Maria Lillà Montagnani (Bocconi University – Department of Law) and Mark Verstraete (UCLA School of Law) have posted “What Makes Data Personal?” (UC Davis Law Review, Vol. 56, No. 3, Forthcoming 2023) on SSRN. Here is the abstract:
Personal data is an essential concept for information privacy law. Privacy’s boundaries are set by personal data: for a privacy violation to occur, personal data must be involved. And an individual’s right to control information extends only to personal data. However, current theorizing about personal data is woefully incomplete. In light of this incompleteness, this Article offers a new conceptual approach to personal data. To start, this Article argues that personal data is simply a legal construct that describes the set of information or circumstances where an individual should be able to exercise control over a piece of information.
After displacing the mythology about the naturalness of personal data, this Article fashions a new theory of personal data that more adequately tracks when a person should be able to control specific information. Current approaches to personal data rightly examine the relationship between a person and information; however, they misunderstand what relationship is necessary for legitimate control interests. Against the conventional view, this Article suggests that how the information is used is an indispensable part of the analysis of the relationship between a person and data that determines whether the data should be considered personal. In doing so, it employs the philosophical concept of separability as a method for making determinations about which uses of information are connected to a person and, therefore, should trigger individual privacy protections and which are not.
This framework offers a superior foundation to extant theories for capturing the existence and scope of individual interests in data. By doing so, it provides an indispensable contribution for crafting an ideal regime of information governance. Separability enables privacy and data protection laws to better identify when a person’s interests are at stake. And further, separability offers a resilient normative foundation for personal data that grounds interests of control in a philosophical foundation of autonomy and dignity values—which are incorrectly calibrated in existing theories of personal data. Finally, this Article’s reimagination of personal data will allow privacy and data protection laws to more effectively combat modern privacy harms such as manipulation and inferences.