The EU’s Article 29 Working Party on the Protection of Individuals with regard to the Processing of Personal Data has released “Opinion 05/2014 on Anonymisation Techniques” (Working Party pdf; archive pdf). We’ve discussed the pitfalls of various anonymization or “de-identification” techniques and how the information can be “deanonymized” or re-identified, leading to privacy problems for individuals. Here’s an excerpt from the executive summary of the Working Party’s opinion:
The WP acknowledges the potential value of anonymisation in particular as a strategy to reap the benefits of ‘open data’ for individuals and society at large whilst mitigating the risks for the individuals concerned. However, case studies and research publications have shown how difficult it is to create a truly anonymous dataset whilst retaining as much of the underlying information as required for the task.
In the light of Directive 95/46/EC and other relevant EU legal instruments, anonymisation results from processing personal data in order to irreversibly prevent identification. In doing so, several elements should be taken into account by data controllers, having regard to all the means “likely reasonably” to be used for identification (either by the controller or by any third party).
Anonymisation constitutes a further processing of personal data; as such, it must satisfy the requirement of compatibility by having regard to the legal grounds and circumstances of the further processing. Additionally, anonymized data do fall out of the scope of data protection legislation, but data subjects may still be entitled to protection under other provisions (such as those protecting confidentiality of communications).