The EU Article 29 Working Party’s Opinion on Privacy and Anonymity: It’s Harder Than You Think

May 26, 2014, 2:04 PM UTC

On April 10, 2014, the European Union’s Article 29 Data Protection Working Party adopted “Opinion 05/2014 on Anonymisation Techniques” (WP216). The Working Party, made up of the national data protection authorities of the EU member states, acknowledges that there is no one-size-fits-all solution and that most anonymisation techniques have inherent limitations.

However, the publication of the Opinion is timely, as ever-increasing amounts of data are being captured via devices and networks, stored cheaply and interrogated ever more creatively as technologies evolve. This wholesale collection and processing of data may provide clear benefits for society, individuals and organisations, but, under EU law, such benefits must be derived lawfully, and that requires respecting the protection of the individual’s personal data and the right to a private life.

Recital 26 of the EU Data Protection Directive (95/46/EC) excludes anonymised data from the scope of the EU data protection regime. The key issues here are that, in determining whether data can be used to identify a person, “account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the said person”, and that, to be anonymised, data must be “retained in a form in which identification of the data subject is no longer possible” (emphasis added). However, the Directive gives no further guidance as to how anonymisation or de-identification can be performed.

Anonymisation Techniques

The Working Party notes that different anonymisation practices and techniques exist with variable degrees of robustness. It is up to the data controller to balance the anonymisation effort and costs (in terms of both time and resources) against the increasing low-cost availability of technical means to identify individuals in datasets. This is especially true in light of the increasing public availability of other datasets that may be cross-referenced. The greater the ability to cross-reference, the greater the potential risk of harm to individuals that would be caused should anonymisation fail.

The three key risk areas that need to be considered and addressed in any successful anonymisation process are:

  • singling out — the ability to isolate records in a dataset to identify an individual;
  • linkability — the ability to link records relating to an individual across single or multiple databases; and
  • inference — the ability to deduce one individual’s attributes from the values of other data in a dataset, based on an understanding of the pattern of change applied to a dataset.

To address these risks, the Opinion explores two different approaches to anonymisation: randomization and generalization.

Randomization

The techniques for randomization include processes that alter the veracity of the data in order to remove the strong link between the data and the individual. The effectiveness of this may be supported by additional steps, such as noise addition, permutation and differential privacy. The Opinion goes into some detail on the impact of these different processes in attaining lawful anonymisation.

However, what is clear is that randomization does not, by itself, reduce the singularity of each record, because each record is still derived from a single data subject. It should therefore be combined with generalization techniques to provide stronger privacy protection.

Generalization

Generalization is a distinct methodology for achieving anonymisation and works by generalizing, or diluting, the attributes of data subjects in any given field. For example, where data is collected by city, this may be changed to a region, or referencing years may be switched to decades or multiple year groups. This can be achieved in a number of ways, and the Opinion looks in detail at aggregation and k-anonymity, l-diversity and t-closeness, and points out weaknesses in these processes across the three risk categories. The key weaknesses are that, with k-anonymity, aggregation can be made over too small a group, allowing for inferences to be easily made, whereas l-diversity and t-closeness remain susceptible to linkability across datasets.

But generalization is not infallible, and whilst it can be effective to prevent singling out of individuals, it does not allow effective anonymisation in all cases, especially where the datasets are prone to linkability and inference based on the information stored. Again, data controllers will need to consider how linkability and inference of information can be achieved when determining the scope and depth of any generalization criteria.

Beware Pseudonymisation

Pseudonymisation is where one attribute in a record is replaced by another, for example, coded identifiers being used instead of names, or subsets of Internet protocol addresses being replaced by hash-key generated alphanumerics. Pseudonymisation, when used alone, will not result in an anonymous dataset; it will merely reduce the linkability of a dataset with the original identity of an individual. For this reason, pseudonymisation is a useful security measure but not a method of anonymisation.

The Opinion considers a number of different pseudonymisation processes, including: hash functions; encryption with secret key; deterministic encryptions (keyed-hash function with deletion of key); and tokenisation. None of these processes satisfactorily addresses the risk issues of singling out, linkability or inference, as it has been shown that, in many practical examples, it is simple, whether relying on location data, time and access logs or other datasets, to re-identify pseudonymised data. Therefore, the requirement of permanent and irrevocable de-identification in the anonymisation process is not met.
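As an added example, not drawn from the Opinion or this article, the snippet below contrasts an unkeyed hash with a keyed hash (HMAC) as pseudonyms for IP addresses in two constructed log datasets. It shows the distinction the article draws: a per-dataset key removes cross-dataset linkability, but every pseudonym still singles out one subject within its dataset. The log values and keys are invented.

```python
import hashlib
import hmac

# Constructed sample logs: one address (203.0.113.7) appears in both datasets.
ACCESS_LOG = ["203.0.113.7", "203.0.113.9", "203.0.113.7"]
SUPPORT_LOG = ["203.0.113.7", "198.51.100.4"]

# Hypothetical per-dataset secret keys (constructed for the example).
ACCESS_KEY = b"access-log-key-example"
SUPPORT_KEY = b"support-log-key-example"


def pseudonymise_sha256(ip):
    """Unkeyed hash: identical output wherever the same address appears."""
    return hashlib.sha256(ip.encode()).hexdigest()


def pseudonymise_hmac(ip, key):
    """Keyed hash: pseudonyms from different keys cannot be joined."""
    return hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()


def linkable(pseudonyms_a, pseudonyms_b):
    """Pseudonyms present in both datasets: the linkability risk."""
    return set(pseudonyms_a) & set(pseudonyms_b)


def distinct_subjects(pseudonyms):
    """Each distinct pseudonym is one subject who can still be singled out."""
    return len(set(pseudonyms))


def compare_schemes():
    """Return how many subjects link across the two logs under each scheme."""
    plain_a = [pseudonymise_sha256(ip) for ip in ACCESS_LOG]
    plain_b = [pseudonymise_sha256(ip) for ip in SUPPORT_LOG]
    keyed_a = [pseudonymise_hmac(ip, ACCESS_KEY) for ip in ACCESS_LOG]
    keyed_b = [pseudonymise_hmac(ip, SUPPORT_KEY) for ip in SUPPORT_LOG]
    return {
        "sha256_linked": len(linkable(plain_a, plain_b)),
        "hmac_linked": len(linkable(keyed_a, keyed_b)),
        # Singling out is unchanged: the access log still has two subjects.
        "access_subjects": distinct_subjects(keyed_a),
    }
```

Deleting the per-dataset key afterwards stops anyone from recomputing the pseudonyms from fresh addresses, but the existing pseudonyms keep isolating individual records, which is why the Opinion treats this as a security measure rather than anonymisation.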

The Anonymisation Process

The Opinion also highlights an often overlooked point that data controllers should be aware of: The act of rendering personal data anonymous is a data processing operation in itself. Data controllers should undertake the process of anonymisation only in circumstances where the base personal data concerned has been collected in compliance with applicable data protection laws and provision for anonymisation as part of the processing has been made. Furthermore, data controllers should treat the application of anonymisation techniques to personal data as a form of “further use”. Such processing will be compatible with the original use only where the anonymisation technique selected is itself suitable and reliable in light of the criteria set out above.

Conclusions

True to form, the Working Party has set a very high standard in determining what techniques and processes will achieve anonymisation under the current EU data protection regime. The Opinion provides some very useful guidance on why other processes, especially pseudonymisation, simply will not be effective as tools for lawfully anonymising personal data. The Working Party stresses that anonymisation techniques can provide privacy guarantees, but only if their application is engineered appropriately. This requires the objective and the context of the anonymisation process to be clearly set out in order to achieve the targeted anonymisation level.

Data controllers must be aware that even an anonymised dataset can still present residual risk to data subjects. Indeed, even when it is no longer possible to precisely retrieve the record of an individual, it may remain possible to glean information about that individual with the help of other sources of information that are available (publicly or not).

In the era of Open Data, the amount of data that can potentially be linked across numerous databases or sources presents a significant risk, and one which the data controller must assess. This is a heavy burden, especially in light of the ever-increasing amount of data being captured and the ever-evolving intelligence of computers to locate and interrogate such data.

Rohan Massey is a Partner and Head of the Intellectual Property, Media & Technology Practice of McDermott Will & Emery UK LLP, London. He may be contacted at rmassey@mwe.com.
