18 Aug The anonymisation of personal data: new clarifications by the Supervisory Authority
Authors: Marco Emanuele Carpenelli, Francesca Tugnoli, Eleonora Margherita Auletta
The recent intervention by the Italian Supervisory Authority
The Provision of 1 June 2023 (“Decision”)[1] by the Italian Supervisory Authority confirms its own jurisprudence and the guidance by the Article 29 Working Party in its well-known Opinion 5/2014[2]. The Decision offers new and interesting insights into the enforcement techniques required to ensure the complete anonymisation of personal data.
The aforementioned Decision originates from the report of a medical doctor. He complained of an alleged infringement of the rules on personal data protection by the company to which he had undertaken to transmit the data of his patients in exchange of a series of advantages and benefits, including economic ones. This is after subjecting the data to a process of anonymisation, a process that later proved to be inadequate. In particular, the general practitioners taking part in the initiative were required to add a further function (so-called ‘add-on’) to the management software in use with the aim of automatically anonymising the personal data of the patients and, subsequently, conveying them to the company’s database.
However, as already anticipated, as a result of the investigation conducted by the Supervisory Authority, it became clear that the ‘add-on’ mentioned by the company did not make it possible to effectively anonymise the information acquired from the medical practitioners, but merely ‘pseudonymised’ it. Therefore, an unlawful processing of data was carried out in violation of the principles of lawfulness and transparency set out in Article 5(1)(a) of Regulation (EU) 2016/679 (hereinafter, ‘GDPR’).
Let us find out why.
The objections of the Supervisory Authority: the inadequacy of the measures implemented by the company in carrying out the anonymisation of personal data
The above-mentioned ‘add-on’ functionality did not appear to be capable of ensuring the anonymisation of personal data transmitted by the general medical practitioners. This is because:
– Since it is based on replacing the patient’s ID with an irreversible unique cryptographic code (‘hash’), it does not guarantee the removal of singularities (so-called ‘single out’), which is the necessary requirement to qualify the processing as anonymisation[3]. A fundamental requirement for anonymisation is that the process must prevent a person from being ‘isolated’ in a group of persons, thus tracing them back and ‘identifying’ them indirectly[4];
– the Decision of an additional organisational measure carried out by a third party in charge of the processing did not prove, in the opinion of the Data Protection Authority, to be suitable to remove the unique association between the individual and the code with which he was represented in the database, and was therefore not a sufficient measure. In particular, the third party was centrally responsible for discarding or performing additional operations to replace the hash with a progressive code on records which, due to their statistical characteristics, might present significant risks of re-identification. In fact, this organisational measure merely made the re-identification of the data subject more complex, without preventing the presence of singularities in the final dataset at the third party; and
– with a view of ensuring greater guarantees of anonymity, the company had recently introduced a new measure inspired by the so-called k-anonymity[5], a technique that ensures the generalisation of patient data in similar groups (e.g., the same age and location). In implementing this measure, the company however neglected the consideration that the k-anonymity technique loses its effectiveness when, as is the issue in the Decision, a hash is linked to each individual, even if made more complex by the presence of an unknown disturbance element (the so-called “salt”), and this hash is uniquely associated with the various records contained in the tables.
Conclusions
In light of the considerations above, the Supervisory Authority has found that the processing in question cannot be qualified as “anonymisation” but rather as a form of “pseudonymisation” within the meaning of Article 4(5) of the GDPR. In this regard, the aforementioned techniques constitute mere organisational measures aimed at ensuring the security of the processing, since they favour a greater complexity in the reconciliation between the patient’s identity and their medical history, but they are not capable of undermining the nature of the personal data processed, which therefore remains subject to the GDPR[6].
Operational takeaways: what lessons to draw from the Decision?
In the light of the Decision, what is confirmed is, the evident ‘relative’ nature of the concept of ‘personal data’, i.e., depending on the information context in which it is placed (Article 4(1) of the GDPR).
In other words, in order to establish whether or not data actually has the nature of ‘personal data’, it is necessary to carefully explore the informational context in which the data itself is placed, verifying whether the data controller still retains the actual possibility of tracing the natural persons in question. This must be done by linking all the different components of its information assets, including those available to third parties forming part of its organisational network. In this sense:
– where the data controller is still able to re-identify data subjects, the data must still be considered personal data, even if pseudonymised, and this will entail the application of data protection legislation; and
– if the data controller is no longer able to re-identify the data subjects, the data shall not be considered personal data and any use thereof shall be considered irrelevant for the purposes of the data protection legislation.
[1] Provision of 1 June 2023 [doc. web n. 9913795].
[2] WP29, Opinion 05/2014 on Anonymisation Techniques, adopted on 10 April 2014.
[3] See WP29, Opinion 05/2014 on Anonymisation Techniques, adopted on 10 April 2014: “Focusing only on the robustness of the encryption mechanism as a measure of the degree of “anonymisation” of a dataset is misleading as many other technical and organizational factors affect the overall security of an encryption mechanism or hash function”.
[4] In the Decision, the Supervisory Authority also points out that, in addition to single out, the anonymisation process must prevent an anonymised data from being linked to data referable to a person in a separate set of data (so-called ‘linkability’) and from deducing new information referable to a person from an anonymised data (so-called ‘inference’).
[5] According to the Decision, k-anonymity “[…] It involves grouping individuals based on specific combinations of attributes, appropriately generalized, so that each grouping includes at least k subjects that are indistinguishable from each other […]”.
[6] It should be noted, in fact, that only truly anonymous data escape the application of data protection law, as indicated in recital 26 of the GDPR.
