Towards A New Approach To The Legal Definition Of Personal Data And A Jurisdictional Model Of Data Protection Law: Surpassing The Requirement For An Assessment Of Identifiability From Data With An Effects-Based Approach
Towards A New Approach To The Legal Definition Of Personal Data And A Jurisdictional Model Of Data Protection Law: Surpassing The Requirement For An Assessment Of Identifiability From Data With An Effects-Based Approach
Means of identification are growing rapidly with new digital and online tracking capabilities, and other emerging technologies of personal verification and authentication. Today, we emit a wide spectrum of direct - but also indirect – identifiers which, in recorded form, either alone or in combinations, can lead to us being known in different ways. Indeed, in a world that is becoming increasingly hyper-connected and digitally-surveyed, internet-connected devices leak a constant stream of data with which individual users (and proximate others in the data-collection vicinities) can be associated. Furthermore, the more data about a person that are collected, the easier it can become for further information to be inferred about them, linked to them, as well as for them to be singled out from others. Along with the development of data analytical techniques, this has led to recognition that scientific and technological advances are making it increasingly difficult to de-identify personal data and guarantee that the individuals to whom such data relates may not be later re-identified from it.
The legal, privacy, and regulatory challenges that flow from these facts have led to the present research. They point to the fact that there is confusion about the legal definition of personal data reliant upon the concept of identification capabilities from information, in interpretation and practical application (in determining what data comes within its scope and data protection obligations apply), when confronted with new technological realities. More specifically, such challenges point to the critical importance of reconsidering the requirement of being identified or identifiable from data as a key trigger for the application of data protection rules.
This research explores the significance of the legal requirement that an individual must be identified or identifiable from data as tantamount to the primary factor in determining whether it is personal data or not and subject to EU data protection law, both now and under incoming legal reform (the EU General Data Protection Regulation, ‘GDPR’) to take effect from 25 May 2018. The research findings enable an assessment to be made of the ‘fitness-for-purpose’ of an identificatory approach to personal data as providing a meaningful boundary to data protection regulation. The yard-stick of evaluation is achievement of the twin aims of EU data protection legislation: upholding the fundamental rights of data subjects (in particular, their right to privacy) in connection with the processing of data about them to a high level of equivalence in EU national laws, while also facilitating intra-EU / transborder-with-EU flows of such data.
Such an approach is compared against the contours of a new theoretical approach to personal data classification revolving around an analysis of the likely negative effects (risk of harm) to a data subject flowing from data processing activities intended to be applied to information. This comparison is then elaborated on via interrogation of the two approaches, and models founded upon such approaches (existing and prospective), in relation to determining when personal data may – and may no longer be - deemed personal under data protection law.
This thesis argues that reconceptualising the definition of personal data as dependent on an effects-based assessment, not an identificatory one, could lay the foundations for a more conceptually-coherent, jurisdictional methodology for determining when and, ultimately, what data protection rules should apply in context. Such a methodology would require a risk-management exercise to be carried out by those planning to process data relating to persons, involving the quantification of likely harm that may flow from particular data processing activities in context.
Consequently, a proposition is advanced to implement effect-based exemptions under data protection law, which takes insight from an effects-based framework already evolved under modernised EU competition law. In particular, consideration is given to the use of certain legal ‘safe harbour’ instruments - specifically, block exemption regulations providing comfort from enforcement action - as inspiration for moving to a more coherent, flexible and proportionate regulatory system able to take in to account collective interests. The resulting expansion of the data protection regulatory toolkit could incentivise and enhance confidence in compliance, as well as help encourage data sharing to promote innovation and demonstrable public benefits. Such a development would marry well with the incoming principles of accountability, and impact assessments, as the regulatory ‘lynchpins’ against which those who intend to process data relating to living individuals must abide by in the future as analytic practices and technological applications become more complex.
University of Southampton
Knight, Alison, Mary
d236af12-ad63-4f55-848b-cb55f179f5f4
November 2017
Knight, Alison, Mary
d236af12-ad63-4f55-848b-cb55f179f5f4
Stalla-Bourdillon, Sophie
c189651b-9ed3-49f6-bf37-25a47c487164
Knight, Alison, Mary
(2017)
Towards A New Approach To The Legal Definition Of Personal Data And A Jurisdictional Model Of Data Protection Law: Surpassing The Requirement For An Assessment Of Identifiability From Data With An Effects-Based Approach.
