Inferring the Meaning of Non-personal, Anonymized, and Anonymous Data

  • Conference paper
AI Approaches to the Complexity of Legal Systems XI-XII (AICOL 2020, AICOL 2018, XAILA 2020)

Abstract

Aware of the dynamism of data and its processing, this paper investigates the problem of having two mutually exclusive definitions of personal and non-personal data in the legal framework in force. The taxonomic analysis of key terms and their context of application highlights the risk of crystallizing the whole system upon which the digital single market is built, suffocating its future development. With this premise, the paper discusses the extent of the two main data processing tools provided by the GDPR, questioning the ex-ante categorization of data and its outcome, supporting stakeholders in overcoming this issue.

Notes

  1. https://ec.europa.eu/digital-single-market/en/data-policies-and-legislation-timeline.

  2. A European strategy for data, Brussels, 19.2.2020, COM(2020) 66 final.

  3. The European Commission confirms that data and artificial intelligence (AI) can help find solutions to many of society’s problems, from health to farming, from security to manufacturing. However, it also stresses the risks posed by AI. It stresses the need to enforce it adequately to address the risks that AI systems create.

  4. https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52020PC0767&from=EN.

  5. https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52021PC0206&from=EN.

  6. https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52020PC0825&from=en.

  7. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

  8. Regulation (EU) 2018/1807 of the European Parliament and of the Council of 14 November 2018 on a framework for the free flow of non-personal data in the European Union.

  9. In this regard, refer to the first Report on the evaluation of the GDPR published by the Commission in June 2020: https://ec.europa.eu/info/sites/info/files/1_en_act_part1_v6_1.pdf.

  10. See the program Gaia-X, https://www.data-infra-strucure.eu/GAIAX/Navigation/EN/Home/home.html.

  11. The report stresses that “the Commission will continue to focus on promoting convergence of data protection rules as a way to ensure safe data flows”.

  12. Ibid, 10.

  13. The author affirms that a sustainable IoT Big Data management can be effectively designed only after decomposing the set of drivers and objectives for security/privacy of data as well as innovation into: 1) the regulatory and social policy context; 2) economic and business context; and 3) technology and design context. By identifying these distinct objectives for the design of IoT Big Data management, a more effective design and control is possible.

  14. In order to clarify the concept, the WP29 04/2007 on the concept of Personal Data states that the contextual presence of 4 elements connotes personal data: 1) Any information, 2) Relating to, 3) An identified or Identifiable, 4) Natural Person.

  15. Commission Staff Working Paper, Brussels, 25.1.2012, SEC(2012) 72 final, Impact Assessment.

  16. The Directive was also complemented by several instruments providing specific data protection rules in the area of police and judicial cooperation in criminal matters (ex third pillar), including Framework Decision 2008/977/JHA.

  17. These diversities are extensively treated in the Impact Assessment.

  18. On this point see, as an example, the judgment in Case C-582/14: Patrick Breyer v Bundesrepublik Deutschland.

  19. Specifically, on the nature of processed data, Data Protection Authorities (hereinafter referred to as DPAs) considered encoded or pseudonymised data as identifiable and thus, as such, as personal data in relation to the actors who have means (the “key”) for re-identifying the data, but not in relation to other persons or entities (e.g. Austria, Germany, Greece, Ireland, Luxembourg, Netherlands, Portugal, UK). In other Member States all data which can be linked to an individual were regarded as “personal”, even if the data are processed by someone who has no means for such re-identification (e.g. Denmark, Finland, France, Italy, Spain, Sweden). DPAs in those Member States are “generally less demanding” with regard to the processing of data that are not immediately identifiable, taking into account the likelihood of the data subject being identified as well as the nature of the data.

  20. Guidance on the Regulation on a framework for the free flow of non-personal data in the European Union, Brussels, 29.5.2019, COM(2019) 250 final.

  21. A timid attempt to overcome this problem is contained in the proposal for the Data Governance Act, where the Commission proposes to create a formal expert group, the European Data Innovator Boards.

  22. The Commission’s policy aims to align European Standards as much as possible with the international standards adopted by the recognized International Standardization Organizations ISO, IEC and ITU. This process is called “primacy of international standardization”, meaning that European standards should be based on International standards (COM(2011)-311, point 7). For more information, cf.: https://ec.europa.eu/growth/single-market/european-standards/policy/international-activities_en.

  23. ISO/IEC 27701:2019 (formerly known as ISO/IEC 27552 during the drafting period) is a privacy extension to ISO/IEC 27001. The design goal is to enhance the existing Information Security Management System (ISMS) with additional requirements in order to establish, implement, maintain, and continually improve a Privacy Information Management System (PIMS). The standard outlines a framework for Personally Identifiable Information (PII) Controllers and PII Processors to manage privacy controls to reduce the risk to the privacy rights of individuals.

