
7. Organizational implementation of the de facto anonymization by third parties


The controller can carry out an effective de facto anonymization of personal data itself or use a service provider. If the original data set cannot be deleted (for example due to statutory retention obligations or because justified processing of the original data set is to be carried out), the involvement of a third party may reduce the risk of re-identification. This is because if the third party deletes the original data set and other users (i.e., not the person holding the original data set) are only provided with the anonymized data set, a further security threshold has been created for the third party and these additional users with regard to possible re-identification. This procedure can also be a helpful organizational measure within a group of companies. In our opinion, however, the use of third parties is not mandatory, provided that internal structures (for example so-called Chinese walls) create organizational foundations that effectively exclude the consolidation of information that is available in a company.32

7.1 Organizational measures

In addition to the technical requirements for de facto anonymization, companies must also take accompanying organizational measures to ensure that re-identification is prevented. Such measures include authorization concepts that describe access rules for users or user groups, clear data governance structures (e.g. including the use of independent control bodies) that regulate the handling of and access to data as well as anonymization through standards and guidelines, but also contracts and directives that prohibit and sanction the re-identification of anonymized data. With the help of contractual provisions in particular, a controller can agree on how to act towards third parties in the event of (possibly unintentional) re-identification. This does not make the anonymization itself more effective, but it underlines and evidences the honest efforts of the controller to achieve an effective anonymization. A data protection authority may audit and evaluate these measures, for example when exercising its discretion and deciding on possible legal consequences.

7.2 Third-party liability under data protection law

If a third party (i.e., an external service provider or an affiliated group company) is called in for the de facto anonymization of the data, the distribution of roles under data protection law must be determined in more detail according to the general criteria.

7.2.1 Processor

If the third party only de-identifies personal data on the instructions of the controller, so that the commissioning company alone decides on the means and purpose of data processing, the third party is acting as a processor. Therefore, a data processing agreement would have to be concluded with the service provider within the meaning of Article 28 GDPR and also the other statutory requirements must be complied with.

In practice, it may occur that a processor would like to reserve the right to anonymize personal data for its own purposes (e.g. for internal analysis and statistical purposes). If it is assumed that the de facto anonymization constitutes data processing (see 3.2), the following problems arise with this approach:

- since in this case the processor does not act on the instructions of the client, there is a risk that it could be classified as a joint controller,

- the de facto anonymization may trigger information obligations (see 9.1) and

- if the anonymized data should become re-identifiable later (for example due to technical progress) and thus become personal, the data transmitted to the processor would have to be erased as well or replaced by “re-anonymized” data.

Therefore, this procedure and the corresponding consequences should be contractually excluded or clearly regulated between the parties (for example by agreeing on joint control for the activities in which the service provider does not act on behalf of the controller, if this represents joint control according to the GDPR, which also regulates the information and possible erasure obligations).

7.2.2 Joint control

The involvement of third parties can take place in such a way that the parties involved act as joint controllers for the processing (cf. Article 26 GDPR). This is the case if the (original) controller jointly determines the purposes and means of data processing with the third party.

Example:

The third party performing the de facto anonymization has an economic interest in the processing of personal data and would like to use the de facto anonymized data together with the controller to provide a service.

In this constellation, the joint controllers must define the respective data protection roles and responsibilities in an agreement in accordance with Article 26 GDPR.

7.2.3 (Separate) controllers

The third party can also act as a (separate) controller. This is conceivable in cases in which the third party (further) processes the data in other ways and without the possibility of influencing or other joint planning by the original controller. In view of the broad understanding of the courts and supervisory authorities regarding joint control within the meaning of Article 26 GDPR, such a constellation should only be possible in exceptional cases. In that case, namely, it must be ensured that the original and the new controller do not jointly decide on the purposes and means of data processing.

