In this paper I propose to analyse the binary notion of personal data and highlight its limits, in order to propose a different conception of personal data. From a risk regulation perspective, the binary notion of personal data is not particularly fit for purpose, considering that data collection and information flows are tremendously big and complex. As a result, the use of a binary system to determine the applicability of EU data protection law may be a simplistic approach. In an effort of bringing physics and law together, certain principles elaborated within the quantum theory are surprisingly applicable to data protection law, and can be used as guidance to shed light on many of today's data complexities. Lastly, I will discuss the implications and the effects that certain processing operations may have on the possibility of qualifying certain data as personal. In other terms, how the chances to identify certain data as personal is dependent upon the processing operations that a data controller might put in place. * Alessandro El Khoury, LLM, Legal and Policy Officer, DG Health & Food Safety, European Commission. The information and views set out in this article are those of the author and do not necessarily reflect the official opinion of the European Commission. 2. Big Data has been defined as a data set whose size is beyond the ability of typical database software tools to capture, store, manage and analyse. See J. Manyika, M. Chui, B. Brown, J. Bughin, R. Dobbs, C. Roxburgh & A.H. Byers. Big Data: The Next Frontier for Innovation, Competition, and Productivity (2011). 3. Cloud Computing has to be understood as a methodology through which a vast measure of pooled and virtualised resources can be accessed. See A. El Khoury, 'Data Protection and Risk Regulation. Cloud Computing: A Case Study' (LLM thesis on file at LUISS School of Governance, Rome). 4. With the term 'Internet of Things', we refer to a global network infrastructure linking uniquely identified physical and virtual objects, things and devices through the exploitation of data capture, communication and actuation capabilities. See A.
