The EU Data Protection Directive applies to information concerning an identified or identifiable person. The principles set out by the Directive indicate that a person, the data subject, is identifiable if he or she can be identified from personal information, whether compiled from a single source or from multiple sources. The principles would not apply to data rendered anonymous, such that a specific person is no longer identifiable even from data compiled from multiple sources, and stored in a manner that could not be re-assembled to identify a specific person, provided the risk of identification is “remote”.
Anonymisation of personal information is the stripping away of all personal identifiers such that the data subject is no longer reasonably identifiable or the risk of identifiability is remote. Such anonymised information is useful for identifying buying patterns, the popularity of consumer products and other consumer behaviour.
Personal information that is no longer needed for other purposes is often anonymised and, since it is no longer protected, it is sold or shared with others freely. There are no regulatory measures that limit retention by businesses or any subsequent use of anonymised information. The question remains: how remote must the risk of identifiability be for compliance with data protection regulation not to be required?
Is absolute anonymity possible to achieve? Or should any use of anonymised information be made with caution? Periodic reassessment should be undertaken as new technology becomes available to re-assemble or otherwise re-link anonymised information to re-identify a data subject.
The European Union Agency for Fundamental Rights, the Council of Europe and the Registry of the European Court of Human Rights have just issued a new handbook on European data protection laws. This non-binding guide is intended to “raise awareness and improve knowledge of data protection rules in European Union and Council of Europe member states”. The new handbook sets out a different test for defining when personal data can be said to have been anonymised.
“Data are anonymised if all identifying elements have been eliminated from a set of personal data. …No element may be left in the information which could, by exercising reasonable effort, serve to re-identify the person(s) concerned. Where data have been successfully anonymised, they are no longer personal data.”
The standard then has moved from “remote risk” (of re-identification) to “reasonable effort” (to re-identify). This seems to lower the bar, as may be expected, given the advances in technology over the last several years. While the guidelines are not binding per se, it is likely that this definition will be given appropriate weight.
If your business relies on anonymised data, continually measure the risk of re-identification as new technology becomes available.
Please contact us if you have any concerns about the use of anonymised data.