Anonymization and Risk

59 Pages Posted: 19 Aug 2015 Last revised: 12 Aug 2017

See all articles by Ira Rubinstein

Ira Rubinstein

New York University (NYU) - Information Law Institute

Woodrow Hartzog

Boston University School of Law; Stanford Law School Center for Internet and Society

Date Written: August 17, 2015

Abstract

Perfect anonymization of data sets that contain personal information has failed. But the process of protecting data subjects in shared information remains integral to privacy practice and policy. While the deidentification debate has been vigorous and productive, there is no clear direction for policy. As a result, the law has been slow to adapt a holistic approach to protecting data subjects when data sets are released to others. Currently, the law is focused on whether an individual can be identified within a given set. We argue that the best way to move data release policy past the alleged failures of anonymization is to focus on the process of minimizing risk of reidentification and sensitive attribute disclosure, not preventing harm. Process-based data release policy, which resembles the law of data security, will help us move past the limitations of focusing on whether data sets have been “anonymized.” It draws upon different tactics to protect the privacy of data subjects, including accurate deidentification rhetoric, contracts prohibiting reidentification and sensitive attribute disclosure, data enclaves, and query-based strategies to match required protections with the level of risk. By focusing on process, data release policy can better balance privacy and utility where nearly all data exchanges carry some risk.

Keywords: Privacy, anonymization, deidentification, data release, risk, data security, open data

Suggested Citation

Rubinstein, Ira and Hartzog, Woodrow, Anonymization and Risk (August 17, 2015). 91 Washington Law Review 703 (2016), NYU School of Law, Public Law Research Paper No. 15-36, Available at SSRN: https://ssrn.com/abstract=2646185

Ira Rubinstein (Contact Author)

New York University (NYU) - Information Law Institute ( email )

40 Washington Square South
New York, NY 10012-1301
United States

Woodrow Hartzog

Boston University School of Law ( email )

765 Commonwealth Avenue
Boston, MA 02215
United States

HOME PAGE: http://https://www.bu.edu/law/profile/woodrow-hartzog/

Stanford Law School Center for Internet and Society ( email )

Palo Alto, CA
United States

HOME PAGE: http://cyberlaw.stanford.edu/profile/woodrow-hartzog

Do you have a job opening that you would like to promote on SSRN?

Paper statistics

Downloads
1,800
Abstract Views
14,124
Rank
19,432
PlumX Metrics