Research Outline

GDPR and Anonymous Data


To determine what protections GDPR includes for anonymous data, and for personal information that’s inferred from anonymous data, whether GDPR legislation be updated to also cover anonymous data or the use thereof, whether GDPR is fit for purpose in relation to anonymous data and whether the fact that so called anonymous data can indeed be repersonalised, is accounted for within GDPR, and organizations investigating this space.

Early Findings

  • The use of the term, "reasonably likely" makes the regulation vague and has raised questions as to the ability of the regulation to protect the privacy of data subjects.
  • While the GDPR is hard on data collectors who keep "anonymous data" that can easily be traced to individuals, it does not account for cases where there a high probability of identifying individuals from "anonymous data". However, whenever "anonymous data" is repersonalised, the data collector is held liable.
  • Panoptykon Foundation, a digital rights organization based in Poland, Jim Killock of the Open Rights Group, Michael Veale of University College London, and Dr Johnny Ryan of Brave filed similar complaints with Data Protection Authorities against ad auction companies, including Google, for illegally profiling the religious beliefs, ethnicities, diseases, disabilities, and sexual orientation of internet users.