Data protection regulation aims to protect individuals against misuse and abuse of their personal data, while at the same time allowing businesses and governments to use personal data for legitimate purposes. Collisions between these aims are prevalent in practices such as profiling and behavioral targeting. Many online service providers claim not to collect personal data. Data protection authorities and privacy scholars contest this claim or raise serious concerns. This paper argues that part of the disagreement in the debate stems from a conflation of distinct notions of identifiability in current definitions and legal provisions regarding personal data. As a result, the regulation is over- and under-inclusive, addresses the wrong issues, and leads to opposition by the industry. In this paper I deconstruct identifiability into four subcategories: L-, R-, C- and S-identifiability. L-identifiability (look-up identifiability) allows individuals to be targeted in the real world on the basis of the identifier, whereas this is not the case in the other three. R-identifiability (recognition) can be further decomposed into C-type (classification) identifiability, which relates to the classification of individuals as being members of some set, and S-type (session) identifiability, which is a technical device. Distinguishing these types helps in unraveling the complexities of the issues involved in profiling, dataveillance, and other contexts. L-, R-, and C-type identification occur in different domains, and their goals, relations, issues, and effects differ. This paper argues that the different types of identifiability should be treated differently and that the regulatory framework should reflect this.
- data protection,
- personal data
Available at: http://works.bepress.com/ronald_leenes/2/