Anonymisation and data-erasure requests: a perfect solution or a dangerous false friend?
With the GDPR now fully applicable, data subjects are entitled to exercise a number of new rights over their personal data undergoing processing by organisations. They are able to demand that – in certain circumstances and with some limitations – organisations abide their requests to rectify, erase, restrict the processing of, or transfer their personal data.
These enhanced data subject rights represent a new challenge for organisations in both the public and private sectors, especially those who process high volumes of data in an inefficient way. This inefficiency often originates from the structural complexity of the organisation. The adoption of enhanced technical and organisational measures can only reduce, but not necessarily eliminate the burden of dealing with these new types data subject requests.
What is anonymisation?
In this context, some organisations are considering employing a technique called anonymisation to reduce their compliance obligations with the GDPR and to avoid having to establish and undertake complex processes to respond to data subject requests.
Anonymisation is a technical operation aimed at rendering personal data ‘anonymous in such a way that the data subject is not or no longer identifiable’ (Recital No 26 GDPR). In other words, anonymising data means erasing any element that connects the retained information to the individual.
When this operation is successful, data is no longer personal, and therefore the GDPR no longer applies. As a consequence, processing anonymised data does not require a valid lawful ground for processing and is not governed by any other elements of the GDPR.
Differences with pseudonymisation
Despite their similar names, anonymisation and pseudonymisation have very few aspects in common.
On the one hand, anonymisation is a technique that aims at erasing the identifiable elements entirely, escaping the GDPR regime with a surgical, irreversible data erasure.
On the other hand, pseudonymisation is a technique that proves useful to ‘reduce the risks to the data subjects and help controllers and processors to meet their data-protection obligations’ (Recital No 28 GDPR). It is defined as ‘the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person’ (Article 4(5) GDPR).
In other words, pseudonymisation consists of splitting the information on each data subject between two or more processing systems. Only a combination of those systems may lead to a re-identification of the data subject.
Given their nature, the reason of the brief, and indirect, mention of anonymisation in the GDPR vis-à-vis the official definition of pseudonymisation in the same legislation becomes clear. Whilst the anonymisation of personal data puts it entirely out of the GDPR’s scope of application, pseudonymisation belongs to the wider category of technical and organisational measures that data controller can implement to lower the risk for them and for the data subjects.
In other words, pseudonymisation is a technique to enhance security when processing personal data, while anonymisation is a technique to destroy the ‘personal’ element and keep the data without any connection to the data subject.
The risk of re-identification
Anonymised data which falls outside the scope of the GDPR can still be used for several purposes, including statistical and research purposes. However, anonymising data may prove a challenging task. Researchers have found that a mere combination of birth date, gender, and residence post code allows data controllers to reidentify data subjects. More recently, it was argued that even two data points may lead to a reidentification of the data subject.
The dangers of anonymisation are outstandingly exemplified by a recent case law in the US: in that case, in the text of the judgment, the US Southern NY District Court removed the name of one of the individuals involved in the case without having any success in hiding his identity (see below).
From these examples, one can better understand the point of view of the European Data Protection Board, which argued in 2014 that anonymisation is hard to achieve without rendering the data useless. In fact, organisations aiming at anonymising their data-subject personal data must undergo a process that often results in increased complexities and uncertainties than the process they would need to erase the data entirely.
Anonymisation to address right-of-erasure requests
As mentioned, making use of anonymisation to address erasure requests is a tempting path for data controllers. However, this path is strewn with obstacles.
First of all, Data Protection Authorities seem to be of the opinion that anonymisation cannot per se replace erasure when addressing a request for data erasure. While this view seems logical from the regulator’s perspective (or, more specifically, from a perspective of a linear and solid Subject-Access-Request process), it is questionable whether this position can be defended from a strictly legal point of view. Indeed, if an organisation successfully anonymises data, such data is not personal anymore (i.e., does not point at any data subject, including the one making the request) and is not regulated by the GDPR. This would mean that an erasure request could indeed be closed based on the fact that an organisation anonymised the requester’s data, in fact erasing all information that connected this information to the data subject.
However, this approach is not without risk. In fact, it is very hard to ensure that data is properly anonymised in such a way which prevents a future re-identification. Indeed, it may be possible that the organisation obtains a relevant identifier (a data which allows identification) at a later stage, rendering the process even more unpredictable.
This means that it is very difficult to be sure that the GDPR does not apply to a certain dataset of allegedly-anonymised data. In fact, incorrectly anonymised data would still fall within the scope of the GDPR.
The power to determine whether the Regulation still applies to such a dataset rests on the shoulders of the Data Protection Authority.
Finally, complex or large organisations often have complex data processing practices due to different functions gathering and processing data semi-autonomously. As a result, it is difficult to coordinate an effort between various departments to properly anonymise personal data and, at the same time, be reasonably sure that no other function holds even a single data point that could enable a re-identification of the individual.
In conclusion, while anonymisation may seem appealing to organisations who could struggle with complying with data-subject requests, its implementation comes with risks which may eventually outweigh any benefit anonymisation may offer.
In light of the current orientation of a few Data Protection Authorities on this matter, it seems inadvisable to adopt anonymisation as a compliance strategy before relevant case-law is developed on the matter.
Visit our Data Governance and contact our team for more information.