Individual vs. group privacy

Floridi (2014) argues that most humans are not profiled as individuals but as members of a specific group. Strangely, not all topics are covered by the GDPR, and group privacy in particular is absent. So, what is the difference between individual and group privacy?

According to a news article by Sarah Knapton (2016), consumers are secretly being followed by high street shops. In the article, Knapton explains how the retailer Marks & Spencer tracks a consumer’s mobile phone. She also states that Marks & Spencer is not the only one tracking consumers: other companies such as Morrisons and Topshop participate in similar activities. Multiple articles state that consumers are being located and tracked within or close to a shop (Datoo, 2014; Griswold, 2014). The articles describe that the information retrieved can be used for multiple purposes, for example to see whether certain products need to be reallocated, or to determine whether advertising is placed effectively. Even though these organizations are tracking and profiling individuals, they generalize the results across multiple individuals and target them as members of the group ‘customers at their shops’. This raises the question of whether their privacy should be protected as individuals or as a group.

To explain the differences between individual and group privacy, knowledge of related topics is required. This article starts by explaining profiling, privacy and current legislation before turning to the discussion of individual and group privacy.

Profiling is defined by Schauer (2003) as an economical way of anticipating how a person’s environment will behave in the near future, determined by a set of variables. Organizations use profiling to identify their customers’ behavior to improve their everyday operations, as well as a way of retrieving information for strategic decisions (Hildebrandt & Gutwirth, 2008, p. 2). In the book Profiling the European Citizen, Hildebrandt and Gutwirth (2008, p. 365) gave an extended definition: “Profiling is a matter of pattern recognition, which is comparable to categorization, generalization and stereotyping.” These definitions have in common that profiling is the prediction of consumer behaviour, but Hildebrandt and Gutwirth have a more practical point of view. They determined that profiling needs to be differentiated into classification and clustering. For gathering data and transforming it into valuable information, data mining techniques can be used. The rapid increase in the development and popularity of data mining technologies has caused serious issues related to the security of sensitive personal information contained in the gathered data (Xu, Jiang, Wang, Yuan, & Ren, 2014). Individuals can be clustered according to behaviours, preferences and other characteristics without being identified (van der Sloot, 2014).

Sarah Knapton (2016) interviewed Renata Samson, Chief Executive of Big Brother Watch, a non-profit organization that is trying to ensure that organizations respect privacy through campaigning (Big Brother Watch, 2017). When asked about the privacy of consumers, she said, “It is a huge problem, and most people don’t even know that their phone is being used to monitor them.” The book Distributed Computing and Internet Technology defines privacy as “the ability of an individual or group to seclude themselves, or information about themselves, and thereby express themselves selectively” (Hota & Srimani, 2013).

The EU General Data Protection Regulation (GDPR) replaced the Data Protection Directive (DRP) 95/46/EC, and the various national laws based on it, on the 25th of May 2018. The GDPR is a regulation that is intended to strengthen and unify the protection of personal data for all individuals within the European Union (EU). It has the ability to unsettle many companies, which will have to take rigorous technical and strategic measures. Paul Jordan, European managing director at the International Association of Privacy Professionals, stated: “Consumers are becoming increasingly sophisticated and wary of their privacy rights and at the heart of GDPR is consumer protection.” (Ram, 2017). The main purpose of this legislation is that organizations are permitted to use the data of individuals only for a direct and clear purpose, and that the data can only be saved for a limited time.

Individual vs. group privacy

The majority of the current discussion on data protection focuses on the individual ‘user,’ or ‘data subject,’ whose right to privacy will grow exponentially with the enforcement of the GDPR. However, groups were not protected by the DRP and are also not mentioned in the GDPR. According to Mittelstadt (2017), in international law groups are defined by a shared background. He distinguishes three forms of groups:

  • collective group: a group intentionally joined due to collective interests, shared background or other explicit common traits and purposes;
  • ascriptive group: a group whose membership is determined by inherited or incidentally developed characteristics;
  • ad hoc group: a group whose membership is assembled for a third-party interest according to perceived links between members. The group is often assembled for a time- or purpose-limited period with volatile membership requirements.

From the literature study of Mittelstadt (2017), it can be concluded that the first two forms are already legally recognized, while ad hoc groups can be considered a product of profiling and do not have legal rights. To support this statement, Bisaz (2012) stated that the idea that groups may have a right to privacy and are covered by the rights of a ‘data subject’, in this case a profile-based individual, is debatable. To explain this statement, additional research led Floridi (2014) to argue that the tension is sometimes presented as being asymmetric: between the ethics of privacy and the politics of security. In other words, it sets fostering human rights against improving human welfare. For example, if multiple individuals provide their biometric data to be examined, new cures can be found for diseases. The cures are beneficial for the society to which the individual belongs. Floridi (2014) even argues that most humans are not targeted as individuals but as members of a specific group. His definition of group privacy is “the right that is held by a group as a group rather than by its members severally. It is the group, not its members, that is correctly identified as the right-holder” (p. 1).

As mentioned above, profiling is used by organizations to collect data on individuals, which is then used to gain information that is generalized across multiple individuals (Hildebrandt & Gutwirth, 2008). Generating knowledge from individual data can be sensitive for a specific individual (Xu, Jiang, Wang, Yuan, & Ren, 2014), but in relation to Floridi’s (2014) and Mittelstadt’s (2017) combined definition, where an ad hoc group consists of multiple individuals and does not have legal rights, we can only conclude that there is a grey area between the privacy of individuals and that of individuals as a group, which needs to be researched thoroughly.



Big Brother Watch. (2017, 9 13). About. Retrieved from Big Brother Watch:

Bisaz, C. D. (2012). The Concept of Group Rights in International Law. Brill.

Datoo, S. (2014, 1 10). How tracking customers in-store will soon be the norm. Retrieved from The Guardian:

Floridi, L. (2014). Open Data, Data Protection, and Group Privacy. Springer, 1-3.

Griswold, A. (2014, 1 28). These Heat Maps Show How Retailers Track You As You Shop. Retrieved from Business Insider:

Hildebrandt, M., & Gutwirth, S. (2008). Profiling the European Citizen. Springer.

Hota, C., & Srimani, P. (2013). Distributed Computing and Internet Technology. Bhubaneswar: ICDCIT.

Knapton, S. (2016, 12 27). High street shops secretly track customers using smartphones. Retrieved from The Telegraph:

Mittelstadt, B. (2017). From Individual to Group Privacy in Big Data Analytics.

Ram, A. (2017, August 30). Tech sector struggles to prepare for new EU data protection laws. Retrieved from Financial Times:

Schauer, F. (2003). Profiles, Probabilities, and Stereotypes. London: Harvard University Press.

Shearer, C. (2000). The CRISP-DM Model:. The Journal of Data Warehousing, 5(4), 13 – 22.

van der Sloot, B. (2014, 04 23). Privacy in the Post-NSA Era: Time for a Fundamental Revision? Journal of Intellectual Property, Information Technology and E-Commerce Law, 5(1).

Xu, L., Jiang, C., Wang, J., Yuan, J., & Ren, Y. (2014). Information Security in Big Data: Privacy and Data Mining. Tsinghua University.

Article by Fabienne Kooijmans