Feeds

EU mulls almost-anonymisation of folks' data to cut biz some slack

What does it matter if millions of 'Joe Bloggs' records are leaked?

Combat fraud and increase customer satisfaction

Officials from justice departments across the EU have been asked to explore to what extent the pseudonymisation of personal data can be used to "calibrate" businesses' obligations to data protection.

Pseudonymisation (such as assigning fake names to people), as opposed to anonymisation (complete stripping of identity), allows the same individual to be assigned the same pseudonym across various data sets.

This information can then be linked or grouped together for analysis without putting the original sensitive data at risk, thus potentially cutting the number of data-protection rules and regulations companies must follow.

The Irish Presidency of the Council of Ministers has asked an agenda-setting body within the Council to ask the Council to formally invite the Working Party on Information Exchange and Data Protection (DAPIX) to look into the issue.

The Irish Presidency said that some EU member states have expressed opposition to "the level of prescriptiveness" of some provisions proposed by the European Commission that, if introduced, would overhaul rules on data protection in the EU.

The Presidency has therefore called on DAPIX to look at whether the pseudonymisation of personal data can be a tool for reducing businesses' obligations under the new framework.

The Commission first published its draft General Data Protection Regulation last year. If backed it would introduce a single data protection law across all 27 EU member states. Since then separate scrutiny of the proposals have been taking place within the two EU organisations that would need to agree on a new framework before it could be introduced - the European Parliament and Council of Ministers.

Risk to people's rights when handling sensitive data

Under the Commission's proposals it would be mandatory for organisations to conduct data protection impact assessments before conducting personal data processing activities that present "specific risks" to individuals' rights. Organisations would additionally have to seek prior authorisation from data protection authorities to proceed with processing in such cases.

However, the Irish Presidency said that "some" EU member states had raised objections with the plans. The Ministry of Justice in the UK has previously claimed that the provisions were disproportionate and overly bureaucratic and costly for businesses to adhere to.

"Some member states question the obligation to engage in prior consultation with the supervisory authority where such an [impact] assessment indicates that the proposed processing operations are indeed likely to present a high degree of specific risk," the Irish Presidency's said in its note to the Committee of Permanent Representatives (COREPER). "Processing could not then commence during the suggested consultation period."

Some member states are also pushing for rules regarding the appointment of data protection officers (DPOs) to be watered down, according to the Irish Presidency's note. Those countries oppose draft provisions which would force certain organisations, including those involved in "risky processing", to employ DPOs, and instead believe that there should be incentives for businesses to appoint DPOs on an optional basis, it said.

"Some Member States, while accepting the designation of a data protection officer in case of risky processing, nonetheless consider that designation should be optional rather than mandatory," the note said. "Moreover, some benefit in terms of lighter obligations should apply in cases where such an officer is designated. This would help to incentivise the designation of such officers."

The Irish Presidency said that a section of the Commission's draft Regulation, which sets out the responsibilities of data controllers and data processors under the proposed new regime, needs to be "further refined in order to establish criteria for distinguishing different types of risk that may entail different types of obligations on the controller" and said that this should take into account the needs of micro, small and medium-sized businesses.

It also said that there needs to be further assessment of "whether, and if so how" pseudonymisation can "can contribute to the calibrating of controllers' and processors' data protection obligations while maintaining protection levels".

Nailing down exactly what's at stake when processing private info

DAPIX should therefore be instructed to develop criteria that can allow organisations to "distinguish risk levels" in their personal data processing "in order to calibrate the application of their data protection obligations" and also look into whether pseudonymisation can be considered "as a means of calibrating" organisations' obligations under the new framework, the Irish Presidency said.

A committee of MEPs in the European Parliament, tasked with scrutinising the proposed data protection reforms, recently backed plans which would enable pseudonymised processing to take place without the consent of the individuals to whom the data relates. The Industry, Research and Energy Committee is one of four European Parliament committees looking into the data protection reforms. The lead committee is the one on Civil Liberties, Justice and Home Affairs (LIBE) which is due to vote on the its own report in April.

LIBE's paper, if backed, would form the basis of the Parliament's position during negotiations with the Council of Ministers. Parliament and Council negotiators will seek to agree on a single framework to put to a formal vote of the full Parliament and Ministers across the EU.

The UK's data protection watchdog, the Information Commissioner has previously said that whilst it believes pseudonymised data should be classed as "personal data", it believes there is a case for absolving organisations from some data protection responsibilities when dealing with pseudonymised information.

Copyright © 2013, Out-Law.com

Out-Law.com is part of international law firm Pinsent Masons.

Top three mobile application threats

More from The Register

next story
EU: Let's cost financial traders $400m a day, because EVIL BANKERS. Right?
Wait 'til this one hits your pension fund where it hurts
Systems meltdown plunges US immigration courts into pen-and-paper stone age
Massive outage could last four weeks, sources claim
Lavabit loses contempt of court appeal over protecting Snowden, customers
Judges rule complaints about government power are too little, too late
UK.gov chucks £28m at F1 tech for buses and diggers plan
Well, not really F1 but who's heard of LMP and VLN*?
Don't let no-hire pact suit witnesses call Steve Jobs a bullyboy, plead Apple and Google
'Irrelevant' character evidence should be excluded – lawyers
Record labels sue Pandora over vintage song royalties
Companies want payout on recordings made before 1972
Edward Snowden on his Putin TV appearance: 'Why all the criticism?'
Denies Q&A cameo was meant to slam US, big-up Russia
Ex-Tony Blair adviser is new top boss at UK spy-hive GCHQ
Robert Hannigan to replace Sir Iain Lobban in the autumn
Judge halts spread of zombie Nortel patents to Texas in Google trial
Epic Rockstar patent war to be waged in California
prev story

Whitepapers

Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mainstay ROI - Does application security pay?
In this whitepaper learn how you and your enterprise might benefit from better software security.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.