EU mulls almost-anonymisation of folks' data to cut biz some slack

What does it matter if millions of 'Joe Bloggs' records are leaked?

Officials from justice departments across the EU have been asked to explore to what extent the pseudonymisation of personal data can be used to "calibrate" businesses' obligations to data protection.

Pseudonymisation (such as assigning fake names to people), as opposed to anonymisation (complete stripping of identity), allows the same individual to be assigned the same pseudonym across various data sets.

This information can then be linked or grouped together for analysis without putting the original sensitive data at risk, thus potentially cutting the number of data-protection rules and regulations companies must follow.
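The linkage property described above, as an added example that is not part of the original article: two constructed data sets are pseudonymised and then joined on the pseudonym alone. It assumes keyed pseudonyms derived with HMAC-SHA256 (the article only mentions assigning fake names); the function names, field names, keys and records are all hypothetical.

```python
import hashlib
import hmac

def pseudonym(identifier: str, key: bytes) -> str:
    """Deterministic keyed token: same person and same key give the same pseudonym."""
    norm = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, norm, hashlib.sha256).hexdigest()[:16]

def pseudonymise(records, key, id_field="name"):
    """Drop the identifying field and add its pseudonym as 'pid'."""
    out = []
    for rec in records:
        row = {k: v for k, v in rec.items() if k != id_field}
        row["pid"] = pseudonym(rec[id_field], key)
        out.append(row)
    return out

def link(left, right):
    """Join two pseudonymised data sets using only the pseudonym."""
    index = {}
    for row in right:
        index.setdefault(row["pid"], []).append(row)
    return [{**l, **r} for l in left for r in index.get(l["pid"], [])]

# Constructed sample data and keys (assumptions for illustration only).
KEY = b"constructed-demo-key"
OTHER_KEY = b"another-constructed-key"
PURCHASES = [{"name": "Alice Example", "spend": 120},
             {"name": "Bob Sample", "spend": 45}]
VISITS = [{"name": "alice example ", "visits": 7},
          {"name": "Carol Test", "visits": 2}]

def demo():
    """Return (rows linked under one key, rows linked across different keys)."""
    p = pseudonymise(PURCHASES, KEY)
    same_key = link(p, pseudonymise(VISITS, KEY))
    cross_key = link(p, pseudonymise(VISITS, OTHER_KEY))
    return same_key, cross_key

if __name__ == "__main__":
    linked, unlinked = demo()
    print("linked under one key:", linked)
    print("linked across keys:  ", unlinked)
```

Whoever holds the key can recompute a pseudonym from a known name, so the data remains re-identifiable to the key holder, which is the difference from anonymisation drawn above.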

The Irish Presidency of the Council of Ministers has asked an agenda-setting body within the Council to ask the Council to formally invite the Working Party on Information Exchange and Data Protection (DAPIX) to look into the issue.

The Irish Presidency said that some EU member states have expressed opposition to "the level of prescriptiveness" of some provisions proposed by the European Commission that, if introduced, would overhaul rules on data protection in the EU.

The Presidency has therefore called on DAPIX to look at whether the pseudonymisation of personal data can be a tool for reducing businesses' obligations under the new framework.

The Commission first published its draft General Data Protection Regulation last year. If backed it would introduce a single data protection law across all 27 EU member states. Since then separate scrutiny of the proposals has been taking place within the two EU organisations that would need to agree on a new framework before it could be introduced - the European Parliament and Council of Ministers.

Risk to people's rights when handling sensitive data

Under the Commission's proposals it would be mandatory for organisations to conduct data protection impact assessments before conducting personal data processing activities that present "specific risks" to individuals' rights. Organisations would additionally have to seek prior authorisation from data protection authorities to proceed with processing in such cases.

However, the Irish Presidency said that "some" EU member states had raised objections with the plans. The Ministry of Justice in the UK has previously claimed that the provisions were disproportionate and overly bureaucratic and costly for businesses to adhere to.

"Some member states question the obligation to engage in prior consultation with the supervisory authority where such an [impact] assessment indicates that the proposed processing operations are indeed likely to present a high degree of specific risk," the Irish Presidency said in its note to the Committee of Permanent Representatives (COREPER). "Processing could not then commence during the suggested consultation period."

Some member states are also pushing for rules regarding the appointment of data protection officers (DPOs) to be watered down, according to the Irish Presidency's note. Those countries oppose draft provisions which would force certain organisations, including those involved in "risky processing", to employ DPOs, and instead believe that there should be incentives for businesses to appoint DPOs on an optional basis, it said.

"Some Member States, while accepting the designation of a data protection officer in case of risky processing, nonetheless consider that designation should be optional rather than mandatory," the note said. "Moreover, some benefit in terms of lighter obligations should apply in cases where such an officer is designated. This would help to incentivise the designation of such officers."

The Irish Presidency said that a section of the Commission's draft Regulation, which sets out the responsibilities of data controllers and data processors under the proposed new regime, needs to be "further refined in order to establish criteria for distinguishing different types of risk that may entail different types of obligations on the controller" and said that this should take into account the needs of micro, small and medium-sized businesses.

It also said that there needs to be further assessment of "whether, and if so how" pseudonymisation "can contribute to the calibrating of controllers' and processors' data protection obligations while maintaining protection levels".

Nailing down exactly what's at stake when processing private info

DAPIX should therefore be instructed to develop criteria that can allow organisations to "distinguish risk levels" in their personal data processing "in order to calibrate the application of their data protection obligations" and also look into whether pseudonymisation can be considered "as a means of calibrating" organisations' obligations under the new framework, the Irish Presidency said.

A committee of MEPs in the European Parliament, tasked with scrutinising the proposed data protection reforms, recently backed plans which would enable pseudonymised processing to take place without the consent of the individuals to whom the data relates. The Industry, Research and Energy Committee is one of four European Parliament committees looking into the data protection reforms. The lead committee is the one on Civil Liberties, Justice and Home Affairs (LIBE), which is due to vote on its own report in April.

LIBE's paper, if backed, would form the basis of the Parliament's position during negotiations with the Council of Ministers. Parliament and Council negotiators will seek to agree on a single framework to put to a formal vote of the full Parliament and Ministers across the EU.

The UK's data protection watchdog, the Information Commissioner, has previously said that whilst it believes pseudonymised data should be classed as "personal data", it believes there is a case for absolving organisations from some data protection responsibilities when dealing with pseudonymised information.

Copyright © 2013, Out-Law.com

Out-Law.com is part of international law firm Pinsent Masons.
