Along with the concept of personal data, as opposed to anonymous data, the Regulation introduces a third category, that of pseudonymous data. Pseudonymous data is information that no longer allows the identification of an individual without additional information and is kept separate from it. Pseudonymisation, while granting higher data security, also enhances data utility. In exchange for the lower level of privacy intrusion, and in order to encourage data controllers to resort to pseudoanonymisation, certain requirements are less stringent.
As a result, the complexities surrounding the concept of personal data are likely to increase given the three possible categories of information:
- The framework set forth by the Regulation applies to personal data, defined as any information relating to a natural person who can be identified, directly or indirectly, by reference to an identifier. The Regulation expressly considers as identifiers a name, an identification number, location data, online identifier or other factors related with the physical, physiological, genetic, mental, economic, cultural or social identity of a person. In this respect, the Regulation is crystal clear about the fact that technology based identifiers such as MAC addresses qualify as personal data.
- Anonymous data, which is information not related to an identified or identifiable natural person, or data that does not allow identification of an individual, is therefore excluded from the scope of the Regulation.
- In between personal and anonymous data there is a third category, so-called pseudonymous data. Pseudonymous data does not directly disclose a data subject’s identity, but it may still identify an individual by way of association with additional information. Under the Regulation, pseudonymous data is still regarded as personal information and therefore subject to data protection guarantees.
Crucially, the Regulation creates incentives for controllers applying pseudonymisation, as the regime affecting pseudonymous data is less stringent. For example, pseudonymisation is a measure for processing personal data for scientific, historical and statistical purposes. In addition, data controllers might be facilitated to process pseudonymous data beyond their original collection purposes. Accordingly, in the context of the privacy by design, pseudonymisation will play a great role, representing a good practice that should be implemented, together with other guarantees, in order to ensure safe data processing.
New types of regulated data
The Regulation introduces a number of new definitions of special categories of data.
Genetic data is defined as personal data relating to the genetic characteristics of an individual that have been inherited or acquired, which give unique information about the physiology or the health of that individual, resulting in particular from an analysis of a biological sample from the individual in question. Biometric data is defined as personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of an individual which allows or confirms the unique identification of that individual, such as facial images, or dactyloscopic data. Both these new categories of data are included among the special categories of data, but only where they are being processed in order to uniquely identify a person.
The Regulation also contains a definition of “data concerning health”: personal data related to the physical or mental health of an individual, including the provision of health care services, which reveal information about his or her health status. Member States are given the right to introduce further conditions, including limitations, relating to processing in relation to all three of these categories of special data.
There are new grounds for processing special categories of data that facilitate the processing of health data for scientific (i.e. research) purposes. Health data may also be processed for public interest reasons in the area of public health, such as protecting against serious cross-border threats or ensuring high standards of quality and safety of health care on the basis of Union law or Member State law which provide for suitable protections, in particular professional secrecy. There is also a new ground of processing where necessary for the purposes of preventive or occupational medicine, and for the assessment of the working capacity of the employee which will be useful for employers.
In some of the drafts of the Regulation data protection impact assessments were mandatory for certain processing of special categories of data. These are no longer expressly mentioned. Instead the requirement for a data protection impact assessment is linked to processing “likely to result in a high risk for the rights and freedoms of individuals”. DPAs may publish a list of the kind of processing operations which fall within this requirements, and it is likely that at least some processing of health data will require privacy impact assessments.
Likely practical impact
A key takeaway from this myriad of concepts is that those using pseudonymous data in the context of their activities (e.g. for R&D purposes, or in the health sector for clinical studies) will have to assess the anonymisation and pseudonymisation techniques being used, in order to establish whether the processed data is subject to data protection principles or not.
However in general terms and looking at the glass half full, we are heading for greater flexibility for organisations involved in the processing of personal data for scientific research and public health purposes, as long as certain privacy enhancing measures are in place.
What will happen next?
At the moment the standards according to which data is considered as anonymous or pseudonymous are established by the DPAs at a national level. Once the Regulation comes into force, the requirements and the applicable regime will become more uniform and this will provide greater legal certainty.
What to do now?
- Assess the different types of information handled by the organisation in line with the new categories in the Regulation.
- Determine whether it will be possible to benefit from the greater flexibility afforded to pseudonymous data.
- Plan and develop processes for carrying out data protection impact assessments (for example for profiling or use of biometric data).
This entry is an excerpt from Hogan Lovells’ “Future-proofing privacy: A guide to preparing for the EU Data Protection Regulation.” To access the full guide, click here.