BfDI: Position paper on anonymization

The German Federal Commissioner for Data Protection and Freedom of Information (BfDI; responsible for public data protection, but in the telecommunications [TC] sector also for private individuals) has – following a public hearing – published a position paper on anonymization under the GDPR, with particular reference to the TC sector.

Concept of anonymization

The BfDI first addresses the concept of anonymization, which is not explicitly defined in the GDPR. The starting point is the concept of personal data: what is anonymous is not personal data. As with the definition of personal data, no absolute standard therefore applies:

Absolute anonymization in such a way that it is not possible for anyone to re-establish the reference to a person is often not possible and is generally not required by data protection law. As a rule, it is sufficient that the reference to a person is removed in such a way that re-identification is practically not feasible because the personal reference can only be restored with a disproportionate effort in terms of time, costs and manpower.

Legal basis of anonymization without deletion

The anonymization process itself represents a processing of personal data and requires – according to the GDPR – a legal basis. In particular, the question arises as to when anonymization still represents a compatible purpose and is covered by the original legal basis.

In this context, it is particularly pleasing to note that the BfDI assumes that a compatible purpose can be based on the legal basis of the original purpose and then does not require an independent legal basis. This can be based on sentence 2 of recital 50, but is disputed in the doctrine.

Anonymization is compatible in this sense if the criteria according to Article 6 (4) of the GDPR are met. Here, the BfDI states that the purpose of anonymization is not to remove the reference to a person, but “the underlying actual interest of the controller”; this should therefore be included in the consideration. In my opinion, this is wrong, because the underlying interest does not relate to the processing of personal data and must therefore be excluded from consideration under data protection law. From the point of view of the BfDI, it would be permissible, for example, to anonymize customer data in order to determine the distribution of services by region and age cohorts.

Anonymization as deletion equivalent

The BfDI further states that anonymization is permissible if deletion is as well, because anonymization is basically equivalent to deletion:

According to the systematics of the GDPR, deleting the data is therefore apparently only one of several possibilities to fulfill the requirements of Art. 5 (1) (e) GDPR. It is then not necessary if the personal reference can be effectively eliminated by anonymization. […] It follows that in the case where only anonymized information, i.e. information without personal reference, is available, the obligations under the GDPR and thus also the obligation to any further storage limitation under Art. 5(1)(e) GDPR do not apply.

It could be argued against the possibility of fulfilling the deletion obligation through anonymization that a residual risk of re-identification remains with anonymization compared to deletion. However, it can be argued against this that both processes – deletion and anonymization – entail a removal of the personal reference and that even deletion does not necessarily lead to a final destruction of the data. The fact that erasure and destruction are two alternative processing operations is also clarified by the wording “the deletion or destruction” in Art. 4 No. 2 GDPR. This reasoning can also be applied to the right to erasure under Art. 17 GDPR.

From the point of view of the BfDI, the obligation to delete personal data can only be fulfilled by anonymization if the personal data were collected lawfully (cf. Art. 17(1)(a) GDPR).

Incidentally, the Austrian data protection authority has also decided this way.

More hints

Finally, the BfDI points to special legal regulations of anonymization, in this case of the German telecommunications legislation, to the transparency obligation of the responsible party and to data protection impact assessments. Regarding the latter:

In the case of anonymization, the person responsible must usually assume that a high risk exists because the criterion of “large-scale processing” and, at least currently, the criterion of “new technologies” regularly apply to anonymization. […] As a rule, a data protection impact assessment must be carried out before anonymization.