7.3 Special features of de-identification within the group/a group of companies

There is no “company group privilege” in the GDPR, which is why the above statements also apply to affiliated companies within the meaning of Section 15 of the German Stock Corporation Act (AktG). However, one particularity can result from the parent company’s right to issue instructions within the group. Admittedly, the right to issue instructions can be a measure to ensure anonymization, for example if the group code of conduct qualifies re-identification attempts of otherwise anonymized data as a business ethics incident group-wide with potentially drastic consequences. However, this alone is not enough for de facto anonymization. For example, if a subsidiary de-identifies the personal data of one or more group companies, the parent company frequently has the option of obtaining the original data set from its subsidiaries within the scope of its rights of instruction from a corporate law perspective (even if illegal instructions generally do not have to be complied with). In its decision on the classification of dynamic IP addresses, which was still handed down under the Data Protection Directive, the CJEU33 still saw these as personal data, provided that the processor (in this case a website operator) has the legal possibility to decrypt the personal reference. This is comparable with the situation in corporate groups, especially where there are shared IT systems. Accompanying the technical implementation, sufficient data governance measures should therefore ensure (if applicable also with the help of company law means) that the use or processing of data that does not meet the data protection requirements is not possible, even within the same organizational unit.

8. Legality of de-identification measures

The GDPR does not regulate whether de facto anonymization requires its own justification or whether it triggers further obligations under the GDPR. The BDI is of the opinion that de facto anonymization is privileged overall in the GDPR and therefore does not require a separate legal basis.34 However, if one follows the opinion of the BfDI35 and understands anonymization as processing within the meaning of Article 4 no. 2 GDPR, the GDPR is also to be applied in full to this processing. Against this background, this guide – as an aid – also deals with the requirements for de facto anonymization from a data protection point of view, in particular with regard to possible bases of justification under the GDPR (see 3.2).

- Insofar as personal data are collected on the basis of consent, information about the de-identification measures must be provided with sufficient transparency in accordance with the transparency requirement in order to justify the de facto anonymization.

  If the transparency requirement is not met, the data subjects can be asked for further consent. Obtaining additional consent only for the purpose of de facto anonymization is hardly feasible in practice, unless the anonymization process was already covered by the original consent. The data subject will generally not have any interest in giving their consent again, and the practical implementation of the consent to be obtained would involve a high level of organizational and personnel effort. There are good reasons to argue that the implementation of de-identification measures can also be based on the other justification grounds, provided that the data subjects are informed of this.36

- If personal data is also first collected for the purpose of de facto anonymization and the collection and processing is not based on consent, the application of one of the justification grounds from letters b) to f) of Article 6 (1) GDPR is required. It should be noted that de-identification measures that result in de facto anonymization regularly do not affect the rights and freedoms of data subjects or only affect them insignificantly, so that these will only outweigh the interests of the controller if other reasons or other processing occurs.37 However, this does not mean that personal data may be collected from all available sources without limitation, provided that the sole purpose is anonymization (see 8.2).

- If personal data is anonymized as a security measure (cf. Article 32 GDPR) or due to a request for erasure (cf. Article 17 GDPR), this is regularly done on the basis of a legal obligation to which the controller is subject and is justified in accordance with letter c) of Article 6 (1) GDPR.

- If personal data already collected for another purpose are to be de facto anonymized retroactively (and the initial collection was not based on the consent of the data subjects or on a legal provision of the Union or the member states within the meaning of Article 23 GDPR), the admissibility is governed by Article 6 (4) GDPR (see section 8.1 below for more details).

- In the case of the de facto anonymization of special categories of personal data which are specially protected by law in accordance with Article 9 GDPR, the requirements of Article 9 (2) GDPR must also be met,38 where the anonymization process of special categories of personal data can in principle also be justified by Article 6 (4) GDPR (see point 8.1).

34 BDI e.V., opinion on the BfDI consultation procedure “Anonymization of personal data” dated 23 March 2020, available at: https://www.bfdi.bund.de/DE/Infothek/Transparenz/Konsultationsverfahren/01_Konsulation-Anonymisierung-TK/Stellungnahmen/BDI.pdf?_blob=publicationFile&v=1.

35 The Federal Commissioner for Data Protection and Freedom of Information, position paper on anonymization under the GDPR with special consideration of the telecommunications industry, valid as of: 29 June 2020, page 5.

