Anonymisation – the hot potato of the data protection world

Personal data that has been anonymised is not subject to the UK GDPR but how does the ICO explain this important concept? Camilla Ravazzolo of the Market Research Society reports.

Following the publication of the Data Sharing Code of Practice, the Information Commissioner’s Office (ICO) is now working on Guidance on anonymisation, pseudonymisation and privacy enhancing technologies(1). The guidance explores the legal, policy and governance issues around the application of anonymisation and pseudonymisation in the context of data protection law and in so doing will clarify:

  • when personal data can be considered anonymised,
  • whether it is possible to anonymise data adequately to reduce risks, and
  • what the benefits of anonymisation and pseudonymisation might be.

The endeavour is commendable. The topic has been up for debate for a long time. Without dwelling on the past, and considering only the data protection context, we can easily recall examples on both sides of the pond: the ICO’s first attempt, the Anonymisation: managing data protection risk code of practice of 2012; the former Article 29 Working Party (now EDPB) Opinion on Anonymisation Techniques of 2014; and the Norwegian and Irish DPAs’ guidance on anonymisation and pseudonymisation of 2017 and 2019. For these bodies, as for many non-institutional commentators and scholars, the appraisal was straightforward: anonymisation must be assessed against the possibility of re-identifying the data subject. It was the test of re-identifiability that left much room for discussion. On the one hand, the Article 29 WP aimed for a close-to-zero approach; on the other, the Court of Justice of the European Union (CJEU) held in Breyer(2) in 2016 that if the identification of the data subject is prohibited by law or practically impossible on account of the fact that it requires a disproportionate effort in terms of time, cost and manpower, the risk of identification appears in reality to be insignificant. As with (almost) all CJEU judgments, legislation followed, which is why the GDPR Recital 26 now reads: “to determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments”. (Yes, we could easily debate why a recital and not an article; alas, we will not.)