University of Southampton, Doctoral Thesis, 418pp.
Record type:
Thesis
(Doctoral)
Abstract
Means of identification are growing rapidly with new digital and online tracking capabilities, and other emerging technologies of personal verification and authentication. Today, we emit a wide spectrum of direct - but also indirect – identifiers which, in recorded form, either alone or in combinations, can lead to us being known in different ways. Indeed, in a world that is becoming increasingly hyper-connected and digitally-surveyed, internet-connected devices leak a constant stream of data with which individual users (and proximate others in the data-collection vicinities) can be associated. Furthermore, the more data about a person that are collected, the easier it can become for further information to be inferred about them, linked to them, as well as for them to be singled out from others. Along with the development of data analytical techniques, this has led to recognition that scientific and technological advances are making it increasingly difficult to de-identify personal data and guarantee that the individuals to whom such data relates may not be later re-identified from it.
The legal, privacy, and regulatory challenges that flow from these facts have led to the present research. They point to the fact that there is confusion about the legal definition of personal data reliant upon the concept of identification capabilities from information, in interpretation and practical application (in determining what data comes within its scope and data protection obligations apply), when confronted with new technological realities. More specifically, such challenges point to the critical importance of reconsidering the requirement of being identified or identifiable from data as a key trigger for the application of data protection rules.
This research explores the significance of the legal requirement that an individual must be identified or identifiable from data as tantamount to the primary factor in determining whether it is personal data or not and subject to EU data protection law, both now and under incoming legal reform (the EU General Data Protection Regulation, ‘GDPR’) to take effect from 25 May 2018. The research findings enable an assessment to be made of the ‘fitness-for-purpose’ of an identificatory approach to personal data as providing a meaningful boundary to data protection regulation. The yard-stick of evaluation is achievement of the twin aims of EU data protection legislation: upholding the fundamental rights of data subjects (in particular, their right to privacy) in connection with the processing of data about them to a high level of equivalence in EU national laws, while also facilitating intra-EU / transborder-with-EU flows of such data.
Such an approach is compared against the contours of a new theoretical approach to personal data classification revolving around an analysis of the likely negative effects (risk of harm) to a data subject flowing from data processing activities intended to be applied to information. This comparison is then elaborated on via interrogation of the two approaches, and models founded upon such approaches (existing and prospective), in relation to determining when personal data may – and may no longer be - deemed personal under data protection law.
This thesis argues that reconceptualising the definition of personal data as dependent on an effects-based assessment, not an identificatory one, could lay the foundations for a more conceptually-coherent, jurisdictional methodology for determining when and, ultimately, what data protection rules should apply in context. Such a methodology would require a risk-management exercise to be carried out by those planning to process data relating to persons, involving the quantification of likely harm that may flow from particular data processing activities in context.
Consequently, a proposition is advanced to implement effect-based exemptions under data protection law, which takes insight from an effects-based framework already evolved under modernised EU competition law. In particular, consideration is given to the use of certain legal ‘safe harbour’ instruments - specifically, block exemption regulations providing comfort from enforcement action - as inspiration for moving to a more coherent, flexible and proportionate regulatory system able to take in to account collective interests. The resulting expansion of the data protection regulatory toolkit could incentivise and enhance confidence in compliance, as well as help encourage data sharing to promote innovation and demonstrable public benefits. Such a development would marry well with the incoming principles of accountability, and impact assessments, as the regulatory ‘lynchpins’ against which those who intend to process data relating to living individuals must abide by in the future as analytic practices and technological applications become more complex.
Text
Alison_Knight_final_PhD_thesis_July_2019_FINAL
- Version of Record
More information
Published date: November 2017
Identifiers
Local EPrints ID: 436790
URI: http://eprints.soton.ac.uk/id/eprint/436790
PURE UUID: ef7280c4-8709-44e2-8067-6c7c42836c3b
Catalogue record
Date deposited: 09 Jan 2020 17:30
Last modified: 17 Mar 2024 03:23
Export record
Contributors
Author:
Alison, Mary Knight
Download statistics
Downloads from ePrints over the past year. Other digital versions may also be available to download e.g. from the publisher's website.
View more statistics
