Do They Know Me? Deconstructing Identifiability
TILT Law & Technology Working Paper Series No. 006/2008
Posted: 17 Jul 2010
Date Written: 2008
Data protection regulation aims to protect individuals against misuse and abuse of their personal data, while at the same time allowing businesses and governments to use personal data for legitimate purposes. Collisions between these aims are prevalent in practices such as profiling and behavioral targeting.
Many online service providers claim not to collect personal data. Data protection authorities and privacy scholars contest this claim or raise serious concerns. This paper argues that part of the disagreement in the debates stems from a combination of distinct notions of identifiability in current definitions and legal provisions regarding personal data. As a result, the regulation is over- and underinclusive, addresses the wrong issues, and leads to opposition by the industry.
In this paper I deconstruct identifiability into four subcategories: L-, R-, C- and S-Identifiability. L-identifiability (for look-up identifiability) allows individuals to be targeted in the real world on the basis of the identifier, whereas this is not the case in the other three. R-identifiability (recognition) can be further decomposed into S-type (session) identifiability, which is a technical kludge, and C-type (classification) identifiability, which relates to the classification of individuals as being a member of some set.
Distinguishing these types helps unravel the complexities of the issues involved in profiling, dataveillance, etc. L-, R-, and C-type identification occur in different domains, and their goals, relations, issues, and effects differ. The paper argues that the different types of identifiability should be treated differently and that the regulatory framework should reflect this.
Keywords: data protection, privacy, regulation, identity, technology, legal theory
JEL Classification: K, K2, K3, K4