Bridging Policy, Regulation, and Practice? A Techno-Legal Analysis of Three Types of Data in the GDPR

in 'Data Protection and Privacy: The Age of Intelligent Machines' Edited by Ronald Leenes Rosamunde van Brakel, Serge Gutwirth and Paul De Hert, Hart Publishing, 2017.

39 Pages Posted: 12 Sep 2017

See all articles by Runshan Hu

Runshan Hu

University of Southampton

Sophie Stalla-Bourdillon

Vrije Universiteit Brussel (VUB); University of Southampton

Mu Yang

University of Southampton

Valeria Schiavo

Luiss Guido Carli University

Vladimiro Sassone

University of Southampton

Date Written: September 1, 2017

Abstract

The paper aims to determine how the General Data Protection Regulation (GDPR) could be read in harmony with Article 29 Working Party’s Opinion on anonymisation techniques. To this end, based on an interdisciplinary methodology, a common terminology to capture the novel elements enshrined in the GDPR is built, and, a series of key concepts (i.e. sanitisation techniques, contextual controls, local linkability, global linkability, domain linkability) followed by a set of definitions for three types of data emerging from the GDPR are introduced.

Importantly, two initial assumptions are made:

1) the notion of identifiability (i.e. being identified or identifiable) is used consistently across the GDPR (e.g. Article 4 and Recital 26);

2) the Opinion on Anonymisation Techniques is still good guidance as regards the classification of re-identification risks and the description of sanitisation techniques.

It is suggested that even if these two premises seem to lead to an over-restrictive approach, this holds true as long as contextual controls are not combined with sanitisation techniques. Yet, contextual controls have been conceived as complementary to sanitisation techniques by the drafters of the GDPR. The paper concludes that the GDPR is compatible with a risk-based approach when contextual controls are combined with sanitisation techniques.

Keywords: personal data, anonymisation, pseudonymisation, GDPR, identified

JEL Classification: K29, K39

Suggested Citation

Hu, Runshan and Stalla-Bourdillon, Sophie and Yang, Mu and Schiavo, Valeria and Sassone, Vladimiro, Bridging Policy, Regulation, and Practice? A Techno-Legal Analysis of Three Types of Data in the GDPR (September 1, 2017). in 'Data Protection and Privacy: The Age of Intelligent Machines' Edited by Ronald Leenes Rosamunde van Brakel, Serge Gutwirth and Paul De Hert, Hart Publishing, 2017. , Available at SSRN: https://ssrn.com/abstract=3034261

Runshan Hu

University of Southampton ( email )

University Rd.
Southampton SO17 1BJ, Hampshire SO17 1LP
United Kingdom

Sophie Stalla-Bourdillon (Contact Author)

Vrije Universiteit Brussel (VUB) ( email )

Pleinlaan 2
http://www.vub.ac.be/
Brussels, 1050
Belgium

University of Southampton ( email )

University Rd.
Southampton SO17 1BJ, Hampshire SO17 1LP
United Kingdom

Mu Yang

University of Southampton ( email )

University Rd.
Southampton SO17 1BJ, Hampshire SO17 1LP
United Kingdom

Valeria Schiavo

Luiss Guido Carli University ( email )

Rome
Italy

Vladimiro Sassone

University of Southampton ( email )

University Rd.
Southampton SO17 1BJ, Hampshire SO17 1LP
United Kingdom

Do you have a job opening that you would like to promote on SSRN?

Paper statistics

Downloads
833
Abstract Views
3,183
Rank
47,348
PlumX Metrics