1Conducting a PIA will become mandatory for certain categories of personal data processing.
CHAPTER 2
Terminology
Before getting into the substance of the matter, it is necessary to define precisely the main concepts involved in a privacy risk analysis. Indeed, technical terms are not always used in a consistent way in this area and different authors sometimes use the same words with different meanings. The objective of this chapter is to set the scene and introduce the terminology used throughout this book.
In the following subsections, we define successively the notions of:
1. personal data, which is the object of protection;
2. stakeholders, which relate to or handle personal data at various stages of their lifecycle;
3. risk sources, which may cause privacy breaches;
4. feared events, which may lead to privacy harms; and
5. privacy harms, which are the impacts of privacy breaches on individuals, groups of individuals or society as a whole.
Some of these notions, such as privacy harms, have been extensively discussed by legal scholars even though they have received less attention from law makers. Others, such as personal data, are defined by privacy laws and regulations. Still others, such as feared events, have been used only by certain data protection authorities. However, even for terms that are well-discussed, there is generally no single interpretation of their meaning. Therefore, in the following sections we provide a concise definition of each of these terms (which will be further discussed in the next chapters). For some of them, we agree with one of the existing definitions, while for others we provide our own and justify our choice. In the rest of the book, unless otherwise mentioned, these terms will be used in the sense defined in this chapter.
2.1 PERSONAL DATA
Both the European Union (EU) and the United States (U.S.) privacy regulations rely on notions of “data” or “information” but they follow different approaches. While the EU defines the notion of “personal data,” the U.S. refers to “personally identifiable information” (or “PII”). The use of these terms reveals substantial differences in the ways of considering privacy on each side of the Atlantic.
The notion of personal data used in this book is mainly inspired by the definitions provided by the EU Data Protection Directive (“EU Directive” in the sequel) [47] and the EU General Data Protection Regulation (“GDPR” in the sequel) [48]. The primary reason for this choice is that the EU provides a single, uniform definition, which contrasts with the multiple, competing attempts at defining PII in the U.S. [134, 135].
Article 4(1) of the GDPR [48] defines personal data as follows:
‘“Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
The GDPR (Recital 26) adds a clarification about pseudonymization and identification: “Personal data which has undergone pseudonymisation, which could be attributed to a natural person by the use of additional information, should be considered to be information on an identifiable natural person. To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly.”
This position is inspired by the Working Party 29.1 Opinion 08/2012 [10] suggesting that “any information allowing a natural person to be singled out and treated differently” should be considered as personal data. Our definition of personal data is in line with the approaches followed by the GDPR and the Working Party 29.
Definition 2.1 Personal Data [10, 47, 48]. Personal data is any information relating to an identified or identifiable natural person2 and any information allowing such a person to be singled out or treated differently.
Considering the fact that a person can be singled out or treated differently makes it possible to take into account data processing that can have privacy impacts, such as discriminatory treatments (e.g., discriminatory ads [38]), without necessarily identifying any individual.
The different approaches followed for the definition of personal data in the EU and the U.S. are further discussed in Chapter 4.
2.2 STAKEHOLDERS
The term “stakeholder” is commonly used in the literature, generally without definition. Even though its meaning may look obvious, we define it as follows to avoid any ambiguity.
Definition 2.2 Stakeholder. A stakeholder is any entity (individual or organization) to which a piece of data relates or that processes3 or gets access (legally or not) to a piece of data at any stage of its lifecycle.
The EU Directive provides comprehensive definitions of different types of stakeholders, whereas the U.S. privacy laws and regulations rely on sectoral definitions. In this book, we follow the same approach as the EU Directive and consider the following stakeholders:
• data controllers,
• data subjects,
• data processors and
• third parties.
We also chose to use definitions inspired by the EU Directive for these terms.
Definition 2.3 Data Subject [10, 32, 47, 48]. A data subject is an identified or identifiable natural person whom the personal data relates to.
Definition 2.4 Data Controller [32, 47]. A data controller is an entity (individual or organization) that, alone or jointly with others, determines the purpose, conditions and means of processing of personal data.
Definition 2.5 Data Processor [47]. A data processor is an entity (individual or organization) that processes personal data on behalf of the data controller.
Definition 2.6 Third Party [47]. A third party is an entity (individual or organization) other than the data subject, the controller, the processor and the persons who, under the direct authority of the controller or the processor, are authorized to process the data.
Typical examples of third parties include ad brokers installing cookies on the computer of the data subject, marketing companies receiving personal data from the data controller, or pairs in a social network.
Some difficulties may arise while applying these definitions in practical scenarios, especially those that involve multi-party processing arrangements and cloud computing. In some cases, the notion of the data controller and the data processor cannot be distinguished very easily.4
The roles defined above are not mutually exclusive. For example, a data controller for one set of data or operations may act as a data processor for another set of data or operations. Moreover, consistently with the approach followed in the EU Directive, the above definitions do not imply the lawfulness of the actions of any entity. A data controller, for example, may legally or illegally process data; it may process data without any legitimate purpose or collect more data than necessary for the purpose. This is in agreement with the opinion of the Working Party 29 [8] clarifying that the data controller only “determines” rather than “lawfully determines” the purpose and the means for data processing.
2.3 RISK SOURCES
One