36 It is sometimes argued that consent with regard to the same processing activity has a kind of “blocking effect” that makes it inadmissible to rely on a different legal basis. Actually though, anonymization represents an additional processing activity, for which a possible blocking effect based on consent granted does not apply. Since Article 6 (4) GDPR, which regulates the admissibility of the change of purpose, does not apply in these cases (“the processing for a purpose other than that for which the personal data have been collected is not based on the data subject’s consent […]”), the admissibility in this case is governed by letters b) to f) of Article 6 (1) GDPR or, in the case of special categories of personal data, by Article 9 (2) GDPR.

37 In particular, innovations that arise through the use of data are also in the interest of the general public and therefore also in the interest of the persons affected by the de facto anonymization. In this respect, it could be argued that natural persons do not directly participate in the [benefit] of the evaluation of the data generated by their behavior that cannot be further attributed to them following the complete de-identification in the sense of a de facto anonymization. However, the previous data subjects do not bear the costs of the innovations, either, and will ultimately benefit directly and indirectly from new technologies that arise from the analysis of de facto anonymized data: as possible users of these new technologies and indirectly through a sustainable and successful German and European data economy.

8.1 Admissibility of de-identification measures in the event of a “change of purpose”

As a rule, personal data should be de-identified that were collected for a purpose other than de facto anonymization. Article 6 (4) GDPR regulates the requirements for a change of purpose. What is critical is that the original collection and processing of the personal data was lawful and that the purpose of the first processing and the second processing are compatible. For this test, Article 6 (4) GDPR contains a non-exhaustive list of criteria for assessing the compatibility of the purpose of collection and further processing. These criteria also include “the existence of appropriate safeguards, which may include encryption or pseudonymization.” The purpose of de-identification measures to achieve de facto anonymization will usually be that personal data can be analyzed after the de facto anonymization without affecting the rights of the data subjects. The consequences of the de facto anonymization are therefore that subsequent further use of the data is “neutral” for the previous data subjects, since the personal reference has been de facto removed. Hence, de-identification measures that specifically serve to create a safeguard in accordance with letter e) of Article 6 (4) GDPR regularly constitute a permissible change in purpose.

According to its wording, Article 6 (4) GDPR does not require that, in addition to the original initial collection, a legal basis pursuant to sentence 1 of Article 6 (1) GDPR must exist for “further processing.” According to the likely prevailing opinion,39 this is not actually called for in the case of a change of purpose in addition to the requirements of Article 6 (4) GDPR. Rather, the further processing in the event of a permissible change in purpose is legitimized by the permission criterion on which the original data processing was based. Recital 50 of the GDPR in particular speaks in favor of this, because according to this “no legal basis separate from that which allowed the collection of the personal data is required.” If one were to also consider a legal basis for the processing of personal data for the changed purpose to be necessary in addition to the requirements of Article 6 (4) GDPR for each change of purpose, the regulation of Article 6 (4) GDPR and the strict separation made therein between (i) further processing for incompatible purposes on the basis of other legal bases and (ii) further processing for compatible purposes would not have been needed, because processing for a purpose other than the original purpose could in any case always be based on a standard of permission under Article 6 (1) GDPR.

A change of purpose according to Article 6 (4) GDPR is also possible for special categories of personal data. In the compatibility check under letter c) of Article 6 (4) GDPR,40 the need for protection of the data category concerned, in particular whether special categories of personal data in accordance with Article 9 GDPR are affected, must also be taken into account. Conversely, it follows that special categories of personal data may also be processed for other purposes in the context of a change in purpose. However, this requires a particularly careful examination of the connection with the original purpose and the reasonable expectations of the data subject as well as the necessary safeguards. This check should regularly be in the interest of the controller, since the anonymization of special categories of personal data is particularly useful for the protection and interests of the data subject.

