The concept of anonymization can be complex and vary across jurisdictions. Data that meets the criteria for anonymization is generally exempt from privacy and data protection laws. As the adoption of artificial intelligence increases, which relies on large datasets, the need for clear guidelines and standardization has become more pressing. In the EU, where data regulations have set the benchmark for data usage, achieving accurate anonymization is particularly significant. Compliance with EU regulations is a key aspect of global data strategies aimed at responsible data collection and utilization.
However, implementing EU legal standards for anonymization can be challenging and has faced criticism due to its inherent ambiguities. This article aims to shed light on the confusion surrounding these standards and their evolving nature. Recently, a notable event has taken place which is the decision of the EU General Court in Single Resolution Board v EDPS on April 26th.
The SRB v EDPS Case
This case involves the handling of personal comments provided by shareholders and creditors of Banco Popular, who were affected by a resolution decision made by the Single Resolution Board (SRB), the central resolution authority in the Banking Union. Some of these comments were shared with a third party, Deloitte, but without including identifying data used for registration purposes. The comments shared with third parties were filtered, categorized, and aggregated, and assigned a unique alphanumeric code.
The European Data Protection Supervisor (EDPS) claimed that the SRB violated the data protection obligations stated in Article 15 of the GDPR by not informing the data subjects that their personal data would be shared with third parties. In assessing the SRB’s request to overturn the EDPS’s revised decision, the General Court had to determine whether the comments shared with Deloitte qualified as personal data under Article 3(1) of the GDPR and whether the data subjects remained identifiable. Essentially, the General Court had to ascertain whether the data had been properly anonymized. In this regard, the General Court disagreed with the EDPS, stating that a risk-based approach indeed meets the legal requirements for anonymization in the EU.
The General Court made reference to a previous case known as the Patrick Breyer case from the Court of Justice of the European Union and considered two factors to assess whether adequate standards for anonymization were met:
- Controlled environment: This refers to the contextual controls implemented in the data environment, such as access controls. The General Court noted that Deloitte did not have access to the identification data collected during the registration phase, which would have allowed the participants to be linked to their comments through the alphanumeric code.
- Data itself: This refers to the controls applied to the data to transform its appearance, such as masking. The Court emphasized that the alphanumeric code alone did not enable the authors of the comments to be identified. It stated that personal views or opinions may potentially constitute personal data, but this conclusion cannot be based on presumption alone. Instead, it must be determined whether a view is connected to a specific person based on its content, purpose, or effect.
The General Court concluded that it was essential to assess whether the information transmitted to Deloitte pertained to “identifiable persons” from Deloitte’s perspective. It found that the EDPS failed to consider whether Deloitte could re-identify the authors of the comments or if such re-identification was reasonably possible by combining the transmitted information with additional data held by the SRB. As a result, the General Court deemed the EDPS’s stance as incorrect, emphasizing that it was the EDPS’s responsibility to evaluate whether Deloitte had the means to reasonably identify the authors of the comments.
In practice, the Court’s decision demonstrates that the EU does not strictly adhere to an absolutist approach to anonymization, which demands complete elimination of any chance of reidentifying data, even if statistically improbable. Instead, the court adopts a risk-based approach, considering both data controls and contextual factors. This approach allows for a certain level of probability of identification to remain acceptable as long as it is not likely or reasonable.
However, some objections have been raised regarding the General Court’s opinion. For instance, Recital 26 of the GDPR emphasizes the need to consider the intended data recipient and potential attackers to determine identifiability. Some regulators, like the Irish Supervisory Authority, default to viewing data controllers as potential attackers. However, when appropriate context controls are implemented, data controllers can also be considered trustworthy, as acknowledged by the U.K. Information Commissioner’s Office.
Additionally, it remains unclear whether the purpose for sharing the data played a significant role in the General Court’s analysis. Purpose restrictions are crucial in a risk-based approach to anonymization and typically exclude individual decision making. The importance of purpose restrictions has been emphasized by the EDPS and is also evident in the European Data Space regulation.
What does this mean for your organization?
The European Data Protection Board (EDPB) is currently working on finalizing guidance on anonymization, and it is uncertain whether the shift towards a more practical approach to anonymization in the EU will receive official endorsement from the key regulatory body overseeing personal data. There is a growing trend towards adopting a risk-based approach in the EU, but nonetheless we must be cautious and follow a strict approach until more clarity and guidance is provided. If you have questions regarding this matter, contact us, the experts at data privacy at firstname.lastname@example.org for assistance.