The Re-Identification of Anonymous Data and the Processing of Personal Data for Further Purposes: Challenges to Privacy (La Re-Identificazione Dei Dati Anonimi E Il Trattamento Dei Dati Personali Per Ulteriore Finalità: Sfide Alla Privacy) (in Italian)
Mario Viola de Azevedo Cunha – European University Institute Law Department
Danilo Doneda – affiliation not provided to SSRN
Norberto Nuno Gomes de Andrade – European University Institute – Law Department
Ciberspazio e diritto, Vol. 11, No. 4, pp. 641-655, 2010
Abstract:
This article examines two important trends within the field of data protection: the re-identification of anonymous data and the processing of personal data for further purposes than the original ones defined at the moment of collection. Despite configuring two important challenges to privacy, both of these aspects have not received the deserved attention from the specialized legal doctrine, remaining in a “juridical limbo” that could lead to serious legal problems for the protection of privacy.
This article, at a more concrete level, focuses on recent developments observed in the field of data protection that have drawn the attention to the taxonomy of some of its fundamental concepts. Such developments, in effect, seem to put into question the tendency to simply define anonymous or statistical data as the exact opposite of personal data and, therefore, to exempt them from the data protection regulatory framework.
The more extensive and detailed collection of personal data resulting from data mining processes, together with the increasing possibilities of de-anonymization of data, have not only broaden the range of purposes of data processing, they have also changed the approach to the concept of anonymous or statistical data.
Consequently, the article calls the attention to the need to establish new criteria to guide the processing of data, be they anonymous or not, for purposes going beyond the originally defined ones. In this respect, the article underlines that the binary separation between personal and anonymous data seems to be at odds with the need to reconsider the concept of anonymous data and to acknowledge its different normative profiles.
In this sense, the paper purports to identify the most frequent “further processing purposes” of personal data within the private sector, as well as to identify the criteria used by the European data protection authorities to determine whether these further purposes may be deemed as legitimate ones. Furthermore, the article also develops a distinction between personal and anonymous data (including data for statistical purposes), clarifying when the data should (really) be considered anonymous and, therefore, could not be subject to data protection legislation.