The answer to this FAQ is provided by excerpting quotes from the expert panelists on the initial Schrems II webinar
which are summarized below:
Magali Feys (Anonos)
- Anonymisation to GDPR standards is very difficult and often impractical to achieve in today’s big data world without deleting important value from the data ecosystem for all time, significantly diminishing the value and potential innovation available from the data.
- Increasing availability of big data and ever-advancing processing capabilities means that what is “anonymous” today will not be “anonymous” for different use cases when additional data is available. As a result, relying on exclusion from GDPR jurisdiction is a high-risk, short-term strategy.
- Anonymisation is not the silver bullet that many believe because “obtaining truly anonymised data nowadays in the age of big data, machine learning, and the capacity to quickly interconnect various data sources and databases is very difficult if not virtually impossible to achieve.”
- Merely using terms like “Anonymisation” or “Pseudonymisation” is not enough. These terms must be supported using advanced organisation and technical measures to satisfy high GDPR requirements and described in a record of processing activities (ROPA) “in order to be relied upon to transfer the data outside of the EU.”
- One “hot potato” that we hope the EDPB provides an answer to is if you Pseudonymise personal data in the EU and keep the key necessary to re-identify the data in the EU and then transfer the data overseas to another country where they don't have access to the key, is the data considered “Anonymous” in that country for purposes of GDPR Chapter since there are no means reasonably likely to be used to de-identify the data.
“The problem with anonymisation really is and I think we'll come to that is that that's the only [information] you will have. And if you then for your purposes you need to have more [information]. Well, tough enough, that's the only [information] you're going to get … people trying to get out of under GDPR by applying anonymisation are actually limiting themselves with regard to innovation in the future. So, I think anonymisation can really only work case by case and I don’t think in all sectors as such.” Mark Webber (Fieldfisher)
“Anonymisation takes yourself out of the GDPR. It's not actually practical in many situations. Businesses need data... Yes, it removes us from the GDPR. Yes, it is difficult to do, and I think we can discount it from this conversation because if we can achieve true anonymisation, brilliant. But we can’t because we use data utility to all of Maggie’s points. In addition, a number of clients that we work with have a policy. There is no such thing as anonymisation in our business because frankly what’s anonymised today probably isn’t in 3 or 4 years’ time given the advent of computing or new technologies or pairing or singling out and the rest.” Anna Buchta (EDPS)
“So, data which is anonymised in principle is no longer personal data in the meaning of the GDPR. So, that might seem like the silver bullet that in one go solves all the problems with compliance, accountability, all the other obligations including in relation to transfers, of course. But there is a big but. There is considerable research also on the technical side that shows that true anonymisation obtaining truly anonymised data nowadays in the age of big data, machine learning, and the capacity to quickly interconnect various data sources and databases is very difficult if not virtually impossible to achieve.” Romain Robert (NOYB)
“Regarding anonymisation…If you don’t need the data anymore, they should be anonymised but not just because you transferred them. So, if you don’t need the data, they should be anonymised and then you are already not in the scope of the GDPR and the question of the transfer is not relevant anymore...We are working on cases where we will probably challenge this alleged anonymisation of companies transferring the data out of the EU. So, I hope that we are going to have a clear answer from the Court and from maybe the ECJ on this kind of question because we really think that is a crucial question. In this respect, if anonymisation and Pseudonymisation as presented by this company are real Pseudonymisation and real Anonymisation under the GDPR and whether it can be relied upon to transfer the data outside of the EU. So, we are working on this as well.” Patrick Van Eecke (Cooley)
“We heard that if you've got anonymous data, that it's not personal data. You're out of scope of the GDPR. You're out of scope of the Chapter 5 of the GDPR on data transfers. So, with anonymous data, you can actually transfer to anywhere in the world because it's anonymous...“Now, we know from Anna, that she has some doubts on full anonymisation. And yes, of course, we need to make sure that from a technical perspective, you do need to take into account the necessary measures to truly anonymise….“But if you go and look at Recital 26, these are two such important words, it says reasonably likely to be used. This is not binary. This means that all the means reasonably likely to be used to identify an individual. Well, then, of course, then it is not anonymous data… But actually, I want to take it one step further, namely Pseudonymisation. We all agree that Pseudonymisation as such is not anonymisation. It's not anonymous data. But if you put that discussion in the context of data transfers where you pseudonymise on EU territory the data, you keep the key, you transfer the data overseas to another country where they don't have access to the data, the country considers that the data over there are anonymous data. From a contextual perspective, yes because there are no means reasonably likely to be used to de-identify those data. If we would be able to make that statement, that means there is no Chapter 5 that should be applicable because there is no data transfer. Of course, this is something still waiting for the EDPB to come up with such kind of a bold statement. But this would be in certain scenarios it could be a solution…So, if you're having to pseudonymise and the controller has the key based in the European Union, you could claim that technically, indeed, that is not possible. So, I just want to put it on the table because I do know this is a topic that you can go in different directions to. But still, I do believe that this kind of hot potato is something that the EDPB should be discussing and should come up with a kind of what's the way forward on that.” John Bowman (Promontory)
“Every organization that is subject to the GDPR has to do a ROPA - the record of processing activities. So, before you even think about transferring the data, you got to know what your data processing activities are, sensitivity of the data, the legal basis that you base that processing upon, and if it's transferred out of the EU to a third country without an adequacy decision, what measures do you put in place. So, of course, this comes back to the Schrems question, enhanced and supplementary measures, which are based on SCC transfers and those could be technical and organizational measures. Obviously, we're still awaiting the guidance from the EDPB, which of course will be incredibly helpful when it comes. But, in the meantime, do everything that you can to protect that data in transit and ensure that the recipient has the appropriate safeguards in place.”