Data about people has become a key form of capital in information economies, where its processing is often distributed and multi-party in nature, working through supply chains of interconnected services and actors. Personal data’s legal definition – any information relating to an identified or identifiable natural person – divides processing of this data which is subject to data protection law from that which is not. The question of when an individual is in some way ‘identifiable’ therefore helps determine whether its processing falls within data protection law’s framework. I argue that the CJEU’s jurisprudence on this question in practice combines with common multi-party processing arrangements to produce a space of effective legal immunity around shadow processing for speculative accumulation of and value extraction from data relating to people, beyond the reach of data protection law. This is because the CJEU’s modified relative understanding of identifiability systematically excludes certain supply chain actors from the law’s scope. In doing so, this interpretation undermines data protection law’s purpose and objectives of protecting people’s rights and interests where information about them is being processed, operates retrospectively and produces legal uncertainty for many parties, and leaves governance of shadow processing to unsuitable private law mechanisms. This interpretation should be rejected in favour of a contextual and pluralistic one, which better accounts for the distributed and multi-party nature of data processing today.
Jennifer Cobbe (Mon,) studied this question.
Synapse has enriched 5 closely related papers on similar clinical questions. Consider them for comparative context: