17 February 2017

Privacy Taxonomy and the GDPR

'Property and (Intellectual) Ownership of Consumers’ Information: A New Taxonomy for Personal Data' by Gianclaudio Malgieri in (2016) 4 Privacy in Germany – PinG 133 comments
This article proposes a new personal data taxonomy in order to determine more clearly ownership and control rights on different kinds of information related to consumers. In an information society, personal data is no longer a mere expression of personality but a strong economic element in the relationships between companies and customers. As a consequence, the new General Data Protection Regulation recognises different levels of control rights to consumers in accordance with a ‘proprietorial’ approach to personal data. Moreover, existing data taxonomies (based on a subject matter approach) are anachronistic. In an IoT world, the information industry is interested in any data related to consumers: not only their commercial preferences or habits, but also their health conditions, their family and financial status, their sports habits, friendships, and so on. At the same time, there exists a great conflict between privacy concerns and IP interests of companies regarding customer data processing.
This article proposes to change the perspective on personal data taxonomy and to classify personal information in accordance with its ‘relationship’ to the data subject and to reality, and with intellectual activity of businesses in acquiring and processing such data. Three categories are identifiable in this respect: strong relationship data (data provided directly by customers), intermediate relationship data (data observed or inferred and related to the present life of consumers), and weak relationship data (predictive data). Each category reflects different individuals’ rights under the EU General Data Protection Regulation. Data portability is provided just for strong relationship data, whereas no control rights are provided by weak relationship data. At the same time, other rights rebalance information asymmetries between consumers and enterprises (right to information, right not to be subjected to automated profiling, etc.). Therefore, the best balancing approach in order to both respect the IP rights of companies and the information privacy rights of consumers is to distinguish ‘control rights’ (access, portability, oblivion) from ‘reaction rights’ (right to information, opposition to automated profiling, etc).