Identification in personal data: Authenticating the meaning and reach of another broad concept in EU data protection law
Accepted version
Peer-reviewed
Repository URI
Repository DOI
Change log
Authors
Abstract
Although the new EU data protection framework includes new pan-EU limits based on notions of non-identification, these provisions cannot be construed in a sweeping or linear fashion. Personally identifiable data can only include information which is not being used to target a specific individual on- or offline Although GDPR controllers cannot generally be obliged to render such personal data into an identified form, they must stand ready to do so to facilitate request-based transparency and control rights. However, they have no design obligation to ensure this is easy. Considering whether other data subjects are also linked to the information and reconciling competing rights are left to restrictions in national law, with the exception of the GDPR rights to data portability, to receipt of a copy of personal data and potentially to mere access to personal data as well. Proactive duties to ensure that an individual can be authenticated as a specific data subject flow from a fundamental duty to enable transparency and control, although both the GDPR and Law Enforcement Directive (LED) allow controllers to require further information from rights claimants where reasonably required to identify them. Controllers can generally only resist request-based rights claims where they can positively demonstrate that the particular request is manifestly excessive.