Brussels Privacy Symposium on Identifiability The new General Data Protection Regulation - Is there sufficient pay-off for taking the trouble to anonymize or pseudonymize data ? Waltraut Kotschy Brussels Privacy Symposium on Identifiability November 8, 2016

What is „personal data“? Defined in Art. 2 (a) of Directive 95/46/EC; nearly identical in the new data protection legal framework (italics = new): Art 4 (1) GDPR: “personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;”

What is „identified“? The definition of “personal data” gives several examples for elements which can be used for the process of identification HOWEVER, unfortunately the definition does not say, when precisely the effect of “identification” is finally achieved Art. 29 Group, Opinion 4/2007 on the concept of personal data, WP 136, from June 20th 2007: To identify a person means to describe this person so that he or she is “singled out” from all other persons in a group Which group? That depends  The circumstances of using the data are important!

What is „identifiable“? A natural person is, according to the definition of „personal data“, „identifiable“ if she or he „can be identified“ Rec. 26 to the Directive: “to determine whether a person is identifiable, account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the said person;” Rec. 26 of the GDPR: …” To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments…..”

When are data „anonymized“? There is no definition, neither in the Directive not in the Regulation Data are „anonymized“ as soon as they are no longer „personal data“: Rec. 26 to the GDPR: „…..The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes.” Rec. 26 to the GDPR: “……To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly…”

Why is „anonymous“ an important concept? Our age is information- driven  Data, including personal data, are a valuable commodity However, the use of personal data is strictly limited. Is anonymization THE solution? - Reliable anonymization is not easy to achieve - Anonymization can usually be achieved only by considerable loss of informational value in the anonymized data

Pseudonymisation The GDPR introduces the concept of pseudonymization with the purpose of making it possible to - further use data , especially for scientific research and statistics, - with lesser risks for the data subject Pseudonymized data are defined as personal data, where the additional data, necessary for identifying the data subject, are kept separate and safe from attribution to the rest of the data; - definition open concerning the method of “pseudonymizing”, - disguising (especially encryption) of the main identifiers is not mentioned but would be covered by the text

Practical experience with pseudonymized data Experience in Austria: Directive: extremely wide definition of “identifiability” Research community demanded a more workable approach Austrian implementation 2000: “indirectly personal data” = special key coded data: If identification without access to the pseudonymization key is not possible according to the state of the art, pseudonymized data shall be considered as - “(nearly) no-risk”, - but still “personal data”!

Privileged use Disclosure to reliable third parties is generally allowed - not publication! Processing “indirectly personal data “ is exempt from several duties: - no obligation to notify the processing to the DPA, - no obligation to obtain permission from the DPA for transfers to known (reliable) recipients in third countries, - no obligation to inform the data subjects about transfers to third parties, - access rights of data subjects are suspended  No serious case of misuse encountered within 15 years Census is conducted in Austria since 2010 by means of “indirectly personal data” – no more data about identified citizens!  no more protests concerning census

Effects of pseudonymization under the GDPR Pseudonymization under the GDPR: mentioned in Art. 89 (1): as a means of enhancing protection in case of further use of data for research and statistics Art. 6 (4): as a means of possibly contributing to the compatibility of further use of data Art. 25: as a means to contribute to “privacy by design” in data applications Rec. 28: “The application of pseudonymisation to personal data can reduce the risks to the data subjects concerned and help controllers and processors to meet their data-protection obligations. The explicit introduction of ‘pseudonymisation’ in this Regulation is not intended to preclude any other measures of data protection.”  pseudonymization is no guarantee for data processing being “allowed”

Conclusions (1) Using anonymized data results in clear consequences under the GDPR: The GDPR is not applicable. So, rendering data “anonymized” will “pay off” under the Regulation, but there is always a risk that anonymization, as to the level required in Rec. 26, has not been achieved : Although the consequences are clear, the requirements for dealing with “anonymized data” are less clear. Using pseudonymised data under the GDPR has no precise legal consequences: Only on a case to case basis it can be evaluated whether a processing operation is rendered lawful by means of using pseudonymized data;

Conclusions (2) The potential “pay-off” for pseudonymization in data protection has not (yet) been fully explored: Best practise rules for different areas of processing could clarify the conditions which could trigger privileged use of properly pseudonymized data – the GDPR offers several possibilities to have such best practise rules checked and approved by competent authorities Within the fining system implemented according to the GDPR there should be severe fines foreseen concerning any attempt of recipients of pseudonymized data to re-identify such data Such rules should be established on a European level in order not to counteract the harmonising effect of the GDPR