From knowing by name to targeting: the meaning of identification under the GDPR

• Despite its core role in the EU system of data protection, the meaning of identification remains unclear in data protection law and scholarship while the spotlight focuses on the legally relevant chance of identification, i.e. identifiability. • While Article 29 Working Party interpreted identification broadly, as distinguishing one in a group, this interpretation has been questioned in light of the CJEU decision in Breyer. This paper tackles this uncertainty. • This paper offers an integrated socio-technical typology of identification where, in addition to the known identification types (look-up-, recognition-, session- and classification identification), targeting is added as a new identification type. To identify by way of targeting means to select a particular individual from a group as an object of attention or treatment in a single moment of time. • The paper clarifies the legal meaning of identification under the GDPR. It proposes a contextual interpretation of Breyer, which negates Breyer’s restrictive potential and brings all identification types within the GDPR. • The paper concludes with a discussion of the implications of this reading of identification for data protection in terms the applicability of the GDPR to new data technologies and practices such as facial detection and non-tracking based targeted advertising, effects of certain privacy preserving technologies such as federated learning of cohorts, consequences for invoking data protection rights when identification is not possible, but also in terms of the need to clearly define the objectives of the data protection law