WORKING

PAPERS

WORKING PAPER • VOL. 6 • N° 24 • July 2020

Individuation: re-imagining data privacy laws to protect against digital harms

by Anna Johnston, Principal of Salinger Privacy

ABSTRACT

Most data protection and privacy laws turn on the identifiability of an individual as the threshold criteria for when data subjects will need legal protection. However I argue that privacy harms can also arise from individuation: the ability to disambiguate or ‘single out’ a person in the crowd, such that they could, at an individual level, be tracked, profiled, targeted, contacted, or subject to a decision or action which impacts upon them - even if that individual’s ‘identity’ is not known (or knowable). I conclude that data protection and privacy laws need a re-think and re-design in order to reflect the reality of the digital environment, and protect people from digital harms.

First, I will show that ‘not identifiable’ is no longer an effective proxy for ‘will suffer no privacy harm’. Second, I will argue that even the GDPR’s mention of ‘singling out’ is not sufficient to encompass harms arising from individuation. Third, I will demonstrate how some post-GDPR laws and statutory instruments have taken a more expansive approach to threshold criteria, to incorporate individuation. Finally, I will outline a six-part approach which could be taken by legislators to ensure that new or reformed laws robustly protect against digital harms, while avoiding some of the pitfalls demonstrated in the drafting of the CCPA.

Keywords: Personal data, personal information, identifiability, individuation, profiling, GDPR, CCPA, data protection, privacy, AdTech