
EU mulls almost-anonymisation of folks' data to cut biz some slack

What does it matter if millions of 'Joe Bloggs' records are leaked?


Officials from justice departments across the EU have been asked to explore to what extent the pseudonymisation of personal data can be used to "calibrate" businesses' obligations to data protection.

Pseudonymisation (such as assigning fake names to people), as opposed to anonymisation (complete stripping of identity), allows the same individual to be assigned the same pseudonym across various data sets.

This information can then be linked or grouped together for analysis without putting the original sensitive data at risk, thus potentially cutting the number of data-protection rules and regulations companies must follow.
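An added illustration, not part of the original article: one common way to give the same individual the same pseudonym across data sets is a keyed hash, so records can be linked without carrying the identifier itself. HMAC-SHA256, the key, the field names and the sample records are all assumptions constructed for this sketch.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed secret key; whoever holds it can re-identify, so it is stored
# separately from the pseudonymised data.
KEY = b"constructed-demo-key-not-for-production"

def pseudonym(identifier: str, key: bytes = KEY) -> str:
    """Map an identifier to a stable pseudonym using HMAC-SHA256."""
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:16]

def pseudonymise(records, id_field, key=KEY):
    """Drop the identifying field and attach the pseudonym in its place."""
    out = []
    for rec in records:
        clean = {k: v for k, v in rec.items() if k != id_field}
        clean["pid"] = pseudonym(rec[id_field], key)
        out.append(clean)
    return out

def link(*datasets):
    """Group records from several pseudonymised data sets by shared pseudonym."""
    merged = defaultdict(dict)
    for ds in datasets:
        for rec in ds:
            merged[rec["pid"]].update({k: v for k, v in rec.items() if k != "pid"})
    return dict(merged)

# Constructed sample data sets describing the same two individuals.
CLINIC = [{"email": "Ann@example.org", "diagnosis": "asthma"},
          {"email": "bob@example.org", "diagnosis": "diabetes"}]
PHARMACY = [{"email": "ann@example.org ", "drug": "salbutamol"},
            {"email": "bob@example.org", "drug": "metformin"}]

def demo():
    """Pseudonymise both sets with the same key, then link them."""
    return link(pseudonymise(CLINIC, "email"), pseudonymise(PHARMACY, "email"))

if __name__ == "__main__":
    for pid, fields in demo().items():
        print(pid, fields)
```

Linkage only works when every data set is pseudonymised under the same key; the remaining fields can still single a person out, which is why pseudonymised data is not the same as anonymised data.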

The Irish Presidency of the Council of Ministers has asked an agenda-setting body within the Council to ask the Council to formally invite the Working Party on Information Exchange and Data Protection (DAPIX) to look into the issue.

The Irish Presidency said that some EU member states have expressed opposition to "the level of prescriptiveness" of some provisions proposed by the European Commission that, if introduced, would overhaul rules on data protection in the EU.

The Presidency has therefore called on DAPIX to look at whether the pseudonymisation of personal data can be a tool for reducing businesses' obligations under the new framework.

The Commission first published its draft General Data Protection Regulation last year. If backed, it would introduce a single data protection law across all 27 EU member states. Since then, separate scrutiny of the proposals has been taking place within the two EU organisations that would need to agree on a new framework before it could be introduced - the European Parliament and Council of Ministers.

Risk to people's rights when handling sensitive data

Under the Commission's proposals it would be mandatory for organisations to conduct data protection impact assessments before conducting personal data processing activities that present "specific risks" to individuals' rights. Organisations would additionally have to seek prior authorisation from data protection authorities to proceed with processing in such cases.

However, the Irish Presidency said that "some" EU member states had raised objections with the plans. The Ministry of Justice in the UK has previously claimed that the provisions were disproportionate and overly bureaucratic and costly for businesses to adhere to.

"Some member states question the obligation to engage in prior consultation with the supervisory authority where such an [impact] assessment indicates that the proposed processing operations are indeed likely to present a high degree of specific risk," the Irish Presidency said in its note to the Committee of Permanent Representatives (COREPER). "Processing could not then commence during the suggested consultation period."

Some member states are also pushing for rules regarding the appointment of data protection officers (DPOs) to be watered down, according to the Irish Presidency's note. Those countries oppose draft provisions which would force certain organisations, including those involved in "risky processing", to employ DPOs, and instead believe that there should be incentives for businesses to appoint DPOs on an optional basis, it said.

"Some Member States, while accepting the designation of a data protection officer in case of risky processing, nonetheless consider that designation should be optional rather than mandatory," the note said. "Moreover, some benefit in terms of lighter obligations should apply in cases where such an officer is designated. This would help to incentivise the designation of such officers."

The Irish Presidency said that a section of the Commission's draft Regulation, which sets out the responsibilities of data controllers and data processors under the proposed new regime, needs to be "further refined in order to establish criteria for distinguishing different types of risk that may entail different types of obligations on the controller" and said that this should take into account the needs of micro, small and medium-sized businesses.

It also said that there needs to be further assessment of "whether, and if so how" pseudonymisation "can contribute to the calibrating of controllers' and processors' data protection obligations while maintaining protection levels".

Nailing down exactly what's at stake when processing private info

DAPIX should therefore be instructed to develop criteria that can allow organisations to "distinguish risk levels" in their personal data processing "in order to calibrate the application of their data protection obligations" and also look into whether pseudonymisation can be considered "as a means of calibrating" organisations' obligations under the new framework, the Irish Presidency said.

A committee of MEPs in the European Parliament, tasked with scrutinising the proposed data protection reforms, recently backed plans which would enable pseudonymised processing to take place without the consent of the individuals to whom the data relates. The Industry, Research and Energy Committee is one of four European Parliament committees looking into the data protection reforms. The lead committee is the one on Civil Liberties, Justice and Home Affairs (LIBE), which is due to vote on its own report in April.

LIBE's paper, if backed, would form the basis of the Parliament's position during negotiations with the Council of Ministers. Parliament and Council negotiators will seek to agree on a single framework to put to a formal vote of the full Parliament and Ministers across the EU.

The UK's data protection watchdog, the Information Commissioner, has previously said that whilst it believes pseudonymised data should be classed as "personal data", it believes there is a case for absolving organisations from some data protection responsibilities when dealing with pseudonymised information.

Copyright © 2013, Out-Law.com

Out-Law.com is part of international law firm Pinsent Masons.
