Anonymisation is considered the ultimate form of data protection, because the data is, well, anonymised. When a person cannot be identified from the data, there is no risk to the rights and freedoms of an individual: there is no need to protect the data, and data privacy regulations do not need to apply. So it makes sense that organisations are free to process such data as they wish. Or does it?
What if anonymised data is never really anonymised?
A 2019 UK study was able to identify 99.98 percent of individuals in any anonymised dataset. In a different MIT study of anonymised credit card data, researchers identified 90 percent of its users.
All these studies use machine learning techniques to trawl through enormous amounts of data, using relatively vague points of information in the available datasets to detect patterns that enable them to re-identify individuals. How vague, you might ask? A study of anonymised vehicle usage data such as braking, acceleration and gear shifts was able to identify the driver roughly 90 percent of the time.
Now consider the large public research programmes, such as those published on the EU open data portal, or data from data breaches (anonymised and not) available on the dark web.
Evolution of data protection
This raises the question of whether data protection regulations are too narrow for the speed of progress. Today's data privacy regulations protect the rights and freedoms of the individual by regulating the use of personal data.
Yet some technologies, such as facial recognition, are already testing the limits of today's privacy regulations, leading to an outright ban in some countries. Of course there are enormous benefits, but also enormous risks. The concern is that technology is simply moving too fast to understand its potential impact. And once the proverbial genie is out of the bottle, it might not go back in.
If machine learning / AI technology is able to build up an accurate picture of any individual using supposedly anonymised data, then the regulation has to account for it.
German Federal Commissioner for Data Protection and Freedom of Information Launches Public Consultation on Anonymization

The draft position paper proposes the following answers:
- For personal data to be anonymized, the link to a person must be removed in such a way that re-identification is practically impossible – i.e., the link to the individual can only be restored with a disproportionate expenditure of time, costs and manpower. The controller remains responsible for continuously monitoring the validity of the anonymization efforts.
- Anonymization, including through aggregation of data, is a form of processing of personal data that does indeed require a legal basis.
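The two points the article turns on are that a few coarse attributes ("relatively vague points of information") are often enough to single out a record once the names are gone, and that a controller is expected to keep checking whether its anonymisation still holds. The following is an added example, not code from the article or from any of the studies it cites: it measures, on a small constructed dataset of postcode district, birth year and sex, what fraction of records each combination of attributes singles out (k-anonymity's equivalence classes), then applies the two standard mitigations, generalisation and suppression, and re-measures. The records, the field names and the coarsening rules are all assumptions made for the illustration.

```python
"""Re-identification risk check on a dataset with direct identifiers removed.

Constructed example (not data from any study): records described only by
coarse quasi-identifiers, the kind of "vague points of information" that
re-identification combines. The check measures how many records those
attributes single out, then applies generalisation and suppression and
measures again, which is what "continuously monitor the validity of the
anonymization" amounts to in practice.
"""
from collections import Counter
from itertools import combinations

# Constructed records: (postcode district, birth year, sex). No name, no ID.
RECORDS = [
    ("SW1A", 1984, "F"), ("SW1A", 1984, "M"), ("SW1A", 1991, "F"),
    ("SW1B", 1984, "F"), ("SW1B", 1979, "M"), ("SW1B", 1979, "M"),
    ("EC2A", 1965, "F"), ("EC2A", 1965, "F"), ("EC2A", 1965, "F"),
    ("EC2A", 1991, "M"),
]
FIELDS = ("postcode", "birth_year", "sex")  # assumed field names


def equivalence_classes(records, field_idx):
    """Map each combination of the chosen attributes to the number of records sharing it."""
    return Counter(tuple(r[i] for i in field_idx) for r in records)


def uniqueness(records, field_idx):
    """Fraction of records that are alone in their class, i.e. singled out by
    these attributes alone. This is the quantity the cited studies report."""
    classes = equivalence_classes(records, field_idx)
    alone = sum(1 for r in records if classes[tuple(r[i] for i in field_idx)] == 1)
    return alone / len(records)


def k_anonymity(records, field_idx):
    """Size of the smallest class: every record hides among at least k-1 others."""
    return min(equivalence_classes(records, field_idx).values())


def risk_report(records, fields=FIELDS):
    """Worst-case uniqueness for each number of attributes that might be known
    about a person, across every combination of that many attributes."""
    report = {}
    for n in range(1, len(fields) + 1):
        report[n] = max(uniqueness(records, idx)
                        for idx in combinations(range(len(fields)), n))
    return report


def generalise(record):
    """Coarsen attributes: postcode area only, birth decade instead of year."""
    postcode, year, sex = record
    return (postcode[:2], year - year % 10, sex)


def suppress_to_k(records, field_idx, k):
    """Drop records whose class is smaller than k so the remainder is k-anonymous."""
    classes = equivalence_classes(records, field_idx)
    return [r for r in records if classes[tuple(r[i] for i in field_idx)] >= k]


if __name__ == "__main__":
    all_fields = tuple(range(len(FIELDS)))
    print("raw:        ", risk_report(RECORDS), "k =", k_anonymity(RECORDS, all_fields))
    coarse = [generalise(r) for r in RECORDS]
    print("generalised:", risk_report(coarse), "k =", k_anonymity(coarse, all_fields))
    safe = suppress_to_k(coarse, all_fields, 2)
    print("suppressed: ", risk_report(safe), "k =", k_anonymity(safe, all_fields),
          f"({len(RECORDS) - len(safe)} records lost)")
```

On this data no single attribute singles anyone out, two attributes single out 30 percent of records and all three single out half, which is the pattern the article describes. Generalising postcode and birth year only brings the three-attribute figure down to 30 percent; reaching 2-anonymity needs suppression as well and costs three of the ten records, which is the utility trade-off a controller has to weigh each time the check is rerun.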
More details