A principled approach to defining anonymization
47 Pages Posted: 11 May 2022 Last revised: 6 Sep 2024
Date Written: May 9, 2022
Abstract
The concept of anonymization plays a central role in data protection law, defining a broad category of information that falls outside the scope of regulation, and thereby enabling companies, government agencies, and researchers to carry out a wide range of data processing activities. Yet, despite the significance of the concept, it is undertheorized and poorly articulated in regulatory guidance.
This article puts forth principles for the regulation of anonymization, and for data protection regulation more broadly. It also provides model language as a starting point for explicitly incorporating these principles into data protection guidance. These principles are grounded in the past 20+ years of research in data privacy. These principles are not intended as absolutes, but better anonymization techniques and regulations will generally satisfy more of these principles - or are the principles intended to be exhaustive.
Keywords: Information Privacy, Data Protection, EDPL, Anonymization, Deidentification
JEL Classification: C00, K10, K19, K30, K39
Suggested Citation: Suggested Citation