Brussels Privacy Symposium on Identifiability


1 Brussels Privacy Symposium on Identifiability
The new General Data Protection Regulation - Is there sufficient pay-off for taking the trouble to anonymize or pseudonymize data?

Waltraut Kotschy

Brussels Privacy Symposium on Identifiability, November 8, 2016

2 What is „personal data“?
Defined in Art. 2 (a) of Directive 95/46/EC; nearly identical in the new data protection legal framework (italics = new):

Art 4 (1) GDPR: “‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;”

DPCC e.U.

3 What is „identified“?
- The definition of “personal data” gives several examples of elements which can be used for the process of identification
- HOWEVER, unfortunately the definition does not say when precisely the effect of “identification” is finally achieved
- Art. 29 Group, Opinion 4/2007 on the concept of personal data, WP 136, from June 20th 2007: To identify a person means to describe this person so that he or she is “singled out” from all other persons in a group
- Which group? That depends → The circumstances of using the data are important!

4 What is „identifiable“?
A natural person is, according to the definition of „personal data“, „identifiable“ if she or he „can be identified“.

Rec. 26 to the Directive: “to determine whether a person is identifiable, account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the said person;”

Rec. 26 of the GDPR: “… To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments …”

5 Who must be able to „identify“?
CJEU C‑582/14, Breyer vs Germany: Are dynamic IP-addresses „personal data“?

In paragraph 43 of its judgement the Court refers to Art. 2 (a), stating that “it is not required that all the information enabling the identification of the data subject must be in the hands of one person.”

The Court is further of the opinion “that the online media services provider has the means which may likely reasonably be used in order to identify the data subject, with the assistance of other persons, namely the competent authority and the internet service provider, on the basis of the IP addresses stored.”

From this the Court draws the conclusion in paragraph 49 of its judgement that Article 2(a) of Directive 95/46 must be interpreted as meaning that a dynamic IP address constitutes personal data within the meaning of that provision, in relation to a controller who has the legal means which enable it to identify the data subject with additional data which a third party has about that person.

6 Understanding C‑582/14
The Court states that IP-addresses are in the given case personal data because the „controller, .. has the legal means which enable it to identify the data subject with additional data which a third party has about that person”.

Can this be interpreted as saying that data are not „personal data“ if the controller has NO LEGAL MEANS to access additional, identifying information?

I do not think so, because this would directly contradict the GDPR, defining in Art. 4 (5) pseudonymized data as „personal data“, although the definition of „personal data“ has not been significantly changed in the GDPR, and also the new Rec. 26 follows the old Rec. 26 (to the Directive) concerning „third parties“.

C-582/14 might therefore only mean that, as concerns the given case, information is at all events „personal data“ if the controller has the legal means to identify the person with the aid of a third party.

7 When are data „anonymized“?
There is no definition, neither in the Directive nor in the Regulation.

Data are „anonymized“ as soon as they are no longer „personal data“:

Rec. 26 to the GDPR: “… The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes.”

Rec. 26 to the GDPR: “… To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly …”

8 Why is „anonymous“ an important concept?
Our age is information-driven → Data, including personal data, are a valuable commodity.

However, the use of personal data is strictly limited.

Is anonymization THE solution?
- Reliable anonymization is not easy to achieve
- Anonymization can usually be achieved only by considerable loss of informational value in the anonymized data

9 Pseudonymisation
The GDPR introduces the concept of pseudonymization with the purpose of making it possible to
- further use data, especially for scientific research and statistics,
- with lesser risks for the data subject

Pseudonymized data are defined as personal data, where the additional data, necessary for identifying the data subject, are kept separate and safe from attribution to the rest of the data;
- definition open concerning the method of “pseudonymizing”,
- disguising (especially encryption) of the main identifiers is not mentioned but would be covered by the text

10 Practical experience with pseudonymized data
Experience in Austria:
- Directive: extremely wide definition of “identifiability”
- Research community demanded a more workable approach
- Austrian implementation 2000: “indirectly personal data” = special key coded data

If identification without access to the pseudonymization key is not possible according to the state of the art, pseudonymized data shall be considered as
- “(nearly) no-risk”,
- but still “personal data”!

11 Privileged use
Disclosure to reliable third parties is generally allowed - not publication!

Processing “indirectly personal data” is exempt from several duties:
- no obligation to notify the processing to the DPA,
- no obligation to obtain permission from the DPA for transfers to known (reliable) recipients in third countries,
- no obligation to inform the data subjects about transfers to third parties,
- access rights of data subjects are suspended

→ No serious case of misuse encountered within 15 years

Census is conducted in Austria since 2010 by means of “indirectly personal data” – no more data about identified citizens! → no more protests concerning census

12 Effects of pseudonymization under the GDPR
Pseudonymization under the GDPR: mentioned in
- Art. 89 (1): as a means of enhancing protection in case of further use of data for research and statistics
- Art. 6 (4): as a means of possibly contributing to the compatibility of further use of data
- Art. 25: as a means to contribute to “privacy by design” in data applications
- Rec. 28: “The application of pseudonymisation to personal data can reduce the risks to the data subjects concerned and help controllers and processors to meet their data-protection obligations. The explicit introduction of ‘pseudonymisation’ in this Regulation is not intended to preclude any other measures of data protection.”

→ pseudonymization is no guarantee for data processing being “allowed”

13 Conclusions (1)
Using anonymized data results in clear consequences under the GDPR: The GDPR is not applicable.

So, rendering data “anonymized” will “pay off” under the Regulation, but there is always a risk that anonymization, as to the level required in Rec. 26, has not been achieved: Although the consequences are clear, the requirements for dealing with “anonymized data” are less clear.

Using pseudonymised data under the GDPR has no precise legal consequences: Only on a case-by-case basis can it be evaluated whether a processing operation is rendered lawful by means of using pseudonymized data.

14 Conclusions (2)
The potential “pay-off” for pseudonymization in data protection has not (yet) been fully explored:
- Best practice rules for different areas of processing could clarify the conditions which could trigger privileged use of properly pseudonymized data – the GDPR offers several possibilities to have such best practice rules checked and approved by competent authorities
- Within the fining system implemented according to the GDPR there should be severe fines foreseen concerning any attempt of recipients of pseudonymized data to re-identify such data
- Such rules should be established on a European level in order not to counteract the harmonising effect of the GDPR

