Substantial uncertainty exists about the role of anonymised or pseudonymised data in the data privacy discourse; this is all the more so as de-anonymisation science advances and the ubiquity of information increases. Such uncertainty not only affects the wider usage of such measures but also creates the temptation, both on the part of the entities that process personal data and the individuals whose personal data is processed, to downplay privacy risks associated with anonymised or pseudonymised data. Crucial to mitigating such risks and promoting the use of anonymisation and pseudonymisation as privacy-enhancing techniques is understanding the role of such measures under data privacy rules. This article aims to contribute towards the achievement of such an objective by examining the role of anonymisation and pseudonymisation under the EU data privacy rules, particularly the Data Protection Directive, the ePrivacy Directive, Regulation 611/2013, the eIDAS Regulation, and the proposed General Data Protection Regulation. This article identifies three major roles of anonymisation and pseudonymisation under the current and forthcoming rules. First, anonymisation and pseudonymisation can serve as a safe harbour from the entire application of data privacy rules provided they are used to irreversibly prevent identification, although achieving this goal seems increasingly challenging in the current state of technological advancement. Second, anonymisation and pseudonymisation can provide a safe harbour from certain data privacy obligations, such as the notification of personal data breaches, provided they are engineered appropriately and complemented by adequate organisational measures. Third, anonymisation and pseudonymisation can constitute mandated measures for compliance with data privacy obligations, such as the data security and purpose specification and limitation principles.
All legal perspectives are drawn at EU level, although examples are given from member states when relevant.