
EU mulls almost-anonymisation of folks' data to cut biz some slack

What does it matter if millions of 'Joe Bloggs' records are leaked?


Officials from justice departments across the EU have been asked to explore to what extent the pseudonymisation of personal data can be used to "calibrate" businesses' obligations to data protection.

Pseudonymisation (such as assigning fake names to people), as opposed to anonymisation (complete stripping of identity), allows the same individual to be assigned the same pseudonym across various data sets.

This information can then be linked or grouped together for analysis without putting the original sensitive data at risk, thus potentially cutting the number of data-protection rules and regulations companies must follow.
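As an added illustration (not part of the original article), the sketch below shows how one individual can receive the same pseudonym in two data sets so the records can be linked without the original identifier. It assumes a keyed HMAC-SHA256 as the pseudonymisation function, a key held separately by the data controller, and constructed sample records; the article does not name any particular method.

```python
import hashlib
import hmac

# Assumption: the key is held by the data controller, apart from the data sets.
SECRET_KEY = b"constructed-demo-key-not-for-production"


def pseudonym(identifier: str, key: bytes = SECRET_KEY) -> str:
    """Keyed, deterministic pseudonym: same person -> same token under one key."""
    normalised = identifier.strip().lower().encode("utf-8")
    return "P-" + hmac.new(key, normalised, hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, id_field, key=SECRET_KEY):
    """Replace the direct identifier in each record with its pseudonym."""
    out = []
    for rec in records:
        rest = {k: v for k, v in rec.items() if k != id_field}
        out.append({"pid": pseudonym(rec[id_field], key), **rest})
    return out


def link(left, right):
    """Join two pseudonymised data sets on the pseudonym alone."""
    by_pid = {r["pid"]: r for r in right}
    return [{**l, **by_pid[l["pid"]]} for l in left if l["pid"] in by_pid]


# Constructed sample data sets (hypothetical field names and values).
BILLING = [{"email": "joe.bloggs@example.com", "spend": 120},
           {"email": "ann.other@example.com", "spend": 75}]
SUPPORT = [{"email": "Joe.Bloggs@example.com ", "tickets": 3}]


def demo():
    """Pseudonymise both data sets, then link them without any e-mail address."""
    billing = pseudonymise(BILLING, "email")
    support = pseudonymise(SUPPORT, "email")
    return link(billing, support)


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Because the token depends on the key, data sets pseudonymised under different keys cannot be joined with each other, and whoever holds the key can re-derive a person's token from their identifier, which is why pseudonymised data remains linkable to an individual in a way anonymised data is not.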

The Irish Presidency of the Council of Ministers has asked an agenda-setting body within the Council to ask the Council to formally invite the Working Party on Information Exchange and Data Protection (DAPIX) to look into the issue.

The Irish Presidency said that some EU member states have expressed opposition to "the level of prescriptiveness" of some provisions proposed by the European Commission that, if introduced, would overhaul rules on data protection in the EU.

The Presidency has therefore called on DAPIX to look at whether the pseudonymisation of personal data can be a tool for reducing businesses' obligations under the new framework.

The Commission first published its draft General Data Protection Regulation last year. If backed, it would introduce a single data protection law across all 27 EU member states. Since then, separate scrutiny of the proposals has been taking place within the two EU organisations that would need to agree on a new framework before it could be introduced - the European Parliament and Council of Ministers.

Risk to people's rights when handling sensitive data

Under the Commission's proposals it would be mandatory for organisations to conduct data protection impact assessments before conducting personal data processing activities that present "specific risks" to individuals' rights. Organisations would additionally have to seek prior authorisation from data protection authorities to proceed with processing in such cases.

However, the Irish Presidency said that "some" EU member states had raised objections with the plans. The Ministry of Justice in the UK has previously claimed that the provisions were disproportionate and overly bureaucratic and costly for businesses to adhere to.

"Some member states question the obligation to engage in prior consultation with the supervisory authority where such an [impact] assessment indicates that the proposed processing operations are indeed likely to present a high degree of specific risk," the Irish Presidency said in its note to the Committee of Permanent Representatives (COREPER). "Processing could not then commence during the suggested consultation period."

Some member states are also pushing for rules regarding the appointment of data protection officers (DPOs) to be watered down, according to the Irish Presidency's note. Those countries oppose draft provisions which would force certain organisations, including those involved in "risky processing", to employ DPOs, and instead believe that there should be incentives for businesses to appoint DPOs on an optional basis, it said.

"Some Member States, while accepting the designation of a data protection officer in case of risky processing, nonetheless consider that designation should be optional rather than mandatory," the note said. "Moreover, some benefit in terms of lighter obligations should apply in cases where such an officer is designated. This would help to incentivise the designation of such officers."

The Irish Presidency said that a section of the Commission's draft Regulation, which sets out the responsibilities of data controllers and data processors under the proposed new regime, needs to be "further refined in order to establish criteria for distinguishing different types of risk that may entail different types of obligations on the controller" and said that this should take into account the needs of micro, small and medium-sized businesses.

It also said that there needs to be further assessment of "whether, and if so how" pseudonymisation "can contribute to the calibrating of controllers' and processors' data protection obligations while maintaining protection levels".

Nailing down exactly what's at stake when processing private info

DAPIX should therefore be instructed to develop criteria that can allow organisations to "distinguish risk levels" in their personal data processing "in order to calibrate the application of their data protection obligations" and also look into whether pseudonymisation can be considered "as a means of calibrating" organisations' obligations under the new framework, the Irish Presidency said.

A committee of MEPs in the European Parliament, tasked with scrutinising the proposed data protection reforms, recently backed plans which would enable pseudonymised processing to take place without the consent of the individuals to whom the data relates. The Industry, Research and Energy Committee is one of four European Parliament committees looking into the data protection reforms. The lead committee is the one on Civil Liberties, Justice and Home Affairs (LIBE), which is due to vote on its own report in April.

LIBE's paper, if backed, would form the basis of the Parliament's position during negotiations with the Council of Ministers. Parliament and Council negotiators will seek to agree on a single framework to put to a formal vote of the full Parliament and Ministers across the EU.

The UK's data protection watchdog, the Information Commissioner, has previously said that whilst it believes pseudonymised data should be classed as "personal data", it believes there is a case for absolving organisations from some data protection responsibilities when dealing with pseudonymised information.

Copyright © 2013, Out-Law.com

Out-Law.com is part of international law firm Pinsent Masons.
