
Identification in personal data: Authenticating the meaning and reach of another broad concept in EU data protection law

Accepted version
Peer-reviewed

Type

Article

Abstract

Although the new EU data protection framework includes new pan-EU limits based on notions of non-identification, these provisions cannot be construed in a sweeping or linear fashion. Personally identifiable data can only include information which is not being used to target a specific individual on- or offline. Although GDPR controllers cannot generally be obliged to render such personal data into an identified form, they must stand ready to do so to facilitate request-based transparency and control rights. However, they have no design obligation to ensure this is easy. Considering whether other data subjects are also linked to the information and reconciling competing rights are left to restrictions in national law, with the exception of the GDPR rights to data portability, to receipt of a copy of personal data and potentially to mere access to personal data as well. Proactive duties to ensure that an individual can be authenticated as a specific data subject flow from a fundamental duty to enable transparency and control, although both the GDPR and Law Enforcement Directive (LED) allow controllers to require further information from rights claimants where reasonably required to identify them. Controllers can generally only resist request-based rights claims where they can positively demonstrate that the particular request is manifestly excessive.

Keywords

48 Law and Legal Studies, 4807 Public Law, 16 Peace, Justice and Strong Institutions

Journal Title

Computer Law and Security Review

Journal ISSN

0267-3649

Publisher

Elsevier BV