The role of anonymisation and pseudonymisation under the EU data privacy rules: beyond the ‘all or nothing’ approach

Authors

  • Samson Yoseph Esayas, Norwegian Research Center for Computers and Law, University of Oslo

Abstract

Substantial uncertainty exists about the role of anonymised or pseudonymised data in the data privacy discourse; this is all the more so as de-anonymisation science advances and the ubiquity of information increases. Such uncertainty not only affects the wider usage of such measures but also creates the temptation, both on the part of the entities that process personal data and the individuals whose personal data is processed, to downplay privacy risks associated with anonymised or pseudonymised data. Crucial to mitigating such risks and promoting the use of anonymisation and pseudonymisation as privacy-enhancing techniques is understanding the role of such measures under data privacy rules. This article aims to contribute towards the achievement of such an objective by examining the role of anonymisation and pseudonymisation under the EU data privacy rules, particularly the Data Protection Directive, the ePrivacy Directive, Regulation 611/2013, the eIDAS Regulation, and the proposed General Data Protection Regulation. This article identifies three major roles of anonymisation and pseudonymisation under the current and en route rules. First, anonymisation and pseudonymisation can serve as a safe harbour from the entire application of data privacy rules provided they are used to irreversibly prevent identification, although achieving this goal seems increasingly challenging in the current state of technological advancement. Second, anonymisation and pseudonymisation can provide a safe harbour from certain data privacy obligations, such as the notification of personal data breaches, provided they are engineered appropriately and complemented by adequate organisational measures. Third, anonymisation and pseudonymisation can constitute mandated measures for compliance with data privacy obligations, such as the data security and purpose specification and limitation principles.
All legal perspectives are drawn at EU level, although examples are given from member states when relevant.

Keywords: Personal data; anonymisation and pseudonymisation; Encryption; Breach notification requirements; EU data privacy; Security of personal data

Author Biography

Samson Yoseph Esayas, Norwegian Research Center for Computers and Law, University of Oslo

Samson Yoseph Esayas is a researcher at the Norwegian Research Center for Computers and Law (NRCCL), University of Oslo. He holds a master's degree in Information and Communication Technology (ICT) Law from the University of Oslo, Norway. His current research focuses on legal risk management and compliance in using and developing information technology services. Other areas of research include Internet governance and policy, largely from the perspective of developing countries.

Published

31.10.2015

Section

Refereed Articles