Cyber Security

Anonymisation and pseudonymisation – a few considerations based on examples of COVID-19 apps

Written by Paulina Komorowska, CMS’ IP/TMT Group.

The outbreak of the COVID-19 pandemic has generated a new reality. The need to protect public health has prompted much discussion on the use of technology and data to keep the population safe. As a result, the anonymisation and pseudonymisation of data have, once again, become crucial.

To anonymise data, according to the Article 29 Data Protection Working Party, it must be “stripped of sufficient elements such that the data subject can no longer be identified”. The process of de-identifying a natural person must therefore be irreversible. There are many techniques for anonymising data; however, EU legislation does not prescribe a specific or preferred solution. What is key is that the standard for anonymisation is very high: any remaining possibility of identifying an individual disqualifies the data as anonymised. In such cases the data would usually be considered pseudonymised.

Based on the above criteria, practice has shown that certain categories of data are rather unlikely to be anonymised. Location data is one example. Anonymisation of location data is difficult to achieve, and in principle only location datasets, as opposed to individual location traces, can be anonymised at all.
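As a rough illustration of why only datasets, rather than individual traces, lend themselves to this, the following Python sketch coarsens individual location points into grid-cell counts and suppresses cells visited by fewer than K distinct users (a k-anonymity-style aggregation). This is a hypothetical sketch; the function names, grid precision and threshold K are illustrative assumptions, not a technique endorsed by the EDPB or the GDPR.

```python
# Illustrative sketch only: aggregate individual location points into
# coarse grid-cell counts so that no single person's trace is retained.
K = 5  # assumed minimum number of distinct users per published cell

def to_cell(lat: float, lon: float, precision: int = 2):
    """Snap a coordinate to a coarse grid cell (~1 km at precision=2)."""
    return (round(lat, precision), round(lon, precision))

def aggregate(points):
    """points: iterable of (user_id, lat, lon) tuples.
    Returns a mapping of grid cell -> number of distinct users,
    keeping only cells where at least K distinct users were seen."""
    users_per_cell = {}
    for user_id, lat, lon in points:
        users_per_cell.setdefault(to_cell(lat, lon), set()).add(user_id)
    return {cell: len(users) for cell, users in users_per_cell.items()
            if len(users) >= K}
```

Note that even such aggregation does not by itself guarantee anonymisation: sparse areas, repeated releases over time, or auxiliary data can still allow re-identification, which is why the robustness of any scheme must be assessed case by case.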

By contrast, pseudonymisation is a reversible process. Under the GDPR, pseudonymised personal data cannot be attributed to a particular individual without the use of additional information, which must be kept separately and securely. Pseudonymisation markedly reduces the risks of singling out, linking records and inference; however, it does not eliminate them entirely. Pseudonymised data therefore remains within the scope of data protection and is covered by the provisions of the GDPR. Pseudonymised data is often mistaken for anonymised data; the key factor in distinguishing them is the reversibility of the process.
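A minimal sketch of this idea, assuming a keyed hash over a direct identifier: the secret key and the re-identification table play the role of the “additional information” that must be kept separately and securely, and anyone holding them can re-link the records, which is exactly why the data remains personal data under the GDPR. All names here are hypothetical.

```python
import hmac
import hashlib

# Assumption for illustration: in practice this key would live in a
# separate, access-controlled store, never alongside the dataset.
SECRET_KEY = b"stored-separately-and-securely"

def pseudonymise(user_id: str) -> str:
    """Replace a direct identifier with a keyed pseudonym."""
    return hmac.new(SECRET_KEY, user_id.encode(), hashlib.sha256).hexdigest()

# Re-identification table: the "additional information" kept apart
# from the pseudonymised dataset. Its existence makes the process
# reversible, distinguishing pseudonymisation from anonymisation.
lookup = {}

def record(user_id: str) -> str:
    token = pseudonymise(user_id)
    lookup[token] = user_id
    return token

token = record("alice@example.com")
assert lookup[token] == "alice@example.com"  # reversible with the extra info
```

Destroying the key and the lookup table would remove the controller's own means of re-identification, but the data would still only count as anonymised if no one else retained a realistic means of identifying the individuals.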

In light of the current handling of the pandemic, it seems natural to set the above against the development of apps aimed at preventing the spread of COVID-19. At the moment, two models are under consideration: (i) location apps and (ii) contact tracing apps. Both are addressed in recently issued guidelines from the European Data Protection Board (EDPB).

With regard to apps using location data, the EDPB stressed that “preference should always be given to the processing of anonymised data rather than personal data”. However, as indicated at the outset, anonymisation of location data is exceptionally challenging. Furthermore, if the data is not anonymised, several legal requirements must be met before it can be accessed and processed. Geographic location data (other than traffic data) can only be obtained from electronic communications providers on the basis of the user’s consent. The same applies where location data is obtained from terminal equipment such as smartphones, save for technical storage or access for the sole purpose of transmitting a communication over an electronic communications network, or where it is strictly necessary to provide an information society service explicitly requested by the subscriber or user.

Presumably because of the difficulties related to the processing of location data, the EDPB seems to prefer contact tracing apps, which do not require the processing of individual users’ location but instead rely on proximity information. The EDPB also indicated that the processing of such data need not be based on consent but could rest on the performance of a task in the public interest. Regardless of which model eventually becomes our reality, the EDPB stressed that individual rights and freedoms must be responsibly safeguarded, ensuring that “every measure taken in these extraordinary circumstances are necessary, limited in time, of minimal extent and subject to periodic and genuine review as well as to scientific evaluation”.

It is undoubtedly a technological challenge to strike a balance between preserving a dataset’s utility and preventing de-anonymisation. The robustness of anonymisation should therefore be assessed continuously. Businesses and governments using location data solutions should consider the risk that datasets currently regarded as anonymised may, in effect, become merely pseudonymised. That assessment should always take into account the state of the art in anonymisation techniques.