Download this Paper Open PDF in Browser

Anonymization and Risk

59 Pages Posted: 19 Aug 2015 Last revised: 12 Aug 2017

Ira Rubinstein

New York University (NYU) - Information Law Institut

Woodrow Hartzog

Northeastern University School of Law and College of Computer and Information Science; Stanford Law School Center for Internet and Society

Date Written: August 17, 2015

Abstract

Perfect anonymization of data sets that contain personal information has failed. But the process of protecting data subjects in shared information remains integral to privacy practice and policy. While the deidentification debate has been vigorous and productive, there is no clear direction for policy. As a result, the law has been slow to adapt a holistic approach to protecting data subjects when data sets are released to others. Currently, the law is focused on whether an individual can be identified within a given set. We argue that the best way to move data release policy past the alleged failures of anonymization is to focus on the process of minimizing risk of reidentification and sensitive attribute disclosure, not preventing harm. Process-based data release policy, which resembles the law of data security, will help us move past the limitations of focusing on whether data sets have been “anonymized.” It draws upon different tactics to protect the privacy of data subjects, including accurate deidentification rhetoric, contracts prohibiting reidentification and sensitive attribute disclosure, data enclaves, and query-based strategies to match required protections with the level of risk. By focusing on process, data release policy can better balance privacy and utility where nearly all data exchanges carry some risk.

Keywords: Privacy, anonymization, deidentification, data release, risk, data security, open data

Suggested Citation

Rubinstein, Ira and Hartzog, Woodrow, Anonymization and Risk (August 17, 2015). 91 Washington Law Review 703 (2016); NYU School of Law, Public Law Research Paper No. 15-36. Available at SSRN: https://ssrn.com/abstract=2646185

Ira Rubinstein (Contact Author)

New York University (NYU) - Information Law Institut ( email )

40 Washington Square South
New York, NY 10012-1301
United States

Woodrow Hartzog

Northeastern University School of Law and College of Computer and Information Science ( email )

416 Huntington Avenue
Boston, MA 02115
United States

HOME PAGE: http://https://www.northeastern.edu/law/faculty/directory/hartzog.html

Stanford Law School Center for Internet and Society ( email )

Palo Alto, CA
United States

HOME PAGE: http://cyberlaw.stanford.edu/profile/woodrow-hartzog

Paper statistics

Downloads
947
Rank
19,294
Abstract Views
7,165