Database Reference
In-Depth Information
Ohm (2010) proposes a differentiation based on the roles different entities can
play in the identification or re-identification process. He argues that because iden-
tification or re-identification is made possible (or easier) by combining different
data sets from different entities, entities that process large amounts of (personal)
data (what Ohm calls 'large entropy reducers'), should have a higher duty of care
(e.g., companies like Google, Microsoft and Choicepoint).
Schwarz & Solove (2011) propose a differentiated system based on the differ-
ence between 'identified data' and 'identifiable data'. They divide the use of data
into three risk categories: identified, identifiable, and non-identifiable. Rather than
defining these categories in law, they opt for a more flexible, standards based ap-
proach to determine under which circumstances what regime should apply.
7.7.2 Focus on the 'Why' Instead of the 'What': Goal Oriented
Approach
While a more fine-grained data centric approach will, to some extent, remedy the
issues associated with the binary and procedural nature of data protection legisla-
tion, it does not necessarily deal effectively with the possible risks of profiling.
Therefore, we should also look towards other mechanisms to function alongside
data protection legislation.
An alternative (or an addition) to the data centric approach is a more goal ori-
ented approach. Depending on the actual goal of the data processing and the pos-
sible risks involved, the most effective protective measures may be chosen.
Purpose specification and purpose binding already form key elements of the
structure of the current Data protection directive. Data controllers need to have a
specified, explicit and legitimate purpose for collecting personal data and any fur-
ther processing may not be incompatible with the specified purpose (see article 6
of the Directive). However, the goal of the data processing does not determine
which rules should apply. Rather, the general rules of the Data protection directive
apply, regardless whether they are the most effective protective measures.
7.7.3 Revisiting the Moral Reasons for Data Protection
In a goal-oriented approach the type and level of protection would be based pri-
marily on the goal of the profiling exercise and the risks associated with this goal,
rather than on the basis of the fact that certain data is considered personal data. By
looking more closely at the risks involved with a particular type of processing we
can ascertain whether data protection law should apply, and to what extent. A
more goal-oriented approach makes data protection rules more context-sensitive,
opening up the possibility for other legal protection mechanisms (such as con-
sumer protection, equal treatment, and unfair commercial practices legislation)
that might be more effective or suitable.
A goal-oriented approach to data protection and profiling would therefore place
more emphasis on the moral grounds for data protection than is currently the case.
This may also entail that other types of legislation (anti-discrimination legislation
for instance) may come into play in addition to data protection law. In some cases
Search WWH ::




Custom Search