9 Squares: Framing Data Privacy Issues

Eerke Albert Boiten


In order to frame discussions on data privacy in varied contexts, this paper introduces a categorisation of personal data along two dimensions. Each of the nine resulting categories offers a significantly different flavour of issues in data privacy. Some issues can also be perceived as a tension along a boundary between different categories.

The first dimension is data ownership: who holds or publishes the data. The three possibilities are “me”, i.e. the data subject; “us”, where the data subject is part of a community; and “them”, where the data subject is indeed a subject only. The middle category contains social networks as the most interesting instance. The amount of control for the data subject moves from complete control in the “me” category to very little at all in the “them” square – but the other dimension also plays a role in that.

The second dimension has three possibilities, too, focusing on the type of personal data recorded: “attributes” are what would traditionally be found in databases, and what one might think of first for “data protection”. The second type of data is “stories”, which is personal data (explicitly) produced by the data subjects, such as emails, pictures, and social network posts. The final type is “behaviours”, which is (implicitly) generated personal data, such as locations and browsing histories. The data subject has very little control over this data, even in the “us” category. This lack of control, which is closely related to the business models of the “us” category, is likely the major data privacy problem of our time.

Full Text:



M. Aspan, ‘How Sticky Is Membership on Facebook? Just Try Breaking Free’ (New York Times, 11 February 2008). (accessed 19 July 2016, requires free registration).

M. Barbaro, T. Zeller Jr, ‘A Face Is Exposed for AOL Searcher No. 4417749’ (New York Times, 9 August 2006). (accessed 19 July 2016, requires free registration).

‘City of London calls halt to smartphone tracking bins’ (BBC News, 12 August 2013), (accessed 19 July 2016).

P. Bernal, ‘The EU, the US, and the Right to be Forgotten’, in: Gutwirth, S., Leenes, R.E., De Hert, P. (eds.), Computers, privacy and data protection – reloading data protection (Dordrecht etc., Springer 2014).

P. Druschel, M. Backes, and R. Tirtea. ‘The right to be forgotten – between expectations and practice’. European Network and Infor-mation Security Agency, November 2012, (accessed 19 July 2016).

Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, (accessed 19 July 2016)

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Pro-tection Regulation), (accessed 19 Ju-ly 2016)

Europe vs. Facebook .

P. Fleischer, ‘Foggy thinking about the Right to Oblivion’ (9 March 2011) (accessed 19 July 2016).

P. Golle and K. Partridge, ‘On the Anonymity of Home/Work Lo-cation Pairs’, in H. Tokuda, M. Beigl, A. Friday, A. J. Bernheim Brush, Y. Tobe (eds): Pervasive Computing, 7th International Con-ference, LNCS 5538, pp 390-397, Springer 2009. doi 10.1007/978-3-642-01516-8_26.

Google Spain SL, Google Inc. v Agencia Española de Protección de Datos (AEPD), Mario Costeja González, (accessed 19 July 2016).

Y.-A. de Montjoye, C.A. Hidalgo, M. Verleysen and V.D. Blondel, ‘Unique in the Crowd: The privacy bounds of human mobility’, Scientific Reports 3:1376, doi 10.1038/srep01376, March 2013. (accessed 19 July 2016)

A. Narayanan, V. Shmatikov. ‘Robust de-anonymization of large sparse datasets.’ IEEE Symposium on Security and Privacy, IEEE, 111-125, 2008. doi: 10.1109/SP.2008.33

F. Pasquale, The Black Box Society – The Secret Algorithms That Control Money and In-formation (Harvard University Press, 2015).

V. Reding, ‘Citizenship Privacy matters – Why the EU needs new personal data protection rules’, The European Data Protection and Privacy Conference Brussels, 30 Nov 2010, (accessed 19 July 2016).

‘WayBack Machine’, (accessed 19 July 2016).

Wikihow, ‘How to Ungoogle yourself’, (accessed 19 July 2016)

S. Zuboff, ‘Big Other: Surveillance Capitalism and the Prospects of an Information Civilization’ [2015], Journal of Information Tech-nology 30, 75–89. doi:10.1057/jit.2015.5.

F.J. Zuiderveen Borgesius, Improving Privacy Protection in the Ar-ea of Behavioural Targeting (Wolters Kluwer, 2015).

DOI: https://doi.org/10.21039/irpandp.v2i1.17


  • There are currently no refbacks.

Copyright (c) 2017 EERKE Albert Boiten

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.