The role of anonymisation and pseudonymisation under the EU data privacy rules: beyond the ‘all or nothing’ approach
Substantial uncertainty exists on the role of anonymised or pseudonymised data in the data privacy discourse; this is all the more so as de-anonymisation science advances and the ubiquity of information increases. Such uncertainty affects not only the wider usage of such measures but also creates the temptation, both on the part of the entities that process personal data and the individuals whose personal data is processed, to downplay privacy risks associated with anonymised or pseudonymised data. Crucial to mitigating such risks and promoting the use of anonymisation and pseudonymisation as privacy-enhancing techniques is understanding the role of such measures under data privacy rules. This article aims to contribute towards the achievement of such an objective by examining the role of anonymisation and pseudonymisation under the EU data privacy rules, particularly the Data Protection Directive, the ePrivacy Directive, Regulation 611/2013, the eIDAS Regulation, and the proposed General Data Protection Regulation. This article identifies three major roles of anonymisation and pseudonymisation under the current and en route rules. First, anonymisation and pseudonymisation can serve as a safe harbour from the entire application of data privacy rules provided they are used to irreversibly prevent identification, although achieving this goal seems increasingly challenging in the current state of technological advancement. Second, anonymisation and pseudonymisation can provide a safe harbour from certain data privacy obligations, such as the notification of personal data breaches, provided they are engineered appropriately and complemented by adequate organisational measures. Third, anonymisation and pseudonymisation can constitute mandated measures for compliance with data privacy obligations, such as the data security and purpose specification and limitation principles. All legal perspectives are drawn at EU level, although examples are given from member states when relevant.
Keywords: Personal data; anonymisation and pseudonymisation; Encryption; Breach notification requirements; EU data privacy; Security of personal data