Viewing the GDPR Through a De-Identification Lens
Mike Hintze, Partner, Hintze Law PLLC; Adjunct Professor, University of Washington School of Law
De-Identification Under the GDPR

The GDPR provides the basis to recognize a more comprehensive spectrum of de-identification:
- "Identified" vs. "identifiable" in the definition of "personal data"
- Pseudonymous data as a particular type of "identifiable" data
- Article 11 strong de-identification: the controller is "not in a position to identify the data subject"
- Anonymous data: GDPR requirements do not apply

The spectrum, from most to least identifying: Identified | Identifiable | Article 11 De-Identified | Anonymous / Aggregate

Each step along the spectrum corresponds to a "yes / no" test drawn from the provisions below:
- Directly linked to identifying data: separates Identified from everything to its right.
- A known, systematic way to (re)identify exists: separates Identifiable (including pseudonymous data, where the separately held "additional information" is that systematic way) from Article 11 De-Identified data.
- Relates to a specific person: separates Article 11 De-Identified data from Anonymous / Aggregate data, which does not.

Article 4(5): "'pseudonymisation' means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person."

Article 11(2): the controller "is able to demonstrate that it is not in a position to identify the data subject."

Recital 26: "The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes."
GDPR Obligations Through De-ID Lens

The strength of de-identification scales each obligation. Between the Identified and Identifiable rows the entries form a sliding scale rather than a hard switch:

Category                  | Lawful basis                                  | Notice to data subjects | Data retention limitations | Appropriate data security | Access, erasure, controls
Identified                | Consent of data subject (sliding toward ...)  | Prominent notice        | Shorter retention          | Stronger protections      | Required
Identifiable              | ... legitimate interests                      | Discoverable notice     | Longer retention           | Some protections          | Required
Article 11 De-Identified  | Legitimate interests                          | Discoverable notice     | Longer retention           | Some protections          | No requirement (Articles 15 to 20 do not apply)
Anonymous / Aggregated    | No requirements                               | No requirements         | No requirements            | No requirements           | No requirements

Legitimate interests: Article 6(1)(f) involves a balance between the legitimate interests of the controller and the fundamental rights and freedoms of the data subjects. The stronger the de-identification, the lower the risk to the data subject's fundamental rights and freedoms, and so the more easily that balance tips toward the controller.

Article 6(4) further supports the idea that de-identification can help justify a basis for lawful processing other than consent: "Where the processing for a purpose other than that for which the personal data have been collected is not based on the data subject's consent . . . the controller shall, in order to ascertain whether processing for another purpose is compatible with the purpose for which the personal data are initially collected, take into account, inter alia . . . (e) the existence of appropriate safeguards, which may include encryption or pseudonymisation."

Data retention: Article 5(1)(e) establishes the general rule that personal data may be "kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed." Data that has been de-identified to the point where it no longer permits identification is, by the text of the rule, outside that limit.

Data security: Article 32 requires organizations to implement security measures sufficient "to ensure a level of security appropriate to the risk." Because de-identification reduces the risk to data subjects, it also reduces the level of security the Article demands; conversely, the separately held "additional information" of a pseudonymisation scheme (the key or lookup table) is precisely where the strongest protections must sit.

Data subject rights: Article 11(2) provides that where the controller is able to demonstrate that it is not in a position to identify the data subject, Articles 15 to 20 do not apply, including the rights of access, rectification, erasure and data portability, unless the data subject supplies additional information enabling identification.
De-Identification's Role in GDPR Guidance

GDPR guidance that recognizes a full range of de-identification can:
- provide greater clarity in areas of the GDPR that remain opaque;
- enable organizations to adopt pragmatic compliance tools and strategies;
- increase incentives for companies to adopt the strongest de-identification that is compatible with the purposes of the data processing (thus achieving an optimal balance between data protection and data utility); and
- advance the objectives of the GDPR by enhancing the protection of individuals' personal data.
Questions?
mike@hintzelaw.com | @mhintze
Hintze Law, Privacy + Security