The General Data Protection Regulation (GDPR) only applies if you process personal data. Hence, according to Recital 26 of the GDPR, personal data that is anonymised no longer falls within the scope of the GDPR and can be processed more easily. However, the GDPR does not provide a uniform standard for when data can be considered anonymised, so various national standards have emerged. We explain what you need to consider and how you might achieve anonymisation of personal data.
What is anonymous data?
Recital 26 of the GDPR defines anonymous data as data that “does not relate to an identified or identifiable natural person or to personal data rendered anonymous” so “that the data subject is not or no longer identifiable.” However, it is still unclear what anonymisation really means in practice.
In 2007, the Article 29 Working Party (WP29) issued an opinion explaining the difference between anonymisation and pseudonymisation. The main criterion the WP29 identified was the possibility of re-identification: pseudonymisation is reversible, while anonymisation does not allow re-identification. It pointed out that if "appropriate technical measures" were deployed to prevent re-identification, such as one-way cryptography, the respective data could be considered anonymous. This approach gave organisations a reasonable degree of flexibility. One caveat for practitioners: a one-way hash of a low-entropy identifier such as a phone number or an e-mail address can be reversed simply by hashing every candidate value and comparing, so hashing on its own rarely satisfies the stricter standards that emerged later.
However, in 2014, the WP29 issued another opinion on anonymisation, which caused confusion regarding the standard for anonymisation. Here, the WP29 treats the difference between anonymisation and pseudonymisation as a question of the probability of re-identification. Many studies have shown that it is almost impossible to anonymise data completely, so a certain possibility of re-identification usually remains, which raises the question of how companies should assess that probability. The WP29 listed three re-identification risks that have to be considered:
- Singling out — the possibility to identify an individual’s record within data sets;
- Linkability — the possibility to link two records concerning the same individual or a group of individuals;
- Inference — the possibility to estimate or guess values by using other information.
According to the WP29, anonymisation measures that protect against all of these risks “would be robust against re-identification (…)” and, hence, the respective data can be viewed as anonymous.
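To make the three risks concrete, here is an added example (not from the original article) that checks a small constructed dataset for singling out, linkability and inference in the way a practitioner would before calling a release "anonymous". The column names, the sample rows, the external dataset and the generalisation rules are all assumptions chosen for illustration; they are not from any regulator's guidance.

```python
"""
Added example: a checker for the WP29 re-identification risks
(singling out, linkability, inference) over a constructed toy dataset.
All column names, rows and generalisation rules are assumptions.
"""
from collections import defaultdict

# Constructed "anonymised" release: names removed, but quasi-identifiers
# (zip, birth_year, sex) and a sensitive attribute (diagnosis) remain.
RELEASE = [
    {"zip": "10115", "birth_year": 1984, "sex": "F", "diagnosis": "flu"},
    {"zip": "10115", "birth_year": 1984, "sex": "F", "diagnosis": "asthma"},
    {"zip": "10117", "birth_year": 1990, "sex": "M", "diagnosis": "flu"},
    {"zip": "10117", "birth_year": 1990, "sex": "M", "diagnosis": "flu"},
    {"zip": "10119", "birth_year": 1975, "sex": "M", "diagnosis": "cancer"},
]

# Constructed external dataset an attacker might hold (e.g. a public
# register) that carries names next to the same quasi-identifiers.
EXTERNAL = [
    {"name": "Alice", "zip": "10115", "birth_year": 1984, "sex": "F"},
    {"name": "Bob", "zip": "10119", "birth_year": 1975, "sex": "M"},
    {"name": "Carol", "zip": "10117", "birth_year": 1990, "sex": "M"},
]

QUASI_IDS = ("zip", "birth_year", "sex")


def equivalence_classes(records, quasi_ids=QUASI_IDS):
    """Group records by their quasi-identifier tuple."""
    classes = defaultdict(list)
    for r in records:
        classes[tuple(r[q] for q in quasi_ids)].append(r)
    return dict(classes)


def singled_out(records, quasi_ids=QUASI_IDS):
    """Singling out: quasi-identifier tuples matching exactly one record (k = 1)."""
    classes = equivalence_classes(records, quasi_ids)
    return sorted(key for key, rows in classes.items() if len(rows) == 1)


def linkable(release, external, quasi_ids=QUASI_IDS):
    """Linkability: a release record unique on its quasi-identifiers that
    matches exactly one external record is joined, and the name is recovered."""
    rel = equivalence_classes(release, quasi_ids)
    ext = equivalence_classes(external, quasi_ids)
    links = {}
    for key, rows in rel.items():
        if len(rows) == 1 and len(ext.get(key, [])) == 1:
            links[ext[key][0]["name"]] = rows[0]["diagnosis"]
    return links


def inferable(records, sensitive, quasi_ids=QUASI_IDS):
    """Inference: classes whose members all share the sensitive value. Anyone
    known to be in the class has the attribute disclosed even though no single
    record can be singled out."""
    out = {}
    for key, rows in equivalence_classes(records, quasi_ids).items():
        values = {r[sensitive] for r in rows}
        if len(rows) > 1 and len(values) == 1:
            out[key] = values.pop()
    return out


def min_k(records, quasi_ids=QUASI_IDS):
    """Size of the smallest equivalence class (the k in k-anonymity)."""
    return min(len(rows) for rows in equivalence_classes(records, quasi_ids).values())


def generalise(records):
    """Crude generalisation (assumed rule): 3-digit zip prefix, birth decade, sex dropped."""
    return [
        {**r, "zip": r["zip"][:3] + "**", "birth_year": r["birth_year"] // 10 * 10, "sex": "*"}
        for r in records
    ]


def suppress(records, k, quasi_ids=QUASI_IDS):
    """Drop every record whose equivalence class is smaller than k."""
    classes = equivalence_classes(records, quasi_ids)
    return [r for r in records if len(classes[tuple(r[q] for q in quasi_ids)]) >= k]


if __name__ == "__main__":
    print("singled out:", singled_out(RELEASE))
    print("linkable:", linkable(RELEASE, EXTERNAL))
    print("inferable:", inferable(RELEASE, "diagnosis"))
    safe = suppress(generalise(RELEASE), 2)
    print("after generalisation + suppression, k =", min_k(safe))
    print("singled out:", singled_out(safe), "linkable:", linkable(safe, generalise(EXTERNAL)))
    print("still inferable:", inferable(safe, "diagnosis"))
```

On the constructed data, Bob's record is singled out and linked to the external register, while Carol's diagnosis leaks by inference even though her record is one of two identical ones. Generalising and suppressing the small class removes the singling-out and linkability findings, but the inference finding survives, which is exactly why the WP29 requires measures against all three risks rather than k-anonymity alone.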
The WP29 also established a further requirement for anonymisation: the aggregation and permanent deletion of the original (identifiable) data. This means that companies can only be sure that their data is anonymised, and thus falls outside the scope of the GDPR, if the data is aggregated into group statistics and the original data is deleted permanently.
Due to this adaptation of the requirements for anonymisation by the WP29, different standards have emerged within the EU, as some national regulators follow the 2007 standard and others the 2014 standard.
What anonymisation standards exist throughout Europe?
To give you an impression of different anonymisation standards throughout Europe, we will provide you with some examples.
Some national authorities, such as the UK Information Commissioner’s Office (ICO) and the Irish Data Protection Commission (DPC), indicated that a certain risk of re-identification is acceptable provided sufficient preventive measures are in place.
However, the DPC also clarified that in most cases data can only be considered pseudonymised, not anonymised, where the controller keeps the original data, because it then remains possible to reverse the process and identify individuals. Similarly, the Spanish Agencia Española de Protección de Datos (AEPD) and the European Data Protection Supervisor (EDPS) indicated that "anonymisation procedures must ensure that not even the data controller is capable of re-identifying the data holders in an anonymised file."
The French Commission Nationale de l’informatique et des Libertés (CNIL) takes an even stricter approach. It underlines that the anonymisation of the data must be irreversible: “Anonymisation is a treatment which consists in using a set of techniques in such a way as to make it impossible, in practice, to identify the person by any means whatsoever and in an irreversible manner (…). Since the anonymisation process aims to eliminate any possibility of re-identification, the future exploitation of the data is thus limited to certain types of use.”
How can anonymisation be reasonably achieved?
The uncertainty arising from these deviating standards makes it very difficult for companies to be sure that their anonymisation measures render the GDPR inapplicable. Nevertheless, there are approaches that your company can adopt.
One option is to use so-called "trusted third parties" (TTPs), which act as intermediaries between the organisation in possession of the original (and thus identifiable) data and you, i.e., the organisation that wants to use the anonymous data. The WP29 (in 2013), as well as the ICO (in 2012), suggested that this might be an effective tool to achieve anonymisation.
However, there is also the view that complete anonymisation is not possible even with a TTP, since at least the TTP itself would be able to carry out re-identification. On this view, it is questionable whether complete anonymisation is achievable at all, and you should factor that uncertainty into your assessment.