Information can harm people, for instance, being denied a mortgage or insurance based on your grocery shopping or online surfing profile. But what exactly is it in information that is harmful, and how can people be protected? The current legal answer is that legal protection (data protection principles, rights and obligations) is granted when a) there is information b) about or potentially affecting a person c) who is identified or identifiable. This is personal data. But what will become of legal protection when all information is personal data, and how will law be able to meaningfully protect against information-induced harms?

Given modern data collection and processing techniques and unprecedented amounts of data available for analysis, any information will become personal data in a near future. Legal regime of protection triggered by any automated interaction with information will be difficult to maintain. Yet, alternatives for structuring legal protection other than through the concept of personal data are lacking.

With the research project Understanding information for the legal protection of people against information-induced harms (INFO-LEG), we look for substitutes for the notion of personal data to fundamentally re-organize legal protection. The project is unique in integrating how law, economics, and information studies conceptualize information. In addition to the data protection law, the results of the project will impact various other areas of law regulating information in digital age: intellectual property (drawing borders of rights in information objects); constitutional law (if data is protected speech); telecommunication and cybercrime.

Research questions

The main research question is: which organising notion or notions relating to information are appropriate to trigger legal protection of people against information-induced harms?

The main research question is divided into three sub-questions:

  1. How do modern information processing technologies and practices challenge current personal data-centred legal protection against information-induced harms?
  2. Which organising notions can be found to provide protection against information-induced harms more consistently and robustly than the protection triggered by personal data?
  3. Which organising notions are appropriate for protecting people from information-induced harms, and how can they help shape legal reform?