The Data of Schrödinger’s Cat
In day-to-day practice, the question “Is this personal data?” often seems easy to answer: a name, email address, or IP address is generally recognized as such without hesitation. But this apparent clarity hides a more complex legal reality. In practice, data such as “John Smith” does not always meet the legal definition of personal data.
The General Data Protection Regulation (GDPR) provides no absolute criterion but applies a relative standard that is nonetheless objectively assessed. This paradox was perfectly illustrated in the Breyer case (CJEU, C-582/14), where the German government stored dynamic IP addresses of website visitors to detect cyberattacks. Only the internet provider could actually identify the user.
The Court of Justice ruled that the IP address could be considered personal data — but only relative to a data controller who could reasonably and lawfully gain access to that additional identifying information. So the data simultaneously is and isn’t personal data, depending on the viewer and their legally permissible means — much like Schrödinger’s cat, both alive and dead until the box is opened.
Conclusion
Data qualifies as personal data only if a data controller — possibly through third parties — can reasonably identify a natural person. This identification capability is relative (depending on who the controller is), but the assessment is objective: it’s not about what the organization can actually do, but what could reasonably be expected from them within the legal context.
In other words, data may be personal for Controller A, but not for Controller B. For example, A may be in a position to lawfully obtain data via legal channels (such as courts or law enforcement), while B lacks those means or would need to make disproportionate efforts.
Key Considerations
1. The Relative Yet Objective Test
According to Article 4(1) of the GDPR, personal data is any information relating to an identifiable natural person — directly or indirectly. Recital 26 adds that “all the means reasonably likely to be used” must be considered — not only by the controller but also by third parties that could realistically assist, such as public sources, legal authorities, or other cooperative entities.
This assessment is not subjective. It’s not about what you can personally do — it’s about what a data controller in your position is objectively expected to be able to do.
2. The Schrödinger Paradox in Practice
The name “John Smith” illustrates this well. In a small town, this name might refer to one identifiable individual — especially when combined with a birth date or address. But in Amsterdam, without context, the same name is so common that identifying the right person would require unreasonable effort. In that case, the name is not considered personal data for that specific processing activity. Its status remains in a kind of quantum state — neither personal nor anonymous — until the context and means are assessed.
3. The Breyer Doctrine
In Breyer, the Court applied this relative approach. It found that the website operator had to treat the IP address as personal data because legal avenues existed to identify the user via the ISP. These channels were lawful and realistically available. So even though the IP address was not identifying on its own, it still qualified as personal data in that context.
This has major implications: your position, your tools, and your legal access matter. The idea of personal data as an absolute category disappears. It becomes a legal cat in a box — simultaneously alive and dead, until the box (i.e. the context and objective test) is opened.