Pseudonymous Identifiers and the DP Regulation

Statewatch have published what appears to be a document from the Council of (European) Ministers containing comments on the proposed Data Protection Regulation. It’s interesting to see that there seems at last to be a recognition that the current legal treatment of indirectly linked identifiers is unsatisfactory. At the moment European law has been interpreted as saying that identifiers such as IP addresses are either personal data or not, and once their status is set it can never be changed, no matter who holds them. A comment attributed to the President of the Council highlights why this isn’t right:

To the original data controller, identification will most likely never be disproportionate, but this may be the case for third parties that e.g. only see an id number or some other “abstract identifier”, which they cannot use to identify the data subject

In other words, it may well be reasonable to impose all the duties of data protection law on parties (such as the ISP that assigns the IP address to a user) that know the link between the identifier and individual, but not on other parties who have only the identifier and no way to make the link. There are even promising suggestions that such identifiers should be distinguished by having a different name – “pseudonymous identifiers”. This would both create an incentive to use these privacy-protecting identifiers, and make systems that use them (for example federated access management) a lot easier to use.

However, there doesn’t seem to be any agreement on the right way to treat pseudonymous identifiers. The original draft Regulation says (without giving any clue why or when) that “identification numbers, location data, online identifiers or other specific factors as such need not necessarily be considered as personal data in all circumstances”. The Council’s views seem to diverge widely, with some proposing to revert to the current position and others suggesting tests based on how much effort would be involved in making the link or whether the link is actually made (current UK law considers the likelihood of linking). My own preference, which would depend on the risk of harm (i.e. how likely is it that the link will be made and how much would that damage privacy), doesn’t seem to have been suggested. But at least the problem seems to have been recognised and discussion of solutions started.

By Andrew Cormack

I'm Chief Regulatory Advisor at Jisc, responsible for keeping an eye out for places where our ideas, services and products might raise regulatory issues. My aim is to fix either the product or service, or the regulation, before there's a painful bump!

