Date
September 9, 2021
 
Written by
Gary LaFever
After Schrems II and the Amazon Fine: Overcome GDPR Compliance Challenges and Achieve Innovation Breakthroughs with GDPR Pseudonymisation LinkedIn Logo

After Schrems II and the Amazon Fine: Overcome GDPR Compliance Challenges and Achieve Innovation Breakthroughs with GDPR Pseudonymisation

In a recent article, Processing Identifying Data is Unlawful in Many Situations, compelling arguments have been presented for why GDPR Pseudonymisation is the state-of-the-art solution for GDPR-compliant processing of data that is exposed to:

  • Cloud Risk because processing is not restricted to the EU and personal data is processed in the clear in US cloud; and
  • Lawful Processing Risk because processing cannot be justified based on:
  • Consent (valid consent requires a specific description of each separate future processing activity and their corresponding purposes at the time of data collection, which is impossible for most analytics, AI or ML); or
  • Contract (which is strictly construed to require desired processing to be essential – and not just ancillary – to the purpose of the contract, being useful for the purpose is not sufficient).

Schrems II is inevitably a turning point for organisations to make material changes to handling international data transfers.

Organisations cannot expect to conduct data transfers as they did before the ruling clarified the "Cloud Risk" inherent in processing EU personal data in the clear using US cloud services, regardless of the location of services.[1] Furthermore, the Amazon fine highlights that organisations are exposed to "Lawful Processing Risk" when processing for data analytics, AI and ML operations cannot be justified based on 'consent' and 'contract' legal bases, regardless of the nationality of the controller or processor.

Pseudonymisation technology recommended by the GDPR and affirmed by the European Data Protection Board and the European Commission[2] helps to overcome both of these challenges. Schrems II and the Amazon fine have overarching effects beyond clarifying restrictions on the processing of EU personal data. GDPR Pseudonymisation enables organisations to conduct international data transfers according to Schrems II requirements and to lawfully process EU data by:

  • Technologically ensuring data protection by limiting re-identification risk;
  • Satisfying the legitimate interests test by minimising risks to data subjects and enabling lawful processing of personal data;
  • Expanding opportunities for lawful use, sharing and combining data; and
  • Improving the accuracy of analytics, AI and ML.

Furthermore, properly implemented GDPR Pseudonymisation also:

  • Enforces embedded distributed trust controls that travel with the data to dynamically reduce the risk of re-identification while enabling more expansive data use, sharing, and combining.
  • Replaces indirect identifiers and attribute information that can lead to unauthorised re-identification with dynamically assigned replacement pseudonyms that are not re-linkable, thereby introducing maximum "entropy" (uncertainty) within and between data sets to reduce the risk of r-identification.
  • Does not limit the scope of processing or degrade the accuracy/relevancy of data as required by other de-identification techniques to manage re-identification risk.

The benefits of GDPR Pseudonymisation extend beyond overcoming Cloud Risk and Lawful Processing Risk when using EU personal data. They provide structure for enhanced global data innovation and value creation by using GDPR Pseudonymisation.

For example, GDPR Pseudonymisation helps to:

  • Transform global economies by leveraging Fourth Industrial Revolution (4IR) technology to reimagine consent and permission mechanisms differently.[3]
  • De-identify Protected Health Information (PHI) in compliance with California Consumer Privacy Act (CCPA) requirements, which are more stringent than requirements under the US Health Insurance Portability and Accountability Act (HIPAA).[4]
  • Avoid disruptions to data flows under US state privacy laws (e.g., California, Colorado, and Virginia) requiring the deletion of identifying data from both an organisation's systems as well as all third parties to whom data was shared, in response to "do not sell my data requests." [5]

GDPR Pseudonymisation-enabled Anonos Variant Twins enable the global sharing and processing of controllably re-linkable, non-identifying personalised data to help unlock data's commercial and societal value.

Technology Comparison for Maximum Data Value at Scale

Gartner Group recognises Anonos as a Gartner Cool Vendor because patented "Variant Twins" create controllably re-linkable yet non-identifiable data sets from personalised data. This enables compliant data processing with no degradation in accuracy or speed of processing compared to identifying cleartext data.

>>If you have any questions, please contact me via LinkedIn.

-------------------

[1] See https://www.linkedin.com/pulse/identifying-data-maybe-unlawful-gdpr-pseudonymisation-magali-feys/; see also https://emtemp.gcom.cloud/ngw/eventassets/en/conferences/hub/cloud/documents/move_from_cloud_first_to_clo_467017.pdf Many cloud-native Software-as-a-Service (SaaS) offerings and cloud-first strategies violate Schrems II prohibitions on processing identifying EU personal data in US-operated clouds, regardless of the location of the servers, due to surveillance concerns. However, GDPR Pseudonymisation can enable Schrems II compliance if an organisation can establish as its default the processing of Pseudonymised data whenever, wherever, and as often as possible (as required by GDPR Articles 25 and 32) so that non-Pseudonymised (i.e., identifying) data is processed only when necessary (helping to satisfy GDPR Articles 5(1)(b) Purpose Limitation and 5(1)(c) Data Minimisation), provided that: (a) there is a legal basis to do so under Article 6 (e.g., based on Article 6(1)(a) consent, 6(1)(b) contract, 6(1)(f) legitimate interests, or 9(2)(j) scientific research by leveraging Pseudonymisation-enabled technical and organisational measures to satisfy the "balancing of interests" test); and (b) the processing satisfies derogation requirements (e.g., Article 49(1)(a) based on consent, Articles 49(1)(b) or (c) based on contract), which were expanded to enable repetitive use for specific situations in the final EDPB Schrems II Guidance at https://edpb.europa.eu/system/files/2021-06/edpb_recommendations_202001vo.2.0_supplementarymeasurestransferstools_en.pdf

[2] Id.

[3] See https://www.weforum.org/agenda/2021/08/data-marketplaces-can-transform-economies/ and https://www.linkedin.com/pulse/european-parliament-highlights-need-more-effective-data-gary-lafever/

[4] See https://www.lowenstein.com/news-insights/publications/client-alerts/as-of-january-1-the-california-consumer-privacy-act-regulates-de-identified-patient-information-prompt-action-required-privacy

[5] See https://www.zdnet.com/article/colorado-becomes-latest-state-to-pass-data-privacy-law/

This article originally appeared in LinkedIn. All trademarks are the property of their respective owners. All rights reserved by the respective owners.

CLICK TO VIEW CURRENT NEWS