Customize Consent Preferences

We use cookies to help you navigate efficiently and perform certain functions. You will find detailed information about all cookies under each consent category below.

The cookies that are categorized as "Necessary" are stored on your browser as they are essential for enabling the basic functionalities of the site. ... 

Always Active

Necessary cookies are required to enable the basic features of this site, such as providing secure log-in or adjusting your consent preferences. These cookies do not store any personally identifiable data.

No cookies to display.

Functional cookies help perform certain functionalities like sharing the content of the website on social media platforms, collecting feedback, and other third-party features.

No cookies to display.

Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics such as the number of visitors, bounce rate, traffic source, etc.

No cookies to display.

Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.

No cookies to display.

Advertisement cookies are used to provide visitors with customized advertisements based on the pages you visited previously and to analyze the effectiveness of the ad campaigns.

No cookies to display.

Categories
Articles

Pseudonymous Identifiers and the DP Regulation

Statewatch have published what appears to be a document from the Council of (European) Ministers containing comments on the proposed Data Protection Regulation. It’s interesting to see that there seems at last to be a recognition that the current legal treatment of indirectly linked identifiers is unsatisfactory. At the moment European law has been interpreted as saying that identifiers such as IP addresses are either personal data or not, and once their status is set it can never changed no matter who holds them. A comment attributed to the President of the Council highlights why this isn’t right:

To the original data controller, identification will most likely never be disproportionate, but this may be the case for third parties that e.g. only see an id number or some other “abstract identifier”, which they cannot use to identify the data subject

In other words it may well be reasonable to impose all the duties of data protection law on parties (such as the ISP that assigns the IP address to a user) that know the link between the identifier and individual, but not on other parties who have only the identifier and no way to make the link. There are even promising suggestions that such identifiers should be distinguished by having a different name – “pseudonymous identifiers”. This would both create an incentive to use these privacy protecting identifiers, and make systems that use them (for example federated access management) a lot easier to use.

However there doesn’t seem to be any agreement on the right way to treat pseudonymous identifiers. The original draft Regulation says (without giving any clue why or when) that “identification numbers, location data, online identifiers or other specific factors as such need not necessarily be considered as personal data in all circumstances”. The Council’s views seem to diverge widely, with some proposing to revert to the current position and others suggesting tests involving how much effort would be involved in making the link or whether the link is actually made (current UK law considers the likelihood of linking). My own preference, which would depend on the risk of harm (i.e. how likely is it that the link will be made and how much would that damage privacy) doesn’t seem to have been suggested. But at least the problem seems to have been recognised and discussion of solutions started.

By Andrew Cormack

I'm Chief Regulatory Advisor at Jisc, responsible for keeping an eye out for places where our ideas, services and products might raise regulatory issues. My aim is to fix either the product or service, or the regulation, before there's a painful bump!

Leave a Reply

Your email address will not be published. Required fields are marked *