Does anonymising personal data have a future?
Advising the European Data Governance
Dr. S-W – 04/2021
On November 25, the EU Commission presented
a proposal
for a data governance law, COM(2020)767. German Social Insurance has taken
a position on this with concrete proposals for change. You can find the opinion here.
It
is now the turn of the Council and the European parliament. In its opinion of March 25 about the European data strategy - - Parliament has already
advocated a European data governance framework and addressed data governance
issues in this context. Of particular note is the principle that the free
exchange of data should be limited (only) to non-personal data. The same
applies to the development of AI: This should be practised using non-personal
datasets. At the same time, Parliament has a clear idea of when personal data
leaves a protected area: only after it has been anonymised "securely,
effectively and irreversibly" - in the knowledge that this will not always
be possible in view of technical progress. More research is needed to discover
the re-identification risks.
Embedded
in this principle is the expectation that health data should not be shared
without full and informed consent; and in doing so, Parliament is going beyond
the standards of the European General Data Protection Regulation. At the same
time, the Parliament supports the EU Commission's position that the nine
"common European data spaces" to be created in the future, including
the space for the public sector, should also be made accessible to commercial
market participants - but as previously mentioned, this should be restricted to
non-personal data. In particular, data made available to third parties in the
context of "data altruism" should also benefit general interest purposes,
not just purely commercial interests. Nevertheless, the creation of a legal
framework and a clear definition of horizontal and cross-sector personal data
spaces should be considered alongside other data spaces.
The
starting signal for the deliberations in the European Parliament, especially
with regard to the "Data Governance Act", was an expert hearing in
the lead ITRE committee (committeeon industry, research and energy) of the European
Parliament that was held on March 25. Here, MEPs raised the question whether
personal data could indeed be irreversibly anonymised. The answer from
"Findata", the Finnish licensing authority for the use of health and
social data, was clear: this was practically impossible. The only alternative
is to process such data in a "secure environment."
Finland,
this is not a problem, as citizens traditionally trust the authorities to
"do the right thing". Finland, amongst others, also raised the
question of whether all citizens are indeed willing to share their personal data
with third parties or whether additional instruments and incentives are needed.
Rapporteur Niebler took up the question and suggested that more attention
should be paid to the willingness of citizens