May 10, 2021
Anonymisation is increasingly being used as a means to share data without harming the fundamental rights of individuals. However, along with its growing popularity, some misconceptions related to anonymisation have become widespread, says the EDPS.
The objective of the document is to raise awareness about misunderstandings surrounding anonymisation, and to motivate readers to check claims made about the technology being used rather than accepting it without verification.
The ten myths the paper addresses are:
- “pseudonymisation is the same as anonymisation”: the fact is that “pseudonymisation” is defined in the GDPR as “the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information …”; the use of “additional information” can lead to the identification of individuals, meaning that pseudonymised data is still personal data and therefore falls within the scope of the GDPR;
- “encryption is anonymisation”: encryption is not an anonymisation technique, but it can be a powerful pseudonymisation tool; the transformations applied to the information by encryption algorithms in order to allow decryption count as “additional information”, which make the personal data readable and, consequently, identification possible;
- “anonymisation of data is always possible”: the fact is that it is not always possible to lower the re-identification risk below a previously defined threshold whilst retaining a useful dataset for processing; for example, if the dataset is too small or the categories of data so different among individuals that it is possible to single individuals out;
- “anonymisation is forever”: the fact is that there is a risk that some anonymisation processes could be reverted in the future as technology evolves; circumstances might change over time and new technical developments and the availability of additional information might compromise previous anonymisation processes;
- “anonymisation always reduces the probability of re-identification of a dataset to zero”: the fact is that the anonymisation process and the way it is implemented will have a direct influence on the likelihood of re-identification risks; although a 100% anonymisation is the most desirable goal from a personal data protection perspective, in some cases it is not possible, and a residual risk of re-identification must be considered;
- “anonymisation is a binary concept that cannot be measured”: the fact is that it is possible to analyse and measure the degree of anonymisation; except in certain specific cases where data is highly generalised (e.g. the number of yearly visitors to a website per country), the re-identification risk is never zero;
- “anonymisation can be fully automated”: the fact is that automated tools can be used during the anonymisation process, however, given the importance of the context in the overall process assessment, human expert intervention is needed;
- “anonymisation makes the data useless”: the fact is that a proper anonymisation process keeps the data functional for a given purpose; in other words, utility will depend on the purpose and the acceptable re-identification risk;
- “following an anonymisation process that others used successfully will lead our organisation to equivalent results”: the fact is that anonymisation processes need to be tailored to the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons; and
- “there is no risk and no interest in finding out to whom this data refers to”: the fact is that personal data has a value in itself, for the individuals themselves and for third parties; re-identification of an individual could have a serious impact on their rights and freedoms.
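The points above about measuring the degree of anonymisation, residual risk and lost utility can be made concrete with a small calculation. This is an added example, not taken from the EDPS paper: it uses k-anonymity-style group sizes as the metric (a choice made here, the summary names no metric), and the records, field choices and function names are constructed for illustration.

```python
from collections import Counter

# Constructed sample records (age, postcode, diagnosis); not real data.
RECORDS = [
    (34, "28013", "asthma"), (36, "28015", "diabetes"), (35, "28013", "asthma"),
    (61, "08001", "flu"), (67, "08003", "asthma"), (62, "08002", "diabetes"),
    (45, "41001", "flu"),
]

def raw_qi(rec):
    """Quasi-identifiers as released: exact age and full postcode."""
    age, postcode, _ = rec
    return (age, postcode)

def generalised_qi(rec):
    """Generalise: age to a ten-year band, postcode to its first two digits."""
    age, postcode, _ = rec
    low = age // 10 * 10
    return (f"{low}-{low + 9}", postcode[:2] + "***")

def risk_report(records, qi):
    """Group records by quasi-identifier values and report how small the groups are."""
    if not records:
        raise ValueError("empty dataset: nothing to measure")
    classes = Counter(qi(r) for r in records)
    k = min(classes.values())  # size of the smallest group
    return {
        "records": len(records),
        "k": k,
        "singled_out": sum(1 for n in classes.values() if n == 1),
        "max_risk": 1 / k,  # worst-case chance of matching a record to one person
    }

def suppress_small(records, qi, k_min):
    """Drop records whose group is smaller than k_min (costs utility)."""
    classes = Counter(qi(r) for r in records)
    return [r for r in records if classes[qi(r)] >= k_min]

if __name__ == "__main__":
    print("raw        ", risk_report(RECORDS, raw_qi))
    print("generalised", risk_report(RECORDS, generalised_qi))
    kept = suppress_small(RECORDS, generalised_qi, 3)
    print("suppressed ", risk_report(kept, generalised_qi))
```

On this sample, generalisation alone still leaves one record singled out; suppressing it brings the worst-case risk down to one in three, at the cost of a record, and not to zero.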