The European Article 29 Data Protection Working Party has published an opinion on anonymisation techniques. The opinion confirms that truly anonymised data falls outside of the scope of the European data protection legislation. The question, however, is when data has been truly “anonymised.” According to the Working Party, anonymisation occurs when information has been modified to irreversibly prevent identification. Anonymising data can therefore be a useful risk mitigation strategy for data controllers processing personal data. If they can adequately anonymise the personal data that they process, then European data protection rules no longer apply to the data.
The new opinion describes the main anonymisation techniques, their principles, strengths and weaknesses, and common mistakes and failures related to each technique. It also discusses pseudonymisation and stresses that this is not a method of anonymisation, but is merely a technique used to reduce the “linkability” of a dataset with the original identity of a data subject. Although data protection legislation still applies to such a data set, pseudonymisation is still regarded as a useful security measure and a useful means of reassuring data subjects about the use of their data.
TIP: Companies subject to EU privacy law requirements that wish to anonymise data would be well served to review this new opinion and understand the Working Party’s guidance on proper anonymisation techniques.