Once personal data is anonymised, it is not regulated by the GDPR. Therefore anonymised datasets can be used for example for product development or improved services. But can an organisation do that without getting into trouble?
The Spanish telecommunication company, Telefonica, has been selling anonymised datasets for years and see it as a new needed revenue stream in times where phone services have gotten cheaper or free. The Danish telecommunication company, TDC, decided against it some years ago, as the company thought it was not ethical selling the data without proper consent from those individuals behind the data.
The case of anonymisation is full of challenges. Lots of data brokers and others sell anonymised datasets and companies and others are buying them to enrich their existing data. But are anonymisation techniques efficient? And what are the risk of being recognised and identified in the data sets? To illustrate such risk, a Danish man, Otto Jensen, was identified from a so-called anonymised location data set by the Danish tv-station TV2. It is often very easy to de-anonymise data sets, especially when data is tagged with location data.
De-anonymisation Should Be Illegal
The increased amount of data in all sectors and the availability of technologies to collect and analyse data, makes the German proposal from a Data Ethik Kommission back in 2019 about forbidding de-anomymisation a very good idea. Here, three years after, the Germans are still working at the idea. The Federal Government has made a coalition agreement, whereby they de-anonymisation is illegal and punishable.
“We promote anonymization techniques, create legal certainty through standards, and introduce the criminal liability illegal de-anonymisation,” says the Koalitionsvertrag 2021 – 2025.
The plan of the German federal government on promoting digital citizen rights encompasses this law-making proposal on sanctioning de-anonymisation. Therefore, this topic – including creating awareness of caveats concerning various cases of (de-)anonymisation – is part of the discussion among the independent German Federal and State Data Protection Supervisory Authorities (German abbreviation “DSK“).
The State Data Protection Commissioner of Schleswig-Holstein, Marit Hansen, puts it this way:“Naively implementing the idea of sanctioning de-anonymisation could cause unwanted side effects. In particular, controllers or processors may have little incentives for employing sufficient anonymisation methods or improving them if the penal code ruled ‘attacking’ the anonymisation function unlawful.”
She points out that research on methods for data protection or security regularly are based on trying to circumvent or otherwise attack the systems employing those methods.
“If attacking anonymisation methods was criminalised, this may hinder research on anonymisation – but we are in need of better understanding and improvements of anonymisation methods,” she says.
In her opinion, this also affects controllers or processors who should be able to scrutinize their anonymisation methods, e.g. for conducting a proper DPIA (anonymisation is explicitly mentioned in the list of criteria for a DPIA).
Yes from Users
As the use of anonymised datasets are legal, the ethics behind selling and buying them should be considered. Also because it often happens in a grey zone from data brokers.
According to DataEthics.eu the principle of individual data control should apply also to anonymised data sets. Hence, the users should be informed about the inclusion of their data in anonymised datasets and about disclosure or planned sales to third party, and also, if possible, give consent. If a company or academic researchers are capitalising on anomymised data sets, the users should at least have access to the results and possibly benefit from them.
What is most needed now is to ensure that:
- those using anonymised datasets disclose information about it and preferably notify the data subjects
- control mechanisms are established to check and monitor if applied anonymisation techniques are efficient
- politicians introduce legislation forbidding de-anonymisation of datasets.