  24. For example, those referred to businesses, those referred to industrial machinery, stars data like the ones related to Mars, labs data on chemical reactions, etc.

  25. As such, must comply with the test of compatibility in accordance with the guidelines provided by the Working Party 29 Opinion 03/2013 on purpose limitation and with the de-anonymization risk test as per the Working Party 29 Opinion 05/2014.

  26. International Standard Organization (ISO/IEC) 29100:2011 Information technology – Security techniques – Privacy framework (Technologies de l’information – Techniques de sécurité – Cadre privé).

  27. According to Art. 4(5) GDPR ‘pseudonymization’ means “the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person”.

  28. Pseudonymization is a de-identification process referenced in the GDPR as both a security and a data-protection-by-design mechanism. There are different levels and scenarios of pseudonymity and, as for the anonymization process, different levels of security. See in detail: https://www.enisa.europa.eu/publications/pseudonymisation-techniques-and-best-practices.

  29. The Article 29 Working Party (today EDPB – European Data Protection Board) was set up under the Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data. It provides the European Commission with independent advice on data protection matters and helps in the development of harmonized policies for data protection in the EU Member States. One of the main tasks of the Article 29 WP was to adopt Opinions without a binding character but fundamental in order to clarify critical data protection issues.

  30. “The possibility to isolate some or all records which identify an individual in the dataset” WP29 Opinion 05/2014 on Anonymization Techniques, WP216, (0829/14/EN). (2014).

  31. “The ability to link, at least, two records concerning the same data subject or a group of data subjects” WP29 Opinion 05/2014 on Anonymization Techniques, WP216, (0829/14/EN). (2014).

  32. “The possibility to deduce, with significant probability, the value of an attribute from the values of a set of other attributes” WP29 Opinion 05/2014 on Anonymization Techniques, WP216, (0829/14/EN). (2014).

  33. European Parliament resolution of 25 March 2021 (2020/2717(RSP)).

  34. The term pseudonymous stems from the Greek word “ψευδώνυμον (pseudṓnymon)” literally “false name”, from ψεῦδος (pseûdos), “lie, falsehood” and ὄνομα (ónoma), “name”.

  35. ISO 25237:2017 Health informatics—Pseudonymization. It contains principles and requirements for privacy protection using pseudonymization services for the protection of personal health information.

  36. Specifically, art. 25(1) says that “Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organizational measures, such as pseudonymization, which are designed to implement data-protection principles, such as data minimization, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects”.

  37. ENISA, Recommendations on shaping technology according to GDPR provisions. An overview on data pseudonymization, November 2018.

  38. ENISA, Pseudonymization techniques and best practices. Recommendations on shaping technology according to data protection and privacy provisions, November 2019.

  39. ENISA, Data Pseudonymisation: Advanced Techniques & Use Cases, January 2021.

  40. AEPD, Introduction to the hash function as a personal data pseudonymization technique, October 2019.

  41. ENISA, 2021.

  42. Art. 2, point (10) “‘data altruism’ means the consent by data subjects to process personal data pertaining to them, or permissions of other data holders to allow the use of their non-personal data without seeking a reward, for purposes of general interest, such as scientific research purposes or improving public services”, and art. 15 “Register of recognised data altruism organisations. (1) Each competent authority designated pursuant to Article 20 shall keep a register of recognised data altruism organisations. (2) The Commission shall maintain a Union register of recognised data altruism organisations. (3) An entity registered in the register in accordance with Article 16 may refer to itself as a ‘data altruism organisation recognised in the Union’ in its written and spoken communication.”

Author information

Correspondence to Emanuela Podda or Monica Palmirani.

Copyright information

© 2021 Springer Nature Switzerland AG

About this paper

Cite this paper

Podda, E., Palmirani, M. (2021). Inferring the Meaning of Non-personal, Anonymized, and Anonymous Data. In: Rodríguez-Doncel, V., Palmirani, M., Araszkiewicz, M., Casanovas, P., Pagallo, U., Sartor, G. (eds) AI Approaches to the Complexity of Legal Systems XI-XII. AICOL 2020, AICOL 2018, XAILA 2020. Lecture Notes in Computer Science, vol 13048. Springer, Cham. https://doi.org/10.1007/978-3-030-89811-3_19

  • DOI: https://doi.org/10.1007/978-3-030-89811-3_19

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-89810-6

  • Online ISBN: 978-3-030-89811-3

  • eBook Packages: Computer Science, Computer Science (R0)