WP29: anonymisation techniques

10 April 2014

Homepage | News
G 29

Anonymisation: escape from the regulation on personal data

The WP 29 has published its opinion about the main anonymisation techniques, in order to explain how to implement them.

The WP opinion recalled that an anonymisation processis a processing of personal data within the meaning of Directive 95/46 / EC. It also clarified “that anonymized data do fall out of the scope of data protection legislation” (unlike pseudonymised data).

Does the 1995 Directive apply to anonymised data?

It also analysed how to evaluate an anonymization solution. Thus, it argued that an anonymization solution must be built on a case-by-case basis and adapted to the intended uses. 

How to evaluate an anonymization solution?

In order to help evaluate a good anonymization solution, the WP 29 proposed three criteria:

  • Singling out , which corresponds to the possibility to isolate some or all records which identify an individual in the dataset;
  • Likability, which is the ability to link, at least, two records concerning the same data subject or a group of data subjects (either in the same database or in two different databases). If an attacker can establish (e.g. by means of correlation analysis) that two records are assigned to a same group of individuals but cannot single out individuals in this group, the technique provides resistance against “singling out” but not against likability;
  • Inference, which is the possibility to deduce, with significant probability, the value of an attribute from the values of a set ofother attributes”.

So :

  • adataset for which it is not possible to individualize or correlate or infer is a priori anonymous;
  • a dataset for which at least one of the three criteria is not met can only be considered anonymous after a detailed re-identification risk analysis.

The techniques of anonymisation 

The Opinion WP29 also described the main anonymisation techniques used today.

These techniques are grouped around two main principles: transform the data so that they no longer refer to a real person and generalize the data so that they are no longer specific to one person but common to a set of people. For each technique, an analysis of its strengths and weaknesses against the three evaluation criteria is provided, as well as practical recommendations for its use.

Anonymisation and re-identification of data are particularly active research topics and therefore it is essential for any data controller implementing anonymisation solutions to carry out a regular monitoring to preserve, over time, the anonymous nature of the data produced.

Lien vers l’article > 

The right to dereference established by the CJEU