consequently the GDPR must be made to apply, no matter how impractical or unrealistic. So it could not be acknowledged that personal data in a controller’s possession might not allow the controller to identify the data subject: At best it could be grudgingly accepted that not all controllers need or want to go all the way to actually identifying the data subject.
An everyday case – almost completely ignored by the authors of the text, who at the time were only concerned with cornering certain online tracking and targeted advertising schemes which did not identify, but merely singled out specific data subjects (hence the reference to "singling out" in Recital 26) – is cybersecurity.
Certain very common cyberthreat defense techniques, such as the blacklisting, quarantining and sinkholing of traffic emanating from known malicious sources, rely upon detection based on network identifiers (e.g. IP addresses) or account identifiers (e.g. email addresses) that were compromised and are being misused by cyber attackers.
Cyber defenders typically don’t know and don’t care who the internet subscribers or email users might be whose devices or accounts are being turned into cybercriminal bots. Also, they have no legal grounds to even try to figure that out. Yet, they still need to process the data. Article 11 paragraph 1 gives them much needed solace in that regard.
You might then ask: Is there a case in cybersecurity where Article 11 paragraph 2 may apply? Of course: For instance when the legitimate user of a blacklisted email account requests the removal of their address from the blacklist. Reputable data controllers active in the email security space have specific processes for that. Not your typical data subject request, but still an important and relevant one out there in the real world.
Which also brings up this lingering side question: Why is Article 11 in Chapter II (Principles), and not in Chapter III (Rights of the Data Subject)? What principle does it lay down? At best, it could be argued that it is a tortuously convoluted extension of the data minimisation principle, but that’s very far-fetched. In fact, the only thing it does is to partially exempt the controller from compliance with certain data subject rights where such compliance would require more privacy-invasive data collection than what the data subject willingly permits. By all means, Article 11 would have been better placed at the end of Chapter III. Oh well…