Anonymity and GDPR
Defining the Boundaries
Sofie Geurts – Legal consultant
Last updated on 5 August 2024
With the implementation of the General Data Protection Regulation (GDPR), the distinction between personal and anonymous data has never been more significant. The GDPR aims to protect personal data while allowing the free movement of such data within the European Economic Area (EEA). But what exactly constitutes anonymous data under the GDPR, and when can data be considered truly anonymous?
In this blog post, we will explore the intricacies of data anonymisation and the legal perspectives surrounding it. We will discuss the definitions provided by the GDPR, examine key court rulings, and outline practical steps to assess whether your data can be considered anonymous.
In a nutshell:
- The GDPR applies only to data that can be traced back to an individual, known as personal data.
- Anonymous data is data that cannot lead to identification of a natural person, and therefore falls outside the scope of the GDPR.
- Whether data can be considered anonymous depends on the likelihood and severity of the risk of re-identification.
The GDPR is European legislation that protects the personal data of individuals within the European Economic Area (EEA). This legislation applies to anyone who processes personal data. Every organization involved in such activities must comply with the rules for protecting personal data and privacy.
The GDPR defines personal data as any information that can be directly or indirectly traced back to an identified or identifiable natural person. Examples include:
- A name.
- Someone’s address.
- Someone’s phone number.
The GDPR definition of personal data can be read below.
Article 4 (1): ‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
The GDPR does not apply to data that can be considered anonymous. Data are considered anonymous when it is no longer possible to identify someone based on the data. To determine whether data are anonymous, it must be examined whether a natural person can indeed no longer be identified. All objective factors involved in a specific case, such as the costs and time needed for identification, must be considered to determine if the data can be regarded as anonymous.
In addition to anonymous data, there are also pseudonymised data (sometimes called encrypted or de-identified data). Pseudonymisation is a technique that replaces or removes the information in a data set that identifies an individual. Pseudonymising personal data can reduce the risks to the data subjects and help meet data protection obligations. However, pseudonymisation is effectively only a security measure. It does not change the status of the data as personal data. Pseudonymised or encrypted data can still be used to identify a person, whether or not additional pieces of information are available to the party holding them. Pseudonymised data remains personal data under the GDPR.
When is data anonymous?
Over the years, a general trend has emerged from available guidance where the focus has shifted from proving the absolute anonymity of information (which in practice is very challenging to do definitively) to mitigating the risk of identification through organizational, technical, and contractual means. As a result, the views of European data protection authorities (DPAs) have become fragmented. Additionally, there have been two significant court cases that shed light on how the judiciary views data anonymity.
Before the GDPR was enacted, the European Union was already considering when data could be regarded as anonymous. The Working Party 29 (WP29), the predecessor of the European Data Protection Board (EDPB), issued its opinion in 2014 on when anonymity exists in data.
According to WP29, anonymity only exists when the following three risks of identification are excluded:
- Singling out: The ability to locate a record of an individual within an information set.
- Linkability: The ability to link two records relating to the same individual or the same group of individuals.
- Inference: The ability to confidently guess or estimate values from other information.
If it cannot be sufficiently demonstrated that all three risks have been eliminated, the information must be regarded as personal data according to WP29. Risks exist, for example, when any party holds additional information that could identify the data subject, such as a mapping of patient names to corresponding patient numbers.
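The three WP29 risks can be checked mechanically on a data set before it leaves the organisation. The following is an added illustration, not part of the original post or of any WP29 guidance: it runs over two constructed extracts (a pseudonymised patient extract and a billing extract that happens to share the same pseudonym column) and reports singling out (a combination of indirect identifiers that matches exactly one record), linkability (records that can be joined to another party's data set on a shared key) and inference (a group of records in which every member shares the same sensitive value, so the value can be deduced from the indirect identifiers alone). The field names, the quasi-identifier choice and the sample values are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample: names are removed, but indirect identifiers (age band,
# postcode area, sex) and a sensitive attribute (diagnosis) remain.
PATIENT_EXTRACT = [
    {"pid": "P001", "age_band": "30-39", "postcode": "1011", "sex": "F", "diagnosis": "asthma"},
    {"pid": "P002", "age_band": "30-39", "postcode": "1011", "sex": "F", "diagnosis": "asthma"},
    {"pid": "P003", "age_band": "30-39", "postcode": "1011", "sex": "F", "diagnosis": "asthma"},
    {"pid": "P004", "age_band": "40-49", "postcode": "1012", "sex": "M", "diagnosis": "diabetes"},
    {"pid": "P005", "age_band": "40-49", "postcode": "1012", "sex": "M", "diagnosis": "asthma"},
    {"pid": "P006", "age_band": "80-89", "postcode": "1013", "sex": "M", "diagnosis": "dementia"},
]

# Constructed sample held by another party, sharing the pseudonym column.
BILLING_EXTRACT = [
    {"pid": "P001", "insurer": "Acme"},
    {"pid": "P006", "insurer": "Beta"},
    {"pid": "P999", "insurer": "Acme"},
]

# Assumed choice of quasi-identifiers for this extract.
QUASI_IDS = ("age_band", "postcode", "sex")


def equivalence_classes(records, quasi_ids):
    """Group records that are indistinguishable on the quasi-identifiers."""
    classes = defaultdict(list)
    for r in records:
        classes[tuple(r[q] for q in quasi_ids)].append(r)
    return classes


def singling_out(records, quasi_ids):
    """Quasi-identifier combinations that match exactly one record (k = 1)."""
    return sorted(k for k, rs in equivalence_classes(records, quasi_ids).items() if len(rs) == 1)


def k_anonymity(records, quasi_ids):
    """Smallest group size: every record hides among at least k-1 others."""
    return min(len(rs) for rs in equivalence_classes(records, quasi_ids).values())


def linkable(records_a, records_b, key):
    """Keys present in both data sets, i.e. records that can be joined."""
    ids_b = {r[key] for r in records_b}
    return sorted(r[key] for r in records_a if r[key] in ids_b)


def inference(records, quasi_ids, sensitive):
    """Groups of size > 1 whose members all share one sensitive value.

    Singletons are already reported by singling_out; this catches the case
    where k-anonymity holds but the sensitive attribute is still deducible.
    """
    hits = []
    for k, rs in equivalence_classes(records, quasi_ids).items():
        values = {r[sensitive] for r in rs}
        if len(rs) > 1 and len(values) == 1:
            hits.append((k, values.pop()))
    return sorted(hits)


def wp29_report(records, other_records, quasi_ids, sensitive, key="pid"):
    """Summarise the three WP29 risks for a data set before release."""
    return {
        "k": k_anonymity(records, quasi_ids),
        "singling_out": singling_out(records, quasi_ids),
        "linkable": linkable(records, other_records, key),
        "inference": inference(records, quasi_ids, sensitive),
    }


if __name__ == "__main__":
    for name, value in wp29_report(PATIENT_EXTRACT, BILLING_EXTRACT, QUASI_IDS, "diagnosis").items():
        print(f"{name}: {value}")
```

In this constructed extract the 80-89 male in postcode area 1013 is singled out, two pseudonyms can be joined to the billing extract, and every 30-39 female in area 1011 can be inferred to have asthma even though that group is 3-anonymous. Any non-empty result means one of the three WP29 risks has not been excluded, so the extract must still be treated as personal data until the groups are generalised, the shared key is dropped or replaced, or the sensitive values are diversified.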
In 2016, the Court of Justice of the European Union (Patrick Breyer v Bundesrepublik Deutschland) made a significant ruling on the subject of anonymization. The case involved IP addresses and whether they could be considered personal data. This case provided direction on the approach to be taken regarding questions related to data and anonymization.
The court adopted the approach that data identification is impractical if it is prohibited by law or requires a disproportionate effort in terms of time, cost, and manpower.
In 2023, the General Court of the European Union (SRB v EDPS) issued a new ruling that further clarified when pseudonymized data are considered personal data. The approach emphasized the need to consider the perspectives of different parties.
The General Court highlighted that to determine whether pseudonymized information transmitted to a data receiver constitutes personal data, it is necessary to consider the receiver’s perspective. If the data recipient does not have any additional information enabling it to re-identify the data subjects and has no legal means available to access such information, the data can be considered anonymized and therefore not personal data. The fact that the data transmitter has the means to re-identify data subjects is irrelevant. It does not mean that the transmitted data are automatically also personal data for the recipient. This case opens new options for anonymization and adds much-needed legal clarity. This means that it is possible for a piece of information to qualify as personal data for someone who can identify the data subject, whereas the same piece of information is anonymous for someone without such ability.
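The two points above, that pseudonymisation only removes direct identifiers while the transmitter keeps the means to reverse it, and that whether the result is personal data depends on what the receiving party holds, can be made concrete with a keyed pseudonym. The following is an added example and not code from the original post or from either court case: the transmitter derives each pseudonym with HMAC-SHA256 under a secret key and keeps a re-identification table, the recipient receives only the pseudonymised records, and a single function models what each holder can do with a pseudonym depending on whether it holds the table, the key, or neither. The record fields, the names and the use of HMAC-SHA256 are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample held by the data transmitter (for example a hospital).
SOURCE_RECORDS = [
    {"name": "Anna Jansen", "age_band": "30-39", "diagnosis": "asthma"},
    {"name": "Bram de Vries", "age_band": "40-49", "diagnosis": "diabetes"},
]

# Secret key held only by the transmitter; generated fresh for this example.
KEY = secrets.token_bytes(32)


def pseudonym(identifier: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 over the direct identifier (truncated for readability).

    Without the key, the pseudonym cannot be recomputed from a guessed name,
    which is what an unkeyed hash of a low-entropy identifier would allow.
    """
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key):
    """Replace the direct identifier with a pseudonym.

    Returns the data set to be shared and the re-identification table that
    stays with the transmitter. Indirect identifiers are left untouched.
    """
    shared, lookup = [], {}
    for r in records:
        p = pseudonym(r["name"], key)
        lookup[p] = r["name"]
        shared.append({"pid": p, **{k: v for k, v in r.items() if k != "name"}})
    return shared, lookup


def reidentify(pid, key=None, lookup=None, candidates=()):
    """Model what a given holder can do with one pseudonym.

    lookup: the transmitter's table, direct reversal.
    key:    the HMAC key, recompute pseudonyms for candidate identifiers.
    neither: no additional information, the pseudonym cannot be reversed.
    """
    if lookup is not None and pid in lookup:
        return lookup[pid]
    if key is not None:
        for name in candidates:
            if hmac.compare_digest(pseudonym(name, key), pid):
                return name
    return None


SHARED, LOOKUP = pseudonymise(SOURCE_RECORDS, KEY)


if __name__ == "__main__":
    pid = SHARED[0]["pid"]
    print("shared record:", SHARED[0])
    print("transmitter (table):", reidentify(pid, lookup=LOOKUP))
    print("key holder (key + candidates):", reidentify(pid, key=KEY, candidates=[r["name"] for r in SOURCE_RECORDS]))
    print("recipient (neither):", reidentify(pid))
```

The shared records still carry `age_band` and `diagnosis`, so the recipient's position is not settled by the key alone: the perspective test in SRB v EDPS asks whether the recipient has any means reasonably likely to be used, and indirect identifiers count as such means. The keyed construction only guarantees that the pseudonym itself contributes nothing to identification for a party without the key or the table, and the contractual and organisational measures mentioned later in the post are what keep that separation in place.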
Assessing if your data is anonymous
Determining whether data is anonymous cannot simply be done through a one-size-fits-all assessment. Different circumstances play a role in whether data can be identified. So, the question is not whether the information is anonymous or not, but whether the risk of identification is acceptably low.
To determine if the data you possess can indeed be considered anonymous, you must assess whether it is practically impossible to identify the data. This involves a few steps:
Determine what personal data you have, where it comes from, and other relevant circumstances surrounding the personal data.
Next, determine whether identification is possible. This involves determining if identification is impractical due to legal prohibitions or requires a disproportionate effort in terms of time, cost, and manpower, according to case law.
- Check if any laws apply to the situation that make identification legally prohibited, such as statutory confidentiality.
- To determine if the effort is disproportionate, all possible factors and circumstances must be considered to establish whether the effort to re-identify pseudonymized data is so high that it is disproportionate. This involves assessing the risks of re-identification using the motivated intruder test.
These considerations together indicate the risk of re-identification. As indicated, the risk needs to be acceptable. Only then can the data be considered anonymous.
A motivated intruder is someone who starts without prior knowledge but wishes to identify an individual. The motivated intruder is assumed to be competent, with access to resources such as the internet, libraries, and all public documents, and would employ investigative techniques such as contacting people who may have additional knowledge of the identity of the data subject. The motivated intruder is not assumed to have any specialist knowledge, such as computer hacking skills.
The previous step should reveal whether re-identification is possible. This will indicate the level of risk that exists for re-identification. As evident from the above analysis and recent judgements, data can only be considered anonymous for a party when the risk of re-identification is so low that it can be considered negligible. The higher the risk of re-identification, the less likely it is that the data can be considered anonymous.
The intentional ambiguity in classifying data as anonymous requires organisations to conduct an internal assessment of the likelihood of identification. Such an assessment will determine whether the data can be considered anonymous. If the outcome is that the risk of de-anonymisation is sufficiently unlikely (excessively costly and cumbersome), then the data can be considered anonymous, and the GDPR no longer governs this data.
Note that as an organization, you must continually ensure that these risks remain low by taking additional measures, such as entering into agreements with parties that also possess the data and providing warnings to the users of your software not to enter names or personal data.
Other key points to watch out for
Anonymity is interpreted differently across countries and within the same data protection bodies over time. Despite varying views, the core question remains whether a natural person can be identified. This difference in interpretation often hinges on what is considered an acceptable level of risk for identification.
The residual risk of identification should be regularly re-evaluated, and the effectiveness and sufficiency of measures must be consistently assessed. This allows for continuous monitoring of risks and effectively reduces the residual risk to an acceptable level. Regular assessments and updates are necessary to maintain GDPR compliance.