Anonymization in data protection – opportunity or borderline risk? Part 1

Part 1: The concepts of anonymization and pseudonymization

In the context of data protection, anonymization is often taken to mean that data controllers do not have to comply with data protection regulations when further processing the data. The background to this connotation is that, according to Art. 2 (1), the GDPR only applies to personal data. Anonymized data sets are characterized by the fact that they can no longer be related to an identifiable person. Data controllers who want to avoid the requirements of the GDPR therefore strive to anonymize the data they process. If extensive customer data records are to be analyzed and evaluated for marketing purposes, for example, the goal is to anonymize the data records so that further processing no longer has to comply with data protection requirements.

When is data considered anonymous?

Of course, this is not so simple. When data sets are considered anonymous is controversial from many points of view. The GDPR makes no statement about what constitutes anonymous data. It follows from Art. 4 No. 1 GDPR that, in order to identify a person, it is sufficient to be able to assign certain characteristics or information to a person who is otherwise not further known.

Anonymization itself is not mentioned in the GDPR. Only Recital 26 addresses it, and its title already contains the statement that the GDPR should not apply to anonymized data.

Sentences 3 to 5 of the recital provide indications as to the standard to be applied in determining whether data are anonymized or not. The dispute revolves around the question of what additional knowledge may be taken into account when deciding whether a person is identifiable. For example, it depends on whether a person can be identified by linking several pieces of information or whether a person becomes identifiable by a change in context. It is disputed among experts whether a lack of personal reference can already be assumed if establishing that reference would only be possible by illegal means, i.e. if there is no legal possibility of identifying a person. In any case, the ECJ assumed in the Breyer ruling of October 19, 2016 (Case C-582/14) that means of identification can be considered “reasonably” excluded if there is no legal or factual possibility to use them.

Ultimately, it will come down to a risk-based, case-by-case assessment, which must take into account the risk that de-anonymization could take place.

What is pseudonymization and how is it different from anonymization?

Unlike anonymization, pseudonymization is directly regulated in the GDPR, namely in Art. 4 No. 5. Essentially, pseudonymization is about dividing and storing data records in such a way that no personal reference can be established without merging the data records. The reference to a person is thus retained in principle, but because the data is stored separately, it can ideally be established only by authorized persons. Identifying data subjects in the data set is therefore only possible with additional information, so-called identifiers. The prerequisite for pseudonymization is that identifiers are kept separate from the data set. Pseudonymization is listed in Art. 32(1)(a) GDPR as a measure for the protection of personal data. However, unlike anonymization, pseudonymization does not result in the elimination of the personal reference. Therefore, the GDPR remains applicable in principle to pseudonymized data.

You can read more about pseudonymization and anonymization soon in Part 2.

If you have any questions about data protection or other data protection topics, please contact us!
