Wonder

Research Outline

Prepared for Katie L. | Delivered April 8, 2020

GDPR and Anonymous Data

Goals

To determine what protections GDPR includes for anonymous data, and for personal information that’s inferred from anonymous data, whether GDPR legislation be updated to also cover anonymous data or the use thereof, whether GDPR is fit for purpose in relation to anonymous data and whether the fact that so called anonymous data can indeed be repersonalised, is accounted for within GDPR, and organizations investigating this space.

Early Findings

According to GDPR regulations: To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments. The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. 6This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes. 
The use of the term, "reasonably likely" makes the regulation vague and has raised questions as to the ability of the regulation to protect the privacy of data subjects.
While the GDPR is hard on data collectors who keep "anonymous data" that can easily be traced to individuals, it does not account for cases where there a high probability of identifying individuals from "anonymous data". However, whenever "anonymous data" is repersonalised, the data collector is held liable.
Panoptykon Foundation, a digital rights organization based in Poland, Jim Killock of the Open Rights Group, Michael Veale of University College London, and Dr Johnny Ryan of Brave filed similar complaints with Data Protection Authorities against ad auction companies, including Google, for illegally profiling the religious beliefs, ethnicities, diseases, disabilities, and sexual orientation of internet users.
 On February 10, 2020, the German Federal Commissioner for Data Protection and Freedom of Information (BfDI) announced a public consultation process regarding anonymization under the European Union (EU) General Data Protection Regulation (GDPR) and, in particular, anonymization within the telecommunications sector. The purpose of the consultation is to provide the BfDI’s position regarding the legal framework for anonymizing personal data and to solicit and evaluate public comments. 