'Identification in EU Data Protection Law' by David Erdos comments
Although the new EU data protection framework includes new pan-European limits based on notions of non-identification, these provisions cannot be construed in a sweeping or linear fashion. Non-identified data can only include information which is not being used to target a specific individual on- or offline and which does not readily and manifestly enable such pinpointing. Although GDPR controllers cannot generally be obliged to render such data identified, they must stand ready to do so to facilitate reactive subject rights. However, they have no design obligation to ensure this is easy. Identifying or authenticating whether a particular individual is a specific data subject and considering whether other data subjects are also linked to the information are separately regulated. With the exception of the GDPR rights to data portability and a copy of personal data, the latter is in principle left to national derogation. Regarding the former, both the GDPR and LED allow controllers to require further information where reasonably required to identify a claimant of reactive rights. However, controllers retain a fundamental duty to organise their processing to secure data obligations and rights. Controllers can generally only resist reactive rights claims where they can positively demonstrate that the request is manifestly excessive.