Anony­mizati­on in data pro­tec­tion law and “anony­mizati­on” in per­so­na­li­ty law

EN 
EN  DE  FR 

from

on

Indu­stries

Aut­ho­ri­ty

Laws

Topics

, , ,
Take-Aways (AI)
  • Anony­mizati­on remo­ves per­so­nal refe­rence if iden­ti­fi­ca­ti­on is no lon­ger pos­si­ble with rea­sonable effort (rela­ti­ve standard).
  • GDPR takes into account “any means” that could rea­son­ab­ly be used for iden­ti­fi­ca­ti­on (Reci­tal 26).
  • Pseud­ony­mizati­on con­siders per­so­nal data from the per­spec­ti­ve of tho­se wit­hout a key; it remains within the scope of the GDPR.
  • Data pro­tec­tion rights dif­fer from per­so­nal rights: data pro­tec­tion fic­ti­tious inf­rin­ge­ment, the bur­den of justi­fi­ca­ti­on and pro­of lies with the infringer.

Anony­mizati­on in data pro­tec­tion law…

Anony­mizati­on refers to the pro­cess by which data is chan­ged in such a way that it is no lon­ger pos­si­ble to iden­ti­fy the per­son con­cer­ned. Howe­ver, the stan­dard is not abso­lu­te: the decisi­ve fac­tor is that the per­so­nal refe­rence can no lon­ger be estab­lished with rea­sonable effort. This fol­lows from the defi­ni­ti­on of “per­so­nal data”: anony­mizati­on is the pro­cess that results in a spe­ci­fic data no lon­ger fal­ling under the legal defi­ni­ti­on of per­so­nal data. Howe­ver, a rela­ti­ve stan­dard also applies under the GDPR, as can be seen in reci­tal 26 in particular:

In order to deter­mi­ne whe­ther a natu­ral per­son is iden­ti­fia­ble, the fol­lo­wing should be con­side­red All means taken into account by the per­son respon­si­ble or by ano­ther per­son. are likely to be used accor­ding to gene­ral judgmentto iden­ti­fy the natu­ral per­son direct­ly or indirectly.

Con­se­quent­ly, this rela­ti­ve mea­su­re applies (cf. here) also applies to anony­mizati­on (also in Swiss data pro­tec­tion law; for the con­cept of per­so­nal data, see the Logi­step decis­i­on and for anony­mizati­on the decis­i­on VPB 70.73).

For the Pseud­ony­mizati­on (Art. 4(5) GDPR), the same applies in prin­ci­ple, but the per­spec­ti­ve is dif­fe­rent: whe­ther a data is per­so­nal is not con­side­red here in the abstract, but from the per­spec­ti­ve of spe­ci­fic indi­vi­du­als -. for that per­son, which does not have the key, the per­so­nal data is in any case pro­vi­sio­nal­ly anony­mous (which, in con­trast to anony­mizati­on, does not yet lead out of the scope of the GDPR).

… and in the right of personality

This applies in data pro­tec­tion law – but in media report­ing, a dif­fe­rent idea of anony­mizati­on applies. The Press Coun­cil recent­ly had to deal with this (not for the first time) (Opi­ni­on 32/2016):

On Novem­ber 25, 2015, the “Beob­ach­ter” published a focus on the topic of ana­bo­lic ste­ro­ids. On nine pages, the maga­zi­ne descri­bed how lar­ge this mar­ket was, show­ed the con­nec­tion with the gro­wing fit­ness indu­stry, and pro­vi­ded infor­ma­ti­on about the dan­gers of ana­bo­lic ste­ro­ids and other drugs. Two text sec­tions illu­stra­ted, based on an indict­ment, the methods used by a dealer.

This man, listed as an exam­p­le, com­plai­ned to the Press Coun­cil: He had not been anony­mi­zed enough in the artic­le, his envi­ron­ment had been able to reco­gnize that he was meant. The Press Coun­cil rejects this objec­tion: Sin­ce the “Beob­ach­ter” chan­ged the first name and only men­tio­ned the first let­ter of the last name, it suf­fi­ci­ent­ly respec­ted the pri­va­cy of the com­plainant. Thus, at most, the clo­sest envi­ron­ment could still reco­gnize who it was, but not third par­ties who only lear­ned of the event through the media.

[…]

The rea­son for this, howe­ver, is not – or at least not sole­ly – that a public inte­rest is assu­med in the acti­vi­ties of the media and con­se­quent­ly a dif­fe­rent stan­dard is applied. Rather, the­re is a con­cep­tu­al dif­fe­rence bet­ween the right to data pro­tec­tion and the gene­ral right to privacy:

  • A Vio­la­ti­on of per­so­na­li­ty pre­sup­po­ses a cer­tain inten­si­ty of inter­fe­rence or, to put it ano­ther way, a con­cre­te impair­ment that can only be deter­mi­ned on the basis of the cir­cum­stances and in the assess­ment of which, for exam­p­le, the social ade­qua­cy of the beha­vi­or under review must be taken into account (in other words, cer­tain impairm­ents must be accept­ed as unavo­ida­ble in the clo­se social environment).
  • This is in the Data pro­tec­tion law dif­fer­ent­ly: in the event of a vio­la­ti­on of the pro­ce­s­sing prin­ci­ples, a vio­la­ti­on of per­so­na­li­ty is not only pre­su­med but fakedas can be seen in Art. 12 (2) FADP. What is still accep­ta­ble in per­so­na­li­ty law is not neces­s­a­ri­ly so in data pro­tec­tion law, becau­se a vio­la­ti­on occurs more quick­ly and admis­si­bi­li­ty the­r­e­fo­re depends on justi­fi­ca­ti­on. So the­re is no gray area here on the fac­tu­al level – only in the area of justi­fi­ca­ti­on, which may mate­ri­al­ly amount to the same thing; but the bur­den of pro­of for the facts lea­ding to justi­fi­ca­ti­on lies here not with the inf­rin­ged par­ty, but with the inf­ring­er. For this rea­son, among others, the que­sti­on of the rela­ti­on­ship bet­ween data pro­tec­tion law and the gene­ral right of per­so­na­li­ty in the media is an important one, and in my opi­ni­on data pro­tec­tion law should app­ly to the media (cf. this unit).