Find out today what the legal world will be talking about tomorrow.
BfDI publishes its position on anonymization under the GDPR
Anonymization of personal data is of great importance to many companies for a number of reasons. Anonymized data may be used, for example, to train an artificial intelligence (“AI”) and to improve a company’s own performances and processes.
Comments on the BfDI Position Paper
In its Position Paper, the BfDI understands the term “anonymization” as removing any personal reference with regard to data or data sets. According to the BfDI, this does not require absolute anonymization. It is sufficient, if no one would be able to (re-)identify any personal data. In terms of data protection laws, it would usually be sufficient to remove any personal reference in a manner that any re-identification is impractical. Such a re-identification is in general impractical, if it is only possible to reestablish any personal reference with disproportionate application of time, cost, and manpower.
Apparently, however, the BfDI considers any anonymization to be “processing” within the meaning of the GDPR. Even if other data protection commissioners share this opinion, this view is likely too broad. There are a number of different technical implementations to handle data anonymously. Therefore, a more differentiated point of view should be taken as to whether the specific implementation of an anonymization also constitutes a processing of personal data under the GDPR. Companies intend to and should be able to use anonymization as a data protection instrument and for better and new (data-driven) business models.
The BfDI goes on to discuss various legal bases for anonymization of personal data. In principle, it would be possible to use all legal bases provided by the GDPR, such as consent (Article 6 (1) (a) GDPR) or an overriding legitimate interest (Article 6 (1) (f) GDPR). The BfDI particularly addresses a change of purpose (Article 6 (4) GDPR), which could allow anonymization (together with the original legal basis). According to the BfDI, it should be in general possible to fulfill the requirements of a respective change of purpose in order to anonymize personal data. This means, for example, that personal data processed to fulfil a customer order may be anonymized based on Article 6 (4) GDPR in conjunction with Article 6 (1) (b) GDPR. The data controller could then use this anonymized data to train an AI or to improve its own range of services.
The BfDI further points out that an obligation to erase data under data protection law may be met by anonymization (Article 17 (1) (a) in conjunction with Article 6 (1) (c) GDPR).
The BfDI’s view on checking the validity of an anonymization as an ongoing task of the data controller is to be examined critically. This might be misconstrued as a kind of “data monitoring obligation.” While anonymization procedures must be regularly evaluated according to the state of the art, (correctly) anonymized data are and remain anonymous until a (new) personal reference is established through new processing at a later time.
Finally, the BfDI holds that the additional requirements of the GDPR must be observed. These include in particular sufficient privacy notices and – usually – also a data protection impact assessment (“PIA”). The latter in particular is probably to be reviewed critically. There are good arguments against the necessity of such a PIA, which is why in many cases a (full) PIA will not be necessary, particularly where the personal reference has been removed.
Prospects and practical relevance for companies
The BfDI’s Position Paper, within the scope of its responsibility for federal administration and in the postal and telecommunications sector, is most certainly not the end of the discussion relating to anonymization under data protection laws. State supervisory authorities had also expressed differing views in the consultation process. At the same time, several statements by the BfDI are welcome clarifications.
However, a more differentiated approach is necessary. Handling of data (not everything is “processing”) as well as complying with GDPR requirements, such as a (full) PIA or a “data monitoring obligation,” are aspects that require a more distinctive approach. Such an approach may enable companies to make use of their often-quoted data treasures in a manner that is compliant with data protection laws.
SKW Schwarz will continue to actively participate in this discussion.