Preface
The importance of data for the digital transformation of German industry is increasingly becoming the focus of digital policy discussion. In its European strategy for data, the EU Commission aims at creating a single market for data based on European values and standards, which particularly addresses the high level of data protection in Europe.
In order to turn the national and European data economy into a successful model solution with a high level of data protection, Europe must now find practical solutions for the use of anonymized data as quickly as possible. After all, anonymized data holds great potential for the economic value chain if it is tapped using statistical and analytical methods. This does not necessitate compromising the level of data protection.
Many industrial companies are under constantly increasing competitive pressure to optimize their data-based production and business processes. For the development of digital business models, they are dependent on the use of anonymized data. In the absence of a sufficiently differentiated legal framework and in view of the lack of technical standards, this is, however, difficult in practice.
GDPR-compliant anonymization of personal data remains a risky undertaking in view of the probable inconsistent interpretation by data protection authorities and the severe fines in the event of a data breach. When in doubt, companies therefore often shy away from the efficient use of anonymized data. Concerns about the violation of data protection regulations should no longer prevent companies from developing digital business models. Europe must significantly increase the pace of legally compliant handling of data if it seriously wants to make up for the digitalization gap and the required data usage.
This cross-sector guide is intended to clarify some fundamental questions for companies. Best practice examples from industry will provide guidance on how to anonymize personal data in the most legally secure way. We would be delighted if this guide can make a contribution to the better use of anonymized data in practice.
Iris Plöger
Member of the executive board, Federation of German Industries
Dr Bertram Burtscher
Partner, head of the TMT Sector Group (Vienna), Freshfields Bruckhaus Deringer LLP
01 Introduction
The data protection requirements of the GDPR and the German Federal Data Protection Act (BDSG) apply to “personal data,” i.e. information that relates directly or indirectly to natural persons. The processing of personal data is only permitted if there is a legal basis. In addition, the data protection regulations provide for further obligations of the data controller, which should, for example, ensure the principles of lawfulness, fairness and transparency, purpose limitation, data minimization, integrity and accountability. Therefore, not all analyses or other uses of personal data that are useful or necessary for digital innovation or other economic applications are permitted under data protection law.
On closer inspection, however, it is not necessary to use personal data in many cases. If the data is “valuable” for the controller or third parties even without information relating to identified or identifiable natural persons, anonymization provides the option of using this data without being subject to the strict data protection regulations. One major challenge is that there are hardly any specific guidelines that explain the circumstances under which data will be considered anonymous in the time of big data. In particular, the term “anonymization” is used very inconsistently in practice. For example, replacing initial letters of names in court decisions has been referred to as “anonymization,” although from a legal point of view this is at best a (weak) pseudonymization.1
This guide is dedicated to companies in the private sector and is intended to provide an overview of the data protection law framework for possible anonymization measures. For public administration and in particular law enforcement authorities, additional requirements may apply that are not the subject of this guide. Sector-specific particularities (e.g. for financial institutions, telecommunications services or the health, pharmaceutical or automotive industries, etc.) are not discussed in detail in this guide, as further framework conditions may have to be taken into account.
This guide cannot replace legal advice in specific cases, nor does it cover all issues in this context. This guide is also expressly not a technical guide for the concrete implementation of anonymization measures. The editors and authors are not liable for the content of this guide.
1 Cf. for example Berlin Administrative Court, ruling of 27 February 2020 – 27 L 43/20, ZD 2020, 324.
In an increasingly digitized society, data is of immense importance. The data strategy of the European Commission of February 2020 also sees enormous advantages of big data for European citizens, especially in the area of mobility. With the creation of a single market for data, data should be able to be shared for the benefit of companies, researchers and public administration.2 However, this change presents companies with growing challenges: driving digital innovation while at the same time complying with the complex requirements for the protection of personal data remains a challenge for commercial companies in all sectors even two years after the General Data Protection Regulation (GDPR) came into effect, supplemented by the provisions of the German Federal Data Protection Act (BDSG), not least because of the lack of binding guidance in the practical implementation of the sometimes new and rigorously sanctioned legal requirements.
Against this background, there is an enormous interest in the industry in anonymizing data in order to fall effectively outside the scope of the data protection regulations and thus to benefit from data-based value creation. This guide supports companies in managing this task. It gives decision-makers and specialists in the corporate areas entrusted with data protection issues, such as IT, law, compliance and data protection, quick access to the concept of “anonymization” and, taking into account specific solution strategies from a broad spectrum of industry, seeks to outline a path towards best practices in order to achieve compliance with the legal requirements for effective anonymization.
The data protection requirements of the GDPR and the BDSG apply to “personal data,” i.e. information that relates directly or indirectly to natural persons. The processing of personal data is only permitted if there is a legal justification. In addition, the data protection regulations provide for further obligations of the data controller, which should, for example, ensure the principles of lawfulness and transparency, purpose limitation, data minimization, integrity and accountability. Therefore, not all analyses or other uses of personal data that are useful or necessary for digital innovation or other economic applications are permitted under data protection law.
2 European data strategy – The EU as a model for a digital society, available at https://ec.europa.eu/info/strategy/priorities-2019-2024/europe-fit-digital-age/european-data-strategy_de.