In the draft report published yesterday on the proposed data protection regulation, the rapporteur, Jan Albrecht, proposes that a new definition to anonymous data be introduced in Recital 23 of the preamble.
He proposes this text to be added to the original wording of the recital:
“This Regulation should not apply to anonymous data, meaning any data that can not be related, directly or indirectly, alone or in combination with associated data, to a natural person or where establishing such a relation would require a disproportionate amount of time, expense, and effort, taking into account the state of the art in technology at the time of the processing and the possibilities for development during the period for which the data will be processed.”
The original text merely states that “The principles of protection should apply to any information concerning an identified or identifiable person. To determine whether a person is identifiable, account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the individual. The principles of data protection should not apply to data rendered anonymous in such a way that the data subject is no longer identifiable.”
As a justification for the introduction of this definition, Albrecht writes in the report that “the concept of personal data is further clarified with objective criteria for anonymous data, based on Council of Europe Recommendation 2006(4)”.
The proposed definition excludes from the category of anonymized data information that can be easily de-anonymized, taking into account the “state of the art in technology” at the time of the processing.