Chasing shadows: the interplay of privacy and (digital) identification - toward an identifiability-based framework for privacy impact assessment

Abstract

Digital technology deeply affects the natural interplay between privacy, personal identity and identification. Privacy implications of digital identification practices are apparent but privacy studies tend to neglect either technical or societal factors in this regard. Only few studies take multiple angles into account. To narrow this gap, this research applied an interdisciplinary approach, located in the field of technology assessment; informed by general systems theory as an analytical lens. The results reveal a privacy control dilemma of digital identification shaped by several interrelated socio-political, economic and technical factors. Existing tensions between privacy, security, surveillance and transparency aggravate. Increases in implicit and explicit forms of (digital) identification, partially overlapping with surveillance practices, reinforce this dilemma: further growth in digitally networked environments complicates the detection of privacy risks and the creation of appropriate safeguards. Thus a core problem of contemporary privacy protection is uncontrolled identifiability, aggravating information asymmetries and agency problems inherent to the control dilemma. Entailed is increasing demand for privacy by design (PbD) and privacy impact assessment (PIA), also stimulated by the new European data protection regulation. Easing the dilemma requires more transparency of privacy-affecting information processing and thus PIA. Based on a review of existing PIA approaches, a refined approach was developed. The proposed identifiabilitybased PIA framework contributes to improve the theoretical understanding of privacy impacts with practical relevance. Included is a typology of identifiable information with explicit consideration of technical identifiability. The typology enables a more systematic analysis of privacy-relevant information processes as integral part of PIA. This can also contribute to the development of more effective PbD implementations. A prototypical PIA process sketches a potential practical adoption of the identifiability-based approach, supportive as a guideline for PIA implementations in institutions. Progressing digital automation and semi-autonomous systems make a further expansion of identifiability likely and thus additional demand for effective PIA and PbD.