Positioning synthetic data under EU data protection law

Synthetic data is artificially generated data seeking to mimic real-world data (RWD) while protecting individual privacy. There are many advantages of using synthetic data over RWD. One is that synthetic data can be generated on-demand, and, due to recent advances in computing power and machine learning techniques, it is possible to generate highly complex synthetic datasets retaining most of the statistical properties of RWD. As data protection supervisory authorities and legal scholars have already pointed out, this carries risks of re-identification of individuals included in RWD. While this is an important risk, synthetic data can affect the rights and freedoms of individuals in other ways relevant in a data protection context. This paper positions synthetic data by shedding light on its different elements, how it is created and by mapping synthetic data in the EU data protection law landscape. It aims to inform both legal and technical practitioners’ data protection risks assessments when using synthetic data and further the academic discourse on synthetic data and EU data protection regulation. It concludes that synthetic data generally is a privacy-enhancing technology (PET) but that thinking of it as a fundamental rights-enhancing technology (FRET) could help ensure that all the aspects of synthetic data are considered when carrying out the rights and freedoms risk assessment.