Data protection: 4 criteria to evaluate, if data subject is identifiable
As was already examined at dataitlaw.com, one of the best ways, how to use data for commercial or other purposes, is to make them anonymous. Once data are anonymous, there is no need to satisfy legal requirements for personal data processing. Apart from that, according to the principle of minimization of personal data use, data controllers or processors should use anonymous or pseudonymous data where possible.
Despite differences in legal regulation of personal data in the global perspective, the majority of national legislation includes the requirement of “information relating to an identified or identifiable natural person”, as specified for instance by Article 2(a) of the Directive 95/46/EC (find full text here, referred to as “Directive”). Once information is not identifiable to a natural person, it is anonymous information.
The article gives a brief overview of criteria to determine if certain information satisfies the requirements of no identification to specific natural person. Since it is not about a particular country, but tries to give a general overview, it is necessary to analyze these criteria in more detail on a national level and with a legal help.
a. Possibility to identify
Firstly, it is a common principle that once information is identified to a specific individual and the person is distinguished from all other members of the group, it represents personal data. However, information is also personal, if it is “identifiable”, “linkable” or “likely to be ascertained” to a specific individual. Accordingly, the personal data legislation also covers the mere possibility to identify.
b. The relativity of identification
Another principle is the relativity of identification, as specified for instance in Explanatory Memorandum to Recommendation R (97) 18 of the Council of Europe. It is always necessary to analyze, if in the particular situation it is possible to identify the person. The same information might lead to the identification of the person under specific conditions, but would not lead to the identification under other conditions. Accordingly, it is always necessary to analyze the specific situation.
c. Reasonability
The majority of legislation, such as Recital 26 of the Directive or Section 6 of Australian Privacy Act 1988, include the principle that for identification, account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the said person. A mere hypothetical possibility to single out the individual should not be enough to consider the person as “identifiable”.
How to analyze reasonability? According to the Opinion No. 4/2007 of the Working Party (referred to as “Opinion”), the criteria include cost of conducting identification, the intended purpose, the way the processing is structured, the advantage expected by the controller, the interests at stake for the individuals, as well as the risk of organisational dysfunctions (e.g. breaches of confidentiality duties) and technical failures. Similarly to the principle of relativity, it is necessary to analyze the specific situation.
d. The change in time
The reasonability of identification may change in time due to technological advancement. This leads to an interesting question of the relation between development of technology and anonymity of data. Is it enough that data were anonymous at the time of their processing?
The definition of personal data reads: “information relating to an identified or identifiable natural person”. It seems that at any time, data collectors or processors are obliged to prove that their anonymous data are not identifiable to natural person. Similarly, in European context, the Working Party had expressed in the Opinion No. 4/2007, that “this test is a dynamic one and should consider the state of the art in technology at the time of the processing and the possibilities for development during the period for which the data will be processed.”
Accordingly, it seems that it is the task of data controller or processor to prove that data are anonymous at any time. That’s why, the aspect of possible change of identification in time must be taken into account before deciding to make data anonymous.
Conclusion
The purpose of this article was to give a brief overview of the requirements for the identification of information to an individual. It is enough that there is a possibility to identify a person, but the means to identify must be reasonable. The analysis should always cover the specific situation, since the identification is relative. This also means that the reasonability to identify an individual might change in time due to technological developments.
There is a certain level of insecurity in the “anonymization” of data, especially due to their relative nature and the possibility to change in time. That’s why, future data collectors or processors should take these risks into account. The solution is more technical than legal. Furthermore, it seems that companies should keep track of technological developments and regularly analyze the possibility to identify data that seemed anonymous at the time of processing.
Do not hesitate to comment or contact us, in case that you have any questions or experience with these issues.
Note: This article is intended as a summary of issues. Its purpose is not a to provide legal advice or create an attorney-client relationship between you and the author of this article.