1
Brussels Privacy Symposium on Identifiability
The new General Data Protection Regulation - Is there sufficient pay-off for taking the trouble to anonymize or pseudonymize data?
Waltraut Kotschy
Brussels Privacy Symposium on Identifiability
November 8, 2016
2
What is „personal data“?
Defined in Art. 2 (a) of Directive 95/46/EC; nearly identical in the new data protection legal framework (italics = new):
Art. 4 (1) GDPR: “‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;”
3
What is „identified“?
The definition of “personal data” gives several examples of elements which can be used for the process of identification.
HOWEVER, unfortunately the definition does not say when precisely the effect of “identification” is finally achieved.
Art. 29 Group, Opinion 4/2007 on the concept of personal data, WP 136, of June 20th 2007: To identify a person means to describe this person so that he or she is “singled out” from all other persons in a group.
Which group? That depends. The circumstances of using the data are important!
4
What is „identifiable“?
A natural person is, according to the definition of „personal data“, „identifiable“ if she or he „can be identified“.
Rec. 26 to the Directive: “to determine whether a person is identifiable, account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the said person;”
Rec. 26 of the GDPR: “… To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments …”
5
When are data „anonymized“?
There is no definition, neither in the Directive nor in the Regulation.
Data are „anonymized“ as soon as they are no longer „personal data“:
Rec. 26 to the GDPR: “… The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes.”
Rec. 26 to the GDPR: “… To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly …”
6
Why is „anonymous“ an important concept?
Our age is information-driven.
Data, including personal data, are a valuable commodity.
However, the use of personal data is strictly limited.
Is anonymization THE solution?
- Reliable anonymization is not easy to achieve
- Anonymization can usually be achieved only by considerable loss of informational value in the anonymized data
7
Pseudonymisation
The GDPR introduces the concept of pseudonymization with the purpose of making it possible to
- further use data, especially for scientific research and statistics,
- with lesser risks for the data subject
Pseudonymized data are defined as personal data, where the additional data, necessary for identifying the data subject, are kept separate and safe from attribution to the rest of the data;
- definition open concerning the method of “pseudonymizing”,
- disguising (especially encryption) of the main identifiers is not mentioned but would be covered by the text
8
Practical experience with pseudonymized data
Experience in Austria:
Directive: extremely wide definition of “identifiability”
Research community demanded a more workable approach
Austrian implementation 2000: “indirectly personal data” = special key coded data:
If identification without access to the pseudonymization key is not possible according to the state of the art, pseudonymized data shall be considered as
- “(nearly) no-risk”,
- but still “personal data”!
9
Privileged use
Disclosure to reliable third parties is generally allowed - not publication!
Processing “indirectly personal data” is exempt from several duties:
- no obligation to notify the processing to the DPA,
- no obligation to obtain permission from the DPA for transfers to known (reliable) recipients in third countries,
- no obligation to inform the data subjects about transfers to third parties,
- access rights of data subjects are suspended
No serious case of misuse encountered within 15 years.
The census has been conducted in Austria since 2010 by means of “indirectly personal data” – no more data about identified citizens! No more protests concerning the census.
10
Effects of pseudonymization under the GDPR
Pseudonymization under the GDPR: mentioned in
- Art. 89 (1): as a means of enhancing protection in case of further use of data for research and statistics
- Art. 6 (4): as a means of possibly contributing to the compatibility of further use of data
- Art. 25: as a means to contribute to “privacy by design” in data applications
- Rec. 28: “The application of pseudonymisation to personal data can reduce the risks to the data subjects concerned and help controllers and processors to meet their data-protection obligations. The explicit introduction of ‘pseudonymisation’ in this Regulation is not intended to preclude any other measures of data protection.”
Pseudonymization is no guarantee for data processing being “allowed”.
11
Conclusions (1)
Using anonymized data results in clear consequences under the GDPR: The GDPR is not applicable.
So, rendering data “anonymized” will “pay off” under the Regulation, but there is always a risk that anonymization, as to the level required in Rec. 26, has not been achieved: Although the consequences are clear, the requirements for dealing with “anonymized data” are less clear.
Using pseudonymised data under the GDPR has no precise legal consequences: Whether a processing operation is rendered lawful by means of using pseudonymized data can be evaluated only on a case-by-case basis.
12
Conclusions (2)
The potential “pay-off” for pseudonymization in data protection has not (yet) been fully explored:
- Best practice rules for different areas of processing could clarify the conditions which could trigger privileged use of properly pseudonymized data – the GDPR offers several possibilities to have such best practice rules checked and approved by competent authorities
- Within the fining system implemented according to the GDPR there should be severe fines foreseen concerning any attempt of recipients of pseudonymized data to re-identify such data
- Such rules should be established on a European level in order not to counteract the harmonising effect of the GDPR