Legislating for Indirectly-linked identifiers

A law that promotes Privacy by Design and Data Minimisation ought to encourage the use of indirectly-linked identifiers, which allow processing to be done separately from, or even without, the ability to identify the person whose information is being processed. However, European Data Protection law has never really worked out what these identifiers are. The resulting regulatory uncertainty discourages the use of indirectly-linked identifiers to protect privacy and may even result in obligations that create new privacy risks.

The current Data Protection Directive declares indirectly-linked identifiers to be the same as directly-linked identifiers. Both are personal data according to Article 2(a), so both are subject to the same legal duties. That immediately creates a problem as some of those duties are impossible to fulfil: if I only have an IP address, I can’t proactively contact you to report a security breach, for example. Indeed some duties, such as subject access requests and the proposed rights to transfer and erasure, are positively harmful if they are applied to identifiers that (like IP addresses under Carrier Grade NAT schemes) may be shared between large numbers of individuals. Such duties can only help what the UK Information Commissioner described as a “pervasive and widespread ‘industry’” already exploiting identifiers that aren’t sufficiently tightly bound to a single individual.

The latest draft Data Protection Regulation applies a quick fix to the first of these problems by declaring (in Article 10(2)) that if a duty is impossible for certain types of personal data then it doesn’t apply. This doesn’t help with the second problem, where a duty can be fulfilled but, in the interests of privacy, probably shouldn’t be. It also raises the concern that some of those disapplied duties might be important privacy protections which, rather than simply being deleted, should be replaced by alternative safeguards.

The challenge is that, depending on how they are created and used, indirectly-linked identifiers can be nearly as privacy-protecting as fully anonymised data or nearly as privacy-harming as direct identifiers. Hence the apparent paradox of a regulator promoting them as a privacy-enhancing technology at the same time as some uses, including profiling and automated decision making, are considered so hazardous that they require specific additional regulation (e.g. Article 15 of the Data Protection Directive).

Given this range of privacy benefits and threats, legislation that treats all indirectly-linked identifiers alike, whether as personal data (“assuming the worst”) or non-personal data (“hoping for the best”), seems bound to fail. Instead the law needs to look both at the identifiers and their uses, developing a set of rules that are necessary and safe for all indirectly-linked identifiers and then applying additional restrictions on uses that involve a particular risk (for example where re-identification is intended). That way we can get the privacy benefits of identifiers that don’t identify while still reducing the risks of them being misused.

By Andrew Cormack

I'm Chief Regulatory Advisor at Jisc, responsible for keeping an eye out for places where our ideas, services and products might raise regulatory issues. My aim is to fix either the product or service, or the regulation, before there's a painful bump!
