WP 29: Anonymisation Techniques

Anonymized data do fall out of the scope of GDPR. In the Opinion 05/2014 on Anonymisation Techniques, the Working Party analyses the effectiveness and limits of existing anonymization techniques against the EU legal background of data protection and provides recommendations to handle these techniques by taking account of the residual risk of identification inherent in each of them.

The Working Party acknowledges the potential value of anonymisation in particular as a strategy to reap the benefits of ‘open data’ for individuals and society at large whilst mitigating the risks for the individuals concerned. In some cases anonymization should be applied with discretion since data in an identifiable format should be used in an identifiable format in order to enable the exercise of access rights by data subjects (see European Cour of Justice C-553/07 College von byrgermeester en welthonders van Rotterdam vs. M.E.E. Rijkaboer). However, case studies and research publications have shown how difficult it is to create a truly anonymous dataset whilst retaining as much of the underlying information as required for the task.

Anonymisation constitutes a further processing of personal data; anonymisation data towards the e-Privacy Directive in several cases (i.e. traffic data, genetic data) should be used so as to to irrversible prevent identification. Additionally, anonymized data do fall out of the scope of data protection legislation, but data subjects may still be entitled to protection under other provisions (such as those protecting confidentiality of communications).

The main anonymisation techniques, namely randomization and generalization, are described in this opinion. In particular, the opinion discusses noise addition, permutation, differential privacy, aggregation, k-anonymity, l-diversity and t-closeness. It explains their principles, their strengths and weaknesses, as well as the common mistakes and failures related to the use of each technique.

Pseudonymisation is also addressed to clarify some pitfalls and misconceptions: pseudonymisation is not a method of anonymisation. It merely reduces the linkability of a dataset with the original identity of a data subject, and is accordingly a useful securitymeasure.

The Opinion concludes that anonymisation techniques can provide privacy guarantees and may be used to generate efficient anonymisation processes, but only if their application is engineered appropriately – which means that the prerequisites (context) and the objective(s) of the anonymisation process must be clearly set out in order to achieve the targeted anonymisation while producing some useful data. The optimal solution should be decided on a case-by-case basis, possibly by using a combination of different techniques, while taking into account the practical recommendations developed in this Opinion. The Opinion referrs additionally to other terms such as subjects’ consent and profiling. See more for Opinion 52014 on Anonymisation Techniques WP 216.2014.