Title: Towards a new approach to the legal definition of personal data and a jurisdictional model of data protection law : surpassing the requirement for an assessment of identifiability from data with an effects-based approach
Author: Knight, Alison Mary
ISNI: 0000 0004 8509 7656
Awarding Body: University of Southampton
Current Institution: University of Southampton
Date of Award: 2017
Means of identification are growing rapidly with new digital and online tracking capabilities, and other emerging technologies of personal verification and authentication. Today, we emit a wide spectrum of direct – but also indirect – identifiers which, in recorded form, either alone or in combinations, can lead to us being known in different ways. Indeed, in a world that is becoming increasingly hyper-connected and digitally-surveyed, internet-connected devices leak a constant stream of data with which individual users (and proximate others in the data-collection vicinities) can be associated. Furthermore, the more data about a person that are collected, the easier it can become for further information to be inferred about them, linked to them, as well as for them to be singled out from others. Along with the development of data analytical techniques, this has led to recognition that scientific and technological advances are making it increasingly difficult to de-identify personal data and guarantee that the individuals to whom such data relates may not be later re-identified from it. The legal, privacy, and regulatory challenges that flow from these facts have led to the present research. They point to the fact that there is confusion about the legal definition of personal data reliant upon the concept of identification capabilities from information, in interpretation and practical application (in determining what data comes within its scope and data protection obligations apply), when confronted with new technological realities. More specifically, such challenges point to the critical importance of reconsidering the requirement of being identified or identifiable from data as a key trigger for the application of data protection rules.
This research explores the significance of the legal requirement that an individual must be identified or identifiable from data as tantamount to the primary factor in determining whether it is personal data or not and subject to EU data protection law, both now and under incoming legal reform (the EU General Data Protection Regulation, ‘GDPR’) to take effect from 25 May 2018. The research findings enable an assessment to be made of the ‘fitness-for-purpose’ of an identificatory approach to personal data as providing a meaningful boundary to data protection regulation. The yard-stick of evaluation is achievement of the twin aims of EU data protection legislation: upholding the fundamental rights of data subjects (in particular, their right to privacy) in connection with the processing of data about them to a high level of equivalence in EU national laws, while also facilitating intra-EU/transborder-with-EU flows of such data. Such an approach is compared against the contours of a new theoretical approach to personal data classification revolving around an analysis of the likely negative effects (risk of harm) to a data subject flowing from data processing activities intended to be applied to information. This comparison is then elaborated on via interrogation of the two approaches, and models founded upon such approaches (existing and prospective), in relation to determining when personal data may – and may no longer be – deemed personal under data protection law. This thesis argues that reconceptualising the definition of personal data as dependent on an effects-based assessment, not an identificatory one, could lay the foundations for a more conceptually-coherent, jurisdictional methodology for determining when and, ultimately, what data protection rules should apply in context.
Such a methodology would require a risk-management exercise to be carried out by those planning to process data relating to persons, involving the quantification of likely harm that may flow from particular data processing activities in context. Consequently, a proposition is advanced to implement effect-based exemptions under data protection law, which takes insight from an effects-based framework already evolved under modernised EU competition law. In particular, consideration is given to the use of certain legal ‘safe harbour’ instruments - specifically, block exemption regulations providing comfort from enforcement action - as inspiration for moving to a more coherent, flexible and proportionate regulatory system able to take into account collective interests. The resulting expansion of the data protection regulatory toolkit could incentivise and enhance confidence in compliance, as well as help encourage data sharing to promote innovation and demonstrable public benefits. Such a development would marry well with the incoming principles of accountability, and impact assessments, as the regulatory ‘lynchpins’ by which those who intend to process data relating to living individuals must abide in the future as analytic practices and technological applications become more complex.
Supervisor: Stalla-Bourdillon, Sophie
Sponsor: Not available
Qualification Name: Thesis (Ph.D.)
Qualification Level: Doctoral
EThOS ID:
DOI: Not available