Bridging Policy, Regulation, and Practice? A Techno-Legal Analysis of Three Types of Data in the GDPR
in 'Data Protection and Privacy: The Age of Intelligent Machines' Edited by Ronald Leenes Rosamunde van Brakel, Serge Gutwirth and Paul De Hert, Hart Publishing, 2017.
39 Pages Posted: 12 Sep 2017
Date Written: September 1, 2017
Abstract
The paper aims to determine how the General Data Protection Regulation (GDPR) could be read in harmony with Article 29 Working Party’s Opinion on anonymisation techniques. To this end, based on an interdisciplinary methodology, a common terminology to capture the novel elements enshrined in the GDPR is built, and, a series of key concepts (i.e. sanitisation techniques, contextual controls, local linkability, global linkability, domain linkability) followed by a set of definitions for three types of data emerging from the GDPR are introduced.
Importantly, two initial assumptions are made:
1) the notion of identifiability (i.e. being identified or identifiable) is used consistently across the GDPR (e.g. Article 4 and Recital 26);
2) the Opinion on Anonymisation Techniques is still good guidance as regards the classification of re-identification risks and the description of sanitisation techniques.
It is suggested that even if these two premises seem to lead to an over-restrictive approach, this holds true as long as contextual controls are not combined with sanitisation techniques. Yet, contextual controls have been conceived as complementary to sanitisation techniques by the drafters of the GDPR. The paper concludes that the GDPR is compatible with a risk-based approach when contextual controls are combined with sanitisation techniques.
Keywords: personal data, anonymisation, pseudonymisation, GDPR, identified
JEL Classification: K29, K39
Suggested Citation: Suggested Citation