Is it Personal Data? Solving the Gordian Knot of Anonymisation
My Session Status
Recently, the ruling of the CJEU in the SRB vs EDPS case challenged the stance adopted by data protection authorities concerning the distinction between pseudonymisation and anonymisation. Data protection watchdogs consider that pseudonymized data are always personal data. The dictum of the court in the SRB vs EDPS case is that pseudonymised data can be considered as anonymised and thus non-personal data depending on the re-identification capability of the data holder. This creates legal uncertainties as the legal qualification of data that have been subject to data protection techniques. In this paper, the authors question the extent of the definition of personal data and how it applies to data protection techniques such as pseudonymisation and anonymisation. Eventually, they emphasise that this issue is challenging with regard to the protection of data within the EU borders and beyond.