NGOs (non-governmental organisations) have recently been doing a good job of explaining where things stand in the process of re-drafting [and maybe one day adopting] the General Data Protection Regulation (GDPR).
You might remember that on 25 January 2012, the European Commission released a Proposed Revised Data Protection Legislative Framework, including the GDPR.
The timeline of the legislative process so far is rich in detail, after three years of intense debate among the EU institutions over the issues to be covered within the Framework. On 12 March 2014, for example, the European Parliament adopted a resolution on the proposal for a GDPR. But the text subsequently went back to the Council, as per the ordinary legislative procedure. At a Justice and Home Affairs Council meeting held on 4-5 December 2014 it was then announced through a press release that “Progress was made by justice ministers on the EU data protection framework”. [I suppose it all depends upon the way you define the word progress!].
A document dated 19 December 2014 from the Italian Presidency to the Working Party on Information Exchange and Data Protection contains “a revised version of the draft General Data Protection Regulation. This version seeks to take account of the discussions on the draft Regulation that took place in the Working Party on Information Exchange and Data Protection under the Italian Presidency”. Other leaked documents from the Council can also be found on the Web – e.g. docs on the one-stop-shop mechanism, on the right to be forgotten, on consent, on data subjects’ rights – either on the European digital civil liberties group (EDRi’s) website or on the Lobbyplag website. As these documents tend to refer to the text of the original Commission’s proposal, it is not always easy to compare the position of the European Parliament and that of the Council (or at least that of some of its members). But EDRi and Lobbyplag have created easy-to-read consolidated documents [Huge thanks!].
There is a lot to be said about the revised version of the GDPR dated 19 December 2014 and the other leaked documents. Only a few points will be made in this post, as the author is currently looking at issues relating to anonymisation and ‘Big Data’ (to use a current buzzword!).
You may recall that not long ago, on 10 April 2014, the advisory group known as the Article 29 Data Protection Working Party (Article 29 WP) – which gathers representatives of all the EU Member States’ data protection authorities – issued a timely opinion on Anonymisation techniques.
Why is it important to understand how anonymisation techniques work? Because Recital 26 of the Data Protection Directive (the currently applicable text) states that “the principles of protection shall not apply to data rendered anonymous in such a way that the data subject is no longer identifiable”. In other words, anonymous data are outside the scope of EU data protection law!
But anonymous data means, to repeat the words of Recital 26, that “the data subject is no longer identifiable” (as a result of the implementation of the anonymisation technique).
Recital 23 of the original Commission’s proposal contains the same language.
Article 29 WP’s opinion states clearly that: “pseudonymisation is not a method of anonymisation. It merely reduces the linkability of a dataset with the original identity of a data subject, and is accordingly a useful security measure”. A bit further on, it gives the reasons for this view: “pseudonymised data cannot be equated to anonymised information as they continue to allow an individual data subject to be singled out and linkable across different data sets”. As a result, it goes on, “Pseudonymity is likely to allow for identifiability, and therefore stays inside the scope of the legal regime of data protection”.
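By way of illustration only (the names and datasets below are invented, not taken from the opinion), a minimal sketch shows why pseudonymisation “merely reduces linkability”: replacing a name with a keyed hash removes the direct identifier, yet the same pseudonym recurs wherever the same person appears, so the records can still be singled out and linked across datasets.

```python
import hashlib

def pseudonymise(record, key="secret-salt"):
    """Replace the direct identifier with a keyed hash (a pseudonym)."""
    pseudo = hashlib.sha256((key + record["name"]).encode()).hexdigest()[:12]
    out = dict(record)
    out["name"] = pseudo
    return out

# Two hypothetical datasets held by the same controller.
browsing = pseudonymise({"name": "Alice", "site_visited": "example.org"})
purchase = pseudonymise({"name": "Alice", "item_bought": "running shoes"})

# The direct identifier is gone, but the identical pseudonym appears in
# both datasets: the individual can still be singled out and the two
# records linked, which is exactly why this is not anonymisation.
print(browsing["name"] == purchase["name"])  # True
print(browsing["name"] == "Alice")           # False
```

The point of the sketch is simply that the transformation is consistent and reversible by whoever holds the key or the lookup table, so identifiability persists.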
Indeed, the singling out of individuals (by distinguishing them uniquely within a group of people) is a concern – as much as the identification of data subjects – as singling out may allow the creation of very extensive profiles about individuals and the pseudonymisation process may not prevent re-identification of data subjects at a later stage, even if it reduces the linkability of a dataset.
Neither the text of the Data Protection Directive nor that of the original Commission’s proposal speaks of pseudonymised data.
By contrast, here is the text of the revised version of the Council. Recital 23 is modified to include the following statement regarding pseudonymised data: “Data including pseudonymised data, which could be attributed to a natural person by the use of additional information, should be considered as information on an identifiable natural person”.
At first glance this appears to be a good thing, as it seems to suggest that even if pseudonymised data is not data about an identified natural person, it is data about an identifiable natural person and therefore still personal data.
But the revised version of Recital 23 is confusing, since it would now seem that in some circumstances pseudonymisation can equate to anonymisation. One can read in the Council’s revised text, just after the previous statement, that “To determine whether a person is identifiable, account should be taken of all the means reasonably likely to be used either by the controller or by any other person to identify the individual directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the individual, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration both available technology at the time of the processing and technological development”.
Yet, strictly speaking, pseudonymisation does not amount to anonymisation (“Pseudonymisation consists of replacing one attribute (typically a unique attribute) in a record by another” says Article 29 WP), unless other techniques are used such as… anonymisation techniques which should aim at reducing the risk of singling out (i.e. isolating the records of specific individuals), reducing the risk of linkability (the ability to link several datasets concerning the same data subject or group of data subjects) and also reducing the risk of inferences (i.e. the prediction of additional personal data that can be attributed to a person derived from previously collected, known attributes).
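To make the contrast concrete, here is a toy sketch (invented records, not from the opinion) of one family of anonymisation techniques the opinion discusses, generalisation: quasi-identifiers are coarsened so that several records share every remaining attribute combination, which reduces the risks of singling out, linkability and inference in a way that mere attribute replacement does not.

```python
def generalise(records):
    """Crude generalisation: coarsen quasi-identifiers (age, postcode)
    so that records become indistinguishable from one another."""
    out = []
    for r in records:
        band = (r["age"] // 10) * 10
        out.append({
            "age_band": f"{band}-{band + 9}",   # exact age -> decade band
            "region": r["postcode"][:2],        # full postcode -> area prefix
            "diagnosis": r["diagnosis"],
        })
    return out

# Two hypothetical patient records that would each be unique if released as-is.
records = [
    {"age": 34, "postcode": "75011", "diagnosis": "asthma"},
    {"age": 37, "postcode": "75019", "diagnosis": "asthma"},
]

coarse = generalise(records)
# After generalisation the two records are identical, so neither
# individual can be singled out within the released data.
print(coarse[0] == coarse[1])  # True
```

This is only a caricature (real anonymisation requires assessing all three risks across the whole dataset, as the opinion stresses), but it shows the difference in kind: generalisation destroys the one-to-one mapping between a record and a person, whereas pseudonymisation preserves it.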
Not only is the Council’s revised version confusing, but the wording proposed by Germany is also problematic, as it puts anonymisation and pseudonymisation side by side without attempting to distinguish between the two processes (see, for example, p. 110 of EDRi’s consolidated doc).
More importantly, the more pseudonymised data you collect about individuals, the greater the risk of personal inferences being drawn about them, and the greater the possibility of their being singled out from within a group of individuals. The German proposal found at p. 15 of EDRi’s consolidated doc is therefore clearly worrying, in as much as it excludes the applicability of the purpose limitation principle for further processing of pseudonymised data: “where further processing takes place by using measures of pseudonymisation, it should not be considered as incompatible with the purpose for which the data have been initially collected as long as the data subject is not identified or identifiable (Art. 6(3a) (f))”.
It is true that the text adopted by the European Parliament contained the following Recital 58a: “Profiling based solely on the processing of pseudonymous data should be presumed not to significantly affect the interests, rights or freedoms of the data subject. Where profiling, whether based on a single source of pseudonymous data or on the aggregation of pseudonymous data from different sources, permits the controller to attribute pseudonymous data to a specific data subject [i.e. to single out a specific data subject], the processed data should no longer be considered to be pseudonymous”.
However, there is a crucial difference between the ways the European Parliament and the Council (or Germany) define pseudonymous or pseudonymised data. This shows clearly, once again, that the criterion of the usage of the data is crucial [See here for a post on health data and the importance of the criterion of the usage of the data]. For the European Parliament, data should no longer be considered to be pseudonymous when the purpose of the collection is the singling out of individuals! Therefore, the intention of the European Parliament was clearly not to ease the obligations placed upon data controllers and processors engaged in the profiling of users even with “merely” pseudonymous data!