Do You Know Me? Decomposing Identifiability
Tilburg University Legal Studies Working Paper No. 001/2008
TILT Law & Technology Working Paper Series No. 006/2008
24 Pages Posted: 17 Jan 2008
Date Written: January 17, 2008
Abstract
Data protection regulation aims to protect individuals against misuse and abuse of the their personal data, while at the same time allowing businesses and governments to use personal data for legitimate purposes. Collisions between these aims are prevalent in practices such as profiling and behavioral targeting, Many online service providers claim not to collect personal data, whereas data protection authorities and privacy scholars claim the opposite, or that at least there are serious concerns.
This paper argues that part of the disagreement in the debates stems from a conflation of distinct notions of identifiability in current definitions and legal provisions regarding personal data. As a result the regulation is overinclusive, addresses the wrong issues, and leads to opposition by the industry. In this paper I decompose identifiability into four subcategories: L-, R-, C- and S-Identifiability. L-identifiability allows individuals to be targeted in the real world on the basis of the identifier, whereas this is not the case in the other three. R-type identifiability can be further decomposed in S-type, which is a technical kludge, and C-type identifiability which relates to the classification of individuals as being member of some set.
Distinguishing these types helps unraveling the complexities of the issues involved in profiling, dataveillance, etc.. L-, R-, and C-type identification occur in different domains, and their goals, relations, issues, and effects differ. The paper argues that the different types of identifiability should be treated differently and that the regulatory framework should reflect this.
Keywords: data protection, privacy, regulation, identity, technology, legal theory
JEL Classification: K20, K30, K40
Suggested Citation: Suggested Citation