Tech Talk with the Regulators – Understanding Anonymization Under the GDPR
The General Data Protection Regulation (GDPR) has already been in existence for four years, and has been in force for two years. How can anonymization techniques under the GDPR help Data Protection Officers (DPOs) assess innovation? I hosted a webinar with Truata that featured experts from DPAs in Italy, Ireland, and the UK to find out more about their perspective.
The recording is available here (link to the webinar).
‘A revision of the 2014 opinion on anonymization techniques is in the working program of the EDPB’
In 2014, the European data protection authorities, assembled in the Article 29 Working Party provided guidance in their opinion on anonymization techniques. Giuseppe D’Acquisto, Senior Technology Advisor at the Italian Data Protection Authority, said that some adjustments to the 2014 guidance are needed because there are unexplored aspects of anonymization in the GDPR: “A revision of the 2014 opinion is in the working program of the EDPB.”
Ultan O’Carroll, Deputy Commissioner for Technology and Operational Performance at the Data Protection Commission in Ireland, said: “The 2014 opinion is still as valid as it ever was, if not more so.”
O’Carroll: “The principles and rights that we talked about in the 2014 opinion, and the risks that were identified – all of which have materialized in the GDPR – are particular about the importance of singling out, for instance. So, the guidance continues to be relevant and impactful, and outlines considerations for data controllers as they use and attempt to anonymize data.”
‘Unexplored aspects of anonymization in the GDPR’
D’Acquisto gave three examples where in his view the use of Privacy Enhancing Technologies (PETs) could play a role.
- On legitimate interest as a legal ground: “Anonymization techniques can become an element in the balancing test when you want to invoke legitimate interest.”
- On public interest as a legal ground: “Public interest is an opportunity when used in combination with national law.” He called on national legislators to explore the possibility of including the use of privacy-enhancing safeguards in laws.
- On the secondary, (in)compatible use of personal data for further processing: “Rethinking the 2014 opinion is useful to explore new opportunities for data controllers.”
D’Acquisto’s last remark came against the background of Recital 50 of the GDPR. It clarifies Article 6 of the GDPR which stipulates the lawfulness of processing. Recital 50 states that the processing of personal data for purposes other than those for which the personal data were initially collected should be allowed only where the processing is compatible with the purposes for which the personal data were initially collected. In order to ascertain whether a purpose of further processing is compatible with the purpose for which the personal data are initially collected, the controller should take into account the existence of appropriate safeguards in both the original and intended further processing operations. D’Acquisto stressed that value could be added to data in the interest of the public when applying anonymization techniques as safeguards for our rights and freedoms.
‘Time to focus on privacy risk management’
Simon McDougall, Executive Director for Technology Policy and Innovation at the Information Commissioner’s Office in the UK, said that it is time to focus on privacy risk management: “There is a tension between risk management and hard science. We can now quantify re-identification risk, for example. The problem is that most people do not understand risk. They struggle with the concept of residual risk and the question of what risk to accept.”
McDougall stressed that the challenge today is about communication: “We now have a better understanding of how to manage (residual) risks and bring them back to an acceptable level.”
He also explained the benefits of a layered approach to privacy risk management, rather than a focus on a single technology. “Think of it as a Swiss cheese notion of [stacked] risk management measures,” McDougall said. “A layered approach to control prevents risk from passing through various risk mitigation measures because the holes do not line up.”
While it is important to keep up with the cutting edge of anonymization technologies in order to understand the full scope of possibilities, McDougall implored the audience to “look at the basics, not just the cutting-edge material.”
‘Legal and technical competences are complementary to each other’
From the discussion, it became clear that to move the use of anonymization techniques forward, Data Protection Officers (DPOs) have an important role to play. The broader questions around innovation, sharing of data, and repurposing of data have become particularly important in the context of COVID-19. Accordingly, each of the experts expressed their advice for DPOs given the developments in anonymization technologies.
D’Acquisto suggested that DPOs should not rely on either legal or technical competence alone. “Both competencies are important in order to tackle the complex aspects of anonymization techniques,” he said. “If we look at one, we miss the opportunities of the other. Each is complementary to the other. A holistic approach is needed with legal safeguards, technical safeguards, and a path toward compliance.”
‘DPOs: do not go alone; get help’
O’Carroll added that it is essential that DPOs not act in isolation. “DPOs need to get access to scientists and to organizational people, but also to expert advice in terms of social science, cognitive science, interface design, or mathematics, for example. Do not go alone; get help,” he said. “And be sure that what you’re presenting is robust. Take your time to do that. It’s not worth carrying forward without that because you’ll be asked questions that you may not think about.”
In closing, McDougall remarked that “DPOs should think about themselves as intelligent customers. Anonymization technologies are very complex. A DPO should be able to have conversations with experts. Instead of thinking this is all incredibly complicated, they should try to understand what the risks are for the individual and the organization. But it is possible to follow, to understand the principles, to understand that the levels of risk and the technology itself are changing all the time. It is possible to keep up with it so you can then have the conversation with the right expert.”
To learn more about FPF in Europe, please visit fpf.org/eu.