European Regulators Raise the Bar on Anonymization Techniques
Under the new opinion, the "likely reasonably to be used" test appears to provide little comfort, given the heightened sophistication of re-identification techniques. The 2014 opinion points out that irreversible hashing will in most cases be insufficient by itself to guarantee anonymization. The only exception could be a keyed hash function with deletion of the key, or a tokenization technique where the new code numbers are generated randomly without any mathematical link to the original data. Even then, linkability could be achieved if other data sets exist involving the same population of data subjects.
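The distinction drawn above can be checked in a few lines. The following is an added example, not taken from the opinion or from this article: it compares an unkeyed hash, a keyed hash whose key is discarded, and random tokenization, then tests whether quasi-identifiers still link rows to another data set. All function names and sample records are hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample records: (phone number, postcode, birth year, diagnosis).
RECORDS = [
    ("0612345678", "75011", 1980, "asthma"),
    ("0687654321", "69003", 1975, "diabetes"),
    ("0612345678", "75011", 1980, "migraine"),
]
# Constructed auxiliary data set on the same population: (name, postcode, birth year).
AUXILIARY = [("Alice", "75011", 1980), ("Bob", "69003", 1975), ("Carol", "69003", 1975)]

def plain_hash(identifier):
    """Unkeyed SHA-256: anyone can recompute it from a guessed identifier."""
    return hashlib.sha256(identifier.encode()).hexdigest()

def keyed_release(records):
    """Replace identifiers with HMAC-SHA-256 under a key used once, then discarded."""
    key = secrets.token_bytes(32)
    out = [(hmac.new(key, r[0].encode(), hashlib.sha256).hexdigest(),) + r[1:] for r in records]
    del key  # drops the only reference here; a real system must also purge backups and logs
    return out

def token_release(records):
    """Replace identifiers with random tokens; the lookup table is discarded."""
    table = {}
    out = [(table.setdefault(r[0], secrets.token_hex(16)),) + r[1:] for r in records]
    table.clear()
    return out

def reversible_by_enumeration(release, candidates):
    """Audit check: pseudonyms that equal the plain hash of a plausible identifier."""
    lookup = {plain_hash(c): c for c in candidates}
    return {row[0]: lookup[row[0]] for row in release if row[0] in lookup}

def linkable_rows(release, auxiliary):
    """Audit check: rows whose (postcode, birth year) match exactly one auxiliary person."""
    hits = []
    for row in release:
        names = {name for name, pc, yr in auxiliary if (pc, yr) == (row[1], row[2])}
        if len(names) == 1:
            hits.append((names.pop(), row[3]))
    return hits
```

Both the keyed and the tokenized release pass the enumeration check, yet `linkable_rows` still attributes two diagnoses to one named person, which is the residual linkability the opinion warns about.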
The Working Party's opinion emphasizes that even where a data controller believes it has successfully anonymized personal data, the data controller must periodically re-evaluate the risks in light of developments in re-identification techniques. What emerges from the Working Party's new opinion is that anonymization, like many other aspects of data protection, requires a governance structure to conduct an initial risk analysis and ongoing follow-up. For some data, the risk of less-than-perfect anonymization may be acceptable. For sensitive data, even the smallest risk of re-identification may be a show-stopper.
For the Working Party, true anonymization is equivalent to erasing the data entirely. This suggests that when there exists even a small residual risk of re-identification, data will be considered as continuing to fall within European data protection laws. In practice, this means that data controllers may have to use a belt-and-suspenders approach when considering big data projects using (supposedly) anonymized data.
To meet the Working Party's standard, data controllers may wish to take two steps. First, they may have the anonymization technique used for the project reviewed by a committee that includes a data scientist independent from the project team. Second, depending on the risk score given by the independent committee, the data controller should put safeguards into place as if the data were not completely anonymized. These safeguards may involve limiting access to the data set and ensuring that bulk copies of the "anonymous" data set are not made.
This approach would permit the data controller to argue first that the data are sufficiently anonymous and therefore do not fall within the scope of European data protection rules, and second to show that even if the data were not totally anonymized, the data controller put into place reasonable back-up safeguards to limit risks.