Tag Archives: anonymization

The Data Subject, Titulaire of the Right to Data Protection: The Case of Anonymization and Pseudonymization

Abstract:      

“The data subject” is the “titulaire” (fr.) of the subjective right to the protection of personal data, being identified as such by the transposition law into the Romanian legal system of the Data Protection Directive (Directive 95/46). This study aims to analyze the conditions under which the person can enjoy the system of protection of her personal data. Hence, it will tackle the problem of the “quality” of the data subject – can the data subject ever be a legal person, or must it always be a natural person? It will also analyze the concepts of anonymization and pseudonymization, having regard to both the national and European legal provisions, as well as to the EU data protection reform package. The conclusions will show, on the one hand, that the legal person can have its private data protected under exceptionally situations and only in certain fields, and on the other hand that pseudonymization has the potential to meet both the need of protection of the individual in the digital era and the interests of the data controllers. In order for this to happen, pseudonymization must be rationally regulated in the future European data protection law, which is currently under debate.

 

Note: Downloadable document is in Romanian.

Full Text Paper: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2345701

Going back to basics

Being in the process of writing my thesis, I have realized how important it is to stop from searching through the whirling flux of current information and new developments in the area of privacy and information technology, or more generally “law and technology”, and look back at the beginning of this craziness.

One might find answers for questions she didn’t even know she needed to answer. Or, at least, she might find some reassurance that the legal thought in this field is capable of steadiness and coherence.

This is why I decided to share with you the principles enshrined in the first “internationalization” effort of personal data protection that I know of, RESOLUTION (73) 22 ON THE PROTECTION OF THE PRIVACY OF INDIVIDUALS VIS-A-VIS ELECTRONIC DATA BANKS IN THE PRIVATE SECTOR (Adopted by the Committee of Ministers of the Council of Europe on 26 September 1973).

1.

The information stored should be accurate and should be kept up to date. In general, information relating to the intimate private life of persons or information which might lead to unfair discrimination should not be recorded or, if recorded, should not be disseminated.

2.

The information should be appropriate and relevant with regard to the purpose for which it has been stored.

3.

The information should not be obtained by fraudulent or unfair means.

4.

Rules should be laid down to specify the periods beyond which certain categories of information should no longer be kept or used.

5.

Without appropriate authorisation, information should not be used for purposes other than those for which it has been stored, nor communicated to third parties.

6.

As a general rule, the person concerned should have the right to know the information stored about him, the purpose for which it has been recorded, and particulars of each release of this information.

7.

Every care should be taken to correct inaccurate information and to erase obsolete information or information obtained in an unlawful way.

8.

Precautions should be taken against any abuse or misuse of information. Electronic data banks should be equipped with security systems which bar access to the data held by them to persons not entitled to obtain such information, and which provide for the detection of misdirections of information, whether intentional or not.

9.

Access to the information stored should be confined to persons who have a valid reason to know it. The operating staff of electronic data banks should be bound by rules of conduct aimed at preventing the misuse of data and, in particular, by rules of professional secrecy.

10.

Statistical data should be released only in aggregate form and in such a way that it is impossible to link the information to a particular person.

The original text of the Resolution can be found here.

We encounter access rights, purpose limitation, erasure of obsolete data and even the idea of anonymization. In 1973.

I got my ounce of inspiration from wondering how the essence of these principles are still relevant so many decades after they were published. And I hope you will also find yours.