Definition of Anonymous

The following discusses in detail what anonymous actually means.

Anonymous data is defined in sentence 5 of Recital 26 GDPR.

“The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable.”

Anonymous data is thus the opposite of personal data: Data is anonymous if it is not or no longer personal.

anonymous data <=> not personal data

Recital 26 GDPR helps determine whether data is personal (and consequently also when it is anonymous). In particular, sentence 3 of the Recital is relevant here:

“To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly.”

It contains two significant elements:

(i) The controller or any other person can identify the data subject, and

(ii) account should be taken of all the means reasonably likely to be used.

What is meant by “means reasonably likely to be used” is further explained in sentence 4:

“To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments.” [1]

Sentence 4 of Recital 26 GDPR also adds a temporal criterion: “[…] taking into consideration the available technology at the time of the processing and technological developments.” In other words, for data to be anonymous, it is not sufficient that it doesn’t allow the identification of data subjects at the time of processing; this must also hold in the future. Hence, means reasonably likely to be used in the future must be taken into account, including the following:

  • new actors motivated to perform (re-)identification,
  • new additional information that becomes available,
  • new methodology of re-identification, and
  • increased computing power (including possibly quantum computing).

Based on this analysis, anonymous data can now be defined:

Definition: Anonymous data

Data is anonymous if any possible actor is unable to directly or indirectly (re-)identify data subjects in the data with means reasonably likely to be used now or in the future.

Note that the above definition of anonymous, like the definition of anonymous given in Recital 26 GDPR, can be seen as being a “success state”. This term was proposed by Mourby et al. [2] for the definition of pseudonymization in Art. 4(5) GDPR, but equally applies here to anonymous. Here, data is anonymous only if the attempts to prevent identification were successful. In other words, the state of success has been reached.
 

References


[1] The following summary by Hans Graux provides further legal background on the concept: “These criteria were examined in greater detail in the so-called Breyer decision of the European Court of Justice. In the Breyer case, the applicant requested public authorities to delete a part of their access logs relating to their public websites. He argued that they contained his IP address as a result of his prior use of the websites, and that the IP addresses constituted personal data. The Court affirmed that IP addresses could indeed be qualified as personal data, even if they are dynamic, and even taking into account that identification would require cooperation of the ISPs (who can normally trivially link IP addresses to subscribers). The Court also stressed that, in order to make this assessment in a specific case, “it must be determined whether the possibility to combine a dynamic IP address with the additional data held by the internet service provider constitutes a means likely reasonably to be used to identify the data subject. […] [I]n particular, in the event of cyber attacks legal channels exist so that the online media services provider is able to contact the competent authority, so that the latter can take the steps necessary to obtain that information from the internet service provider and to bring criminal proceedings. Thus, it appears that the online media services provider has the means which may likely reasonably be used in order to identify the data subject, with the assistance of other persons, namely the competent authority and the internet service provider, on the basis of the IP addresses stored”.
Quoting the Advocate General, the Court also opined that such means would not be available “if the identification of the data subject was prohibited by law or practically impossible on account of the fact that it requires a disproportionate effort in terms of time, cost and man-power, so that the risk of identification appears in reality to be insignificant”. The Breyer case is occasionally referenced as a hallmark decision that introduced a risk based approach to deciding the legal qualification of personal and non-personal data. Only if the risk of identification was found to be ‘insignificant’, would data be qualified as purely non-personal. In practical terms, its impact was to significantly increase the awareness of the complexity of the assessment of data: after Breyer, it was no longer sufficient to stress that identification would not normally happen, or that it would require significant efforts, or access to third party data sources. If means existed for the controller that might be likely reasonably to be used for identification, the data should be considered as personal data, and the GDPR would thus need to comply with. As a result, the reach of data protection law was perceived as significantly broader post-Breyer.”

[2] Mourby, M, Mackey, E, Elliot, M, Gowans, H, Wallace, SE, Bell, J, Smith, H, Aidinlis, S & Kaye, J 2018, ‘Are ‘pseudonymised’ data always personal data? Implications of the GDPR for administrative data research in the UK’, Computer Law and Security Review, vol. 34, no. 2, pp. 222-233. https://doi.org/10.1016/j.clsr.2018.01.002 (last visited 24/03/2021).

 
