Viewing the GDPR through a De-Identification Lens: A Tool for Compliance, Clarification, and Consistency

International Data Protection Law (Oxford University Press), Volume 8, Issue 1, 1 February 2018, Pages 86–101

22 Pages Posted: 1 Feb 2017 Last revised: 16 Jun 2018

See all articles by Mike Hintze

Mike Hintze

Hintze Law PLLC; University of Washington School of Law

Date Written: November 3, 2017

Abstract

In May 2018, the General Data Protection Regulation (GDPR) will become enforceable as the basis for data protection law in the European Economic Area (EEA). Compared to the 1995 Data Protection Directive that it will replace, the GDPR reflects a more developed understanding of de-identification as encompassing a spectrum of different techniques and strengths. And under the GDPR, different levels of de-identification have concrete implications for organizations’ compliance obligations – including, in some cases, relief from certain obligations. Thus, organizations subject to the GDPR can and should consider de-identification as a key tool for GDPR compliance.

Nevertheless, there are many respects in which GDPR obligations remains unclear. Regulators and policymakers can help advance the rights of data subjects and further the objectives of the GDPR, while providing additional clarity, by interpreting, applying, and enforcing these GDPR provisions in a way that encourages and rewards the appropriate use of de-identification.

This article examines how the GDPR addresses de-identification. It reviews several substantive obligations under the GDPR, including notice, consent, data subject rights to access or delete personal data, data retention limitations, data security, breach notification, privacy by design and by default, and others. In each case, it describes how the use of different levels of de-identification can play a role in complying with the relevant obligations. It proposes that the incentives to apply de-identification found in these provisions should be reinforced by guidance and enforcement decisions that will reward the use of de-identification and encourage the highest practical level of de-identification. Such an approach will bring clarity to the rules, enable practical tools for compliance, help foster greater consistency with data protection regimes in other jurisdictions, and advance the purposes of the regulation.

Keywords: privacy, data protection, europe, anonymization, identity, security

Suggested Citation

Hintze, Michael, Viewing the GDPR through a De-Identification Lens: A Tool for Compliance, Clarification, and Consistency (November 3, 2017). International Data Protection Law (Oxford University Press), Volume 8, Issue 1, 1 February 2018, Pages 86–101. Available at SSRN: https://ssrn.com/abstract=2909121 or http://dx.doi.org/10.2139/ssrn.2909121

Michael Hintze (Contact Author)

Hintze Law PLLC ( email )

505 Broadway E #151
Seattle, WA 98102
United States

University of Washington School of Law ( email )

William H. Gates Hall
Box 353020
Seattle, WA 98105-3020
United States

Register to save articles to
your library

Register

Paper statistics

Downloads
638
rank
38,837
Abstract Views
1,983
PlumX Metrics