Is AEPD Blog a Foreshadowing of Upcoming EDPB Guidance?

The Spanish data protection authority (AEPD) has been active in anonymization guidance. Is this AEPD guidance a foreshadowing of the upcoming EDPB guidance on anonymization and pseudonymization in 2023?


The following summary and FAQs highlight key points from the AEPD's recent guidance titled Anonymization III: The risk of re-identification.


SUMMARY

  • Anonymizing data is not an easy opt-out of the GDPR.


  • Determining whether data is anonymized applies to the entire life of the data (i.e., the life of the data subject it relates to), and determining whether the data meets the standard of anonymization must be continually reviewed.


  • To meet the GDPR standard of anonymization, you must consider a worst-case re-identification scenario (including the use of additional data, attacks by malicious actors, internal access, and government requests, or a combination thereof) and take steps, with accountability in the process, to ensure that re-identification nonetheless cannot occur.


  • Any residual risk remaining after an accountable anonymization process has been completed must be mitigated using additional measures; otherwise, the anonymization process itself will not be lawful under the GDPR.


FAQs

Q1: What level of protection against re-identification does the AEPD say is required under the GDPR?

A1: State-of-the-art protection against re-identification, including in worst-case conditions, is required.

The AEPD says: “The anonymization processing is not a trivial process. The person in charge must employ the right professionals, with knowledge of the state of the art in anonymization techniques, and with experience in reidentification attacks. After an accountable and suitable anonymization processing for the data set, it must be assessed through analysis and practical tests that it is not possible to re-identify the data set. For this purpose, worst-case conditions must be considered, such as attempts at re-identification by internal or external persons, with access to auxiliary data, even those only available by illegal means, by court orders or by information agencies. It should be taking into account that they have adequate resources and the controller should extrapolate the possible evolution of known techniques. If under these conditions the whole, or just a part of the dataset can be re-identified, there would be no question about risk of re-identification, that dataset is simply not anonymous.”

Q2: Does the AEPD expect perfection?

A2: No. The data controller must undertake practical tests to determine the likelihood of re-identification, and this process must be accountable. If any possibility of re-identification risk is present, the data controller must apply additional measures that go beyond anonymization to reduce the residual probability of re-identification risk.

The AEPD acknowledges that “…there is no human activity that reaches perfection and there will always be a residual probability of reidentification that must be assumed by the controller. This residual probability means accepting that total and absolute infallibility does not exist”… [however] … “The controller has to assess the impact of a re-identification on the fundamental rights of data subjects. In turn, assuming that there is always a residual probability of re-identification, the controller should assess the risk of re-identification faced by data subjects and apply additional measures to reduce that risk if necessary.”

Q3: What interplay does the AEPD see between anonymization and accountability under the GDPR?

A3: Failing to address residual re-identification risks following anonymization is tantamount to failing to satisfy accountability obligations (see GDPR Article 5(2), see also GDPR Article 24). Additional measures must be taken to reduce the risks of re-identification.

The AEPD says that "Applying a simplified vision of the anonymization processing, with automatisms, without formal analysis, and ignoring a validation phase of the final result means failing to comply with the obligations of accountability…If there is a significant impact on the rights of individuals, taking into account that there is a residual probability of re-identification to be assumed, certain measures will have to be taken to reduce the risk to data subjects."

Q4: Is it safe to assume that once data is determined to be “anonymous” that it is outside the scope of the jurisdiction of the GDPR and the data controller has no further obligations?

A4: No. Data controllers remain responsible for the lawfulness of processing used to create anonymous data, which includes obligations of accountability (as noted in Q3 above) as well as necessity and proportionality under the GDPR. Data controllers must take a future-focused approach to anonymization, recognising that data that is anonymous now may not be in the future. True anonymization requires a continual re-evaluation of the status of the data set, including any additional information, technologies, or processes that have come into effect since the initial assessment of anonymity.

The AEPD states that “The life of a personal data is as long as that of the data subject”…“If there is a significant impact on the rights of individuals, taking into account that there is a residual probability of re-identification to be assumed, certain measures will have to be taken to reduce the risk to data subjects.” [and] “If an anonymization processing cannot generate a set of data with the necessary quality requirements, such processing will not comply with the requirement of necessity to which all processing legitimized by Articles 6(1)(b) to 6(1)(f) of the GDPR. If, on the other hand, the risk of re-identification does not meet proportionality criteria, then alternatives to anonymization will have to be taken into account.”


To learn more about the requirements for GDPR-compliant anonymization and pseudonymization, download a copy of the peer-reviewed law journal article "Technical Controls that Protect Data in Use and Prevent Misuse."



For information on Statutory Pseudonymization, join the LinkedIn Statutory Pseudonymization group, with 9,400+ senior legal, privacy, data use, and innovation executives as members.



To learn about Anonos award-winning Data Embassy anonymization and pseudonymization software, visit us at anonos.com.
