Viewing the GDPR through a De-Identification Lens: A Tool for Compliance, Clarification, and Consistency
International Data Protection Law (Oxford University Press), Volume 8, Issue 1, 1 February 2018, Pages 86–101
22 Pages Posted: 1 Feb 2017 Last revised: 16 Jun 2018
Date Written: November 3, 2017
In May 2018, the General Data Protection Regulation (GDPR) will become enforceable as the basis for data protection law in the European Economic Area (EEA). Compared to the 1995 Data Protection Directive that it will replace, the GDPR reflects a more developed understanding of de-identification as encompassing a spectrum of different techniques and strengths. And under the GDPR, different levels of de-identification have concrete implications for organizations’ compliance obligations – including, in some cases, relief from certain obligations. Thus, organizations subject to the GDPR can and should consider de-identification as a key tool for GDPR compliance.
Nevertheless, there are many respects in which GDPR obligations remains unclear. Regulators and policymakers can help advance the rights of data subjects and further the objectives of the GDPR, while providing additional clarity, by interpreting, applying, and enforcing these GDPR provisions in a way that encourages and rewards the appropriate use of de-identification.
This article examines how the GDPR addresses de-identification. It reviews several substantive obligations under the GDPR, including notice, consent, data subject rights to access or delete personal data, data retention limitations, data security, breach notification, privacy by design and by default, and others. In each case, it describes how the use of different levels of de-identification can play a role in complying with the relevant obligations. It proposes that the incentives to apply de-identification found in these provisions should be reinforced by guidance and enforcement decisions that will reward the use of de-identification and encourage the highest practical level of de-identification. Such an approach will bring clarity to the rules, enable practical tools for compliance, help foster greater consistency with data protection regimes in other jurisdictions, and advance the purposes of the regulation.
Keywords: privacy, data protection, europe, anonymization, identity, security
Suggested Citation: Suggested Citation