The exponential spreading and deployment of emerging digital technologies such as the Internet of Things (IoT) has been remarkable: the IoT market is expected to triple, at least, from USD 170.57 billion in 2017 to USD 561.04 billion by 2022. IoT technologies collect, generate and communicate a huge amount of different data and metadata, through an increasing number of interconnected devices and sensors. Current EU legislation on data protection classifies data into personal and non-personal. The paper aims at charting the resulting entanglements from an interdisciplinary perspective. The legal analysis, integrated with a technical perspective, will address firstly the content of IoT communications, i.e. “data”, and the underlying distinction between personal and non-personal. Secondly, the focus will shift on the metadata related to communications. Through a technical analysis of the highly sensitive nature of metadata, even when the content is encrypted, I will argue that metadata are likely to undermine even more the ontological and sharp division between personal and non-personal data upon which the European legal frameworks for privacy and data protection have been built. The incoming ePrivacy Regulation shall provide metadata, which should be considered always personal data, the same level of protection of “content” data. This interpretation might broaden the scope of application of GDPR and the connected obligations and responsibilities of data controllers and data processors too much.