The great confusion about encryption, cornerstone concept of data security, may jeopardise a proper taxonomy in order to legally qualify data. Through a technical and legal literature review, this paper firstly aims to shed the light on the nature of encryption. Having set the context, the study investigates whether and to what extent the so-called relativist understanding of Recital 26 GDPR is desirable. It considers the effort required to identify the data subject only by the data controller: in the context of cryptography, GDPR’s regime would be applicable if a data controller is able to decrypt a data set or, at least, has reasonable possibilities of doing so. The legal analysis, integrated with technical aspects, addresses the case of polymorphic encryption as an argument in favour of the relativist approach in the post-Breyer era: if cryptographic means have been strong enough so that identification is no longer reasonably likely, such data would be effectively non-personal data. The advisability of such outcome will be critically discussed in the light of recent business trends, where big corporations are increasingly investing in business models aiming at removing from the equation personal data.

Disentangling encryption from the personalization debate: On the advisability of endorsing the “relativist approach” underpinning the identifiability criterion / Pier Giorgio Chiara. - In: UNIVERSITY OF VIENNA LAW REVIEW. - ISSN 2521-3962. - ELETTRONICO. - 4:2(2021), pp. 168-188. [10.25365/vlr-2020-4-2-168]

Disentangling encryption from the personalization debate: On the advisability of endorsing the “relativist approach” underpinning the identifiability criterion.

Pier Giorgio Chiara
2021

Abstract

The great confusion about encryption, cornerstone concept of data security, may jeopardise a proper taxonomy in order to legally qualify data. Through a technical and legal literature review, this paper firstly aims to shed the light on the nature of encryption. Having set the context, the study investigates whether and to what extent the so-called relativist understanding of Recital 26 GDPR is desirable. It considers the effort required to identify the data subject only by the data controller: in the context of cryptography, GDPR’s regime would be applicable if a data controller is able to decrypt a data set or, at least, has reasonable possibilities of doing so. The legal analysis, integrated with technical aspects, addresses the case of polymorphic encryption as an argument in favour of the relativist approach in the post-Breyer era: if cryptographic means have been strong enough so that identification is no longer reasonably likely, such data would be effectively non-personal data. The advisability of such outcome will be critically discussed in the light of recent business trends, where big corporations are increasingly investing in business models aiming at removing from the equation personal data.
2021
Disentangling encryption from the personalization debate: On the advisability of endorsing the “relativist approach” underpinning the identifiability criterion / Pier Giorgio Chiara. - In: UNIVERSITY OF VIENNA LAW REVIEW. - ISSN 2521-3962. - ELETTRONICO. - 4:2(2021), pp. 168-188. [10.25365/vlr-2020-4-2-168]
Pier Giorgio Chiara
File in questo prodotto:
File Dimensione Formato  
6134-Article Text-13158-1-10-20210422.pdf

accesso aperto

Tipo: Versione (PDF) editoriale
Licenza: Licenza per Accesso Aperto. Creative Commons Attribuzione - Non commerciale - Non opere derivate (CCBYNCND)
Dimensione 214.6 kB
Formato Adobe PDF
214.6 kB Adobe PDF Visualizza/Apri

I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.

Utilizza questo identificativo per citare o creare un link a questo documento: https://hdl.handle.net/11585/819173
Citazioni
  • ???jsp.display-item.citation.pmc??? ND
  • Scopus ND
  • ???jsp.display-item.citation.isi??? ND
social impact