38 Voices in the literature partly discuss the possibility of a teleological reduction of the prohibition in Article 9 (1) GDPR, so that only the barriers of letter e) and letter f) of Article 6 (1) GDPR apply for anonymization of special categories of personal data (cf. Hornung/Wagner in ZD 2020, 223), although this approach has not yet been confirmed by either courts or supervisory authorities.

39 Cf., for example, the Federal Commissioner for Data Protection and Freedom of Information, position paper on anonymization under the GDPR with special consideration of the telecommunications industry, valid as of: 29 June 2020, page 6 et seq.; Article 29 Working Party, WP 216: Opinion 5/2014 on Anonymization Techniques, page 8; Ziegenhorn/von Heckel, NVwZ 2016, 1585 (1589); Taeger, in: Taeger/Gabel, GDPR/BDSG, 3rd Ed. 2019, Article 6 margin no. 145 et seq.; Schulz, in: Gola, GDPR, 2nd Ed. 2018, Article 6 margin no. 210; Rossnagel, in: Simitis/Hornung/Spiecker gen. Döhmann, Data Protection Law – GDPR with BDSG, 2019, Article 6 (4) margin no. 11; Monreal, ZD 2016, 507 (510); Kühling/Martini, EuZW 2016, 448 (451); Culik/Döpke, ZD 2017, 226 (330).

40 Cf. Heberlein, in: Ehmann/Selmayr/Heberlein, GDPR, 2nd Ed. 2018, Article 6 margin no. 58.

8.2 Obligations to review the legality of the (initial) collections

Where personal data is not collected directly from the data subjects for the purpose of de facto anonymization, the controller cannot argue, even if per se no conflicting interests of the data subjects are apparent with regard to de facto anonymization (see Chapter 8), that personal data can be collected “freely” from all possible sources.

On the one hand, the principle of transparency must be maintained and, even in the case of indirect data collection, the data subjects must be informed in accordance with Article 14 GDPR (see 9.1). On the other hand, the data source must also be taken into account when evaluating the admissibility of de-identification measures. If, for example, data is collected by so-called web crawlers (a computer program that automatically searches the World Wide Web and analyzes websites) in violation of the terms of use or statutory provisions, or if it is marketed by address dealers in a manner contrary to data protection legislation, the unlawful origin or collection cannot be “cured” by retroactive de facto anonymization. If the controller seeks to rely on legitimate interests in accordance with letter f) of Article 6 (1) GDPR, the aspects of data collection for the benefit of the data subjects are to be included in the balancing of interests, and will regularly lead to a predominance of the interests of the data subjects, so that their data may no longer be stored and also may not be de-identified.

If data is not collected independently, but acquired, for example, as part of a company acquisition, the buyer becomes the new controller. If the buyer becomes aware that the personal data has been collected unlawfully, it is not allowed to process the data and it will usually have to erase it. However, if the buyer has no reason to assume that personal data was originally collected illegally, a de facto anonymization of the data and subsequent use of the de facto anonymized data is generally possible under the conditions set out in this guide.

Example:

Personal data is transferred as an asset or with an acquired company share in the context of a corporate acquisition and there is no evidence for the buyer that the collection of the data was inadmissible. It will have to be demanded of the acquirer to conduct due diligence to verify whether data has been lawfully collected. Evidence of original legality should be documented. If the legality of the initial collection cannot be clearly documented, the buyer should at least take all other reasonable steps to check the legality. For example, the buyer can have the seller warrant the legality of the collection.

[Figure: share deal (purchaser acquires the company / company share) versus asset deal (purchaser acquires the data set containing personal data)]

9. Further data protection requirements with regard to de facto anonymization

If it is assumed that the application of de-identification measures constitutes data processing (see 3.2), the additional data protection requirements described below must be observed in particular (this also applies to special categories of personal data).

9.1 Information obligations according to Article 13, 14 GDPR

In accordance with Article 13 or 14 GDPR, the data subjects must be informed about the collection of personal data and the implementation of de-identification measures for de facto anonymization. The information in accordance with Article 13 (1) and (2) GDPR (if data was collected directly from the data subject) must be provided at the time the data is collected, the information in accordance with Article 14 (1) and (2) GDPR (if data was collected from third parties) on the other hand within a reasonable period of time after the personal data have been obtained.

