The role of anonymisation and pseudonymisation under the EU data privacy rules: beyond the ‘all or nothing’ approach
Abstract
Substantial uncertainty exists on the role of anonymised or pseudonymised data in the data privacy discourse; this is all the more so as de-anonymisation science advances and the ubiquity of information increases. Such uncertainty affects not only the wider usage of such measures but also creates the temptation, both on the part of the entities that process personal data and the individuals whose personal data is processed, to downplay privacy risks associated with anonymised or pseudonymised data. Crucial to mitigating such risks and promoting the use of anonymisation and pseudonymisation as privacy-enhancing techniques is understanding the role of such measures under data privacy rules. This article aims to contribute towards the achievement of such an objective by examining the role of anonymisation and pseudonymisation under the EU data privacy rules, particularly the Data Protection Directive, the ePrivacy Directive, Regulation 611/2013, the eIDAS Regulation, and the proposed General Data Protection Regulation. This article identifies three major roles of anonymisation and pseudonymisation under the current and en route rules. First, anonymisation and pseudonymisation can serve as a safe harbour from the entire application of data privacy rules provided they are used to irreversibly prevent identification, although achieving this goal seems increasingly challenging in the current state of technological advancement. Second, anonymisation and pseudonymisation can provide a safe harbour from certain data privacy obligations, such as the notification of personal data breaches, provided they are engineered appropriately and complemented by adequate organisational measures. Third, anonymisation and pseudonymisation can constitute mandated measures for compliance with data privacy obligations, such as the data security and purpose specification and limitation principles. All legal perspectives are drawn at EU level, although examples are given from member states when relevant.
Keywords: Personal data; anonymisation and pseudonymisation; Encryption; Breach notification requirements; EU data privacy; Security of personal data
Published
Issue
Section
License
EJLT is an open access journal, aiming to disseminate academic work and perspectives as widely as possible to the benefit of the author and the author’s readers. It is the assumption of the EJLT that authors who publish in the journal wish their work to be available as freely and as widely as possible through the open access publishing channel.
Authors who publish with EJLT will retain copyright and moral rights in the underlying work but will grant all users the rights to copy, store and print for non-commercial use copies of their work. Commercial mirroring may also be carried out with the consent of the journal. The work must remain as published – without redaction or editing – and must clearly state the identity of the author and the originating EJLT url of the article. Any commercial use of the author’s work - apart from mirroring - requires the permission of the author and any aspects of the article which are the property of EJLT (e.g. typographical format) requires permission from EJLT.
Authors can sometimes become no longer contactable (through, for example, death or retirement). If this occurs, any rights in the work will pass to the European Journal of Law and Technology which will continue to make the work available in as wide a manner as possible to achieve the aims of open access and ensuring that an author's work continues to be available. An author - or their estate - can recover these rights from EJLT by providing contact information.
The European Journal of Law and Technology holds rights in format, publication and dissemination.
EJLT, as a non-commercial organisation - which receives donations to allow it to continue publishing – must retain information on reader access to journal articles. This means that we will not give permission to mirror the journal unless we can be provided with full details as to reader access to each and every journal article. We prefer and encourage deep linking rather than mirroring. Encouragement is thus given for all users – commercial and non-commercial – to provide indexes and links to articles in the EJLT where the index or link points to the location of the article on the EJLT server, rather than to stored copies on other servers.
Please contact the European Journal of Law and Technology if you are in any doubt as to what this statement of use covers.