Identification in EU Data Protection Law
27 Pages Posted: 15 Jan 2021 Last revised: 19 Jan 2021
Date Written: January 6, 2021
Although the new EU data protection framework includes new pan-European limits based on notions of non-identification, these provisions cannot be construed in a sweeping or linear fashion. Non-identified data can only include information which is not being used to target a specific individual on- or offline and which does not readily and manifestly enable such pinpointing. Although GDPR controllers cannot generally be obliged to render such data identified, they must stand ready to do so to facilitate reactive subject rights. However, they have no design obligation to ensure this is easy. Identifying or authenticating whether a particular individual is a specific data subject and considering whether other data subjects are also linked to the information are separately regulated. With the exception of the GDPR rights to data portability and a copy of personal data, the latter is in principle left to national derogation. Regarding the former, both the GDPR and LED allow controllers to require further information where reasonably required to identify a claimant of reactive rights. However, controllers retain a fundamental duty to organise their processing to secure data obligations and rights. Controllers can generally only resist reactive rights claims where they can positively demonstrate that the request is manifestly excessive.
Keywords: AdTech, authentication, data protection by design, GDPR, identifiers, identification, Law Enforcement Directive, pseudonymization, rectification, right to object, right to erasure, scientific research, subject access, surveillance capitalism, profiling
Suggested Citation: Suggested Citation