If it is already clear at the time of the initial collection that the personal data should also be anonymized, the information must likely at least include anonymization as the processing purpose, the data (categories) concerned and, if applicable, the functionality of the de-identification as well as other circumstances relating to the de facto anonymization.

If it is decided at a later point in time that the personal data already legally collected should be anonymized (cf. H.I.), the data subject must, in principle, be informed about this change in purpose in accordance with Article 13 (3), 14 (4) GDPR. At least in the case of the indirect collection of personal data, such information should regularly prove impossible or lead to disproportionate efforts in accordance with letter b) of Article 14 (5) GDPR; whether this is the case, however, must be checked and documented in detail. In the case of directly collected data, however, neither the GDPR nor the BDSG expressly provide for such a relief.

From an evaluative standpoint, it could be argued that information is not required, at least in the case of retroactive de facto anonymization, since the rights and freedoms of the data subjects are not usually interfered with and therefore information does not have to be provided to maintain transparency. This is not provided by any of the statutory exceptions, and thus far there are no corresponding published official opinions. In any case, though, it is in line with interests not to make any disproportionate demands on the provision of information. Generic information about the fact that data is de facto anonymized, for example on the website of the controller, could be sufficient in individual cases, for example.

This should also apply, for example, to cases in which the data collected is only available to the controller in pseudonymized form and an identification of the data subject – potentially not possible or only possible with additional risks for the data subject – would have to be done solely for the purpose of notification. If the initial collection of personal data was based on consent, no information about a possible de facto anonymization was provided in the context of this consent and the personal data should then be de facto anonymized on the basis of another justification (e.g. letter f) of Article 6 (1) GDPR), the information must regularly be subjected to higher requirements so that the principle of transparency is adequately maintained. The data subjects can rely on the fact that their data will not be processed for purposes other than those communicated to them and that the controller will not “tacitly” change the legal basis.41

41 Cf. the Article 29 Working Party guidelines on consent under Regulation (EU) 2016/679, WP259 rev. 01, endorsed by the European Data Protection Board, page 27 (there in the event of a revocation of consent).

9.2 Documentation

The process of de-identifying personal data leading to de facto anonymization should be documented for each use case. The GDPR itself does not contain an explicit obligation to provide documentation, but Article 5 GDPR in conjunction with Recitals 74 and 78 suggests that the controller must be able to provide evidence of which technical and organizational measures have been taken.42

In particular, the documentation should be able to provide answers to the following questions:

- Which categories of personal data are subject to de-identification;

- On what legal basis is the “initial” collection of personal data carried out and how were the data subjects informed;

- What is the specific purpose for which the personal data are de facto anonymized, on what legal basis does this take place and what “robustness” of the data is required in order to be able to use de facto anonymized data for the intended purpose;

- Which de-identification techniques are used and to what extent do these correspond to the current state of the art;

- In what form has it been and is it continuously checked that the selected techniques lead to effective de facto anonymization.

42 Cf. Kompetenzzentrum für Öffentliche IT, Anonymisierung: Schutzziele und Techniken, page 20.

9.3 Data protection impact assessment

To date, the data protection authorities have only occasionally commented on the obligation to carry out a data protection impact assessment for anonymization. Whether a data protection impact assessment must be performed is generally based on the degree of probability of a high risk that the respective processing is likely to represent for natural persons. If such a high risk is likely to occur, a data protection impact assessment must be carried out. In principle, this cannot be the case with the de-identification measures presented in this guide, provided that they concern “non-special” categories of personal data. However, some data protection authorities have resorted to the practice of drawing up a so-called “blacklist” (i.e., a list of required data protection impact assessments). In Germany, individual data protection authorities consider a data protection impact assessment to be necessary in the case of anonymization if special categories of personal data within the meaning of Article 9 (1) GDPR are anonymized for the purpose of disclosure to third parties.43

43 Cf. https://www.lda.bayern.de/media/dsfa_muss_liste_dsk_de.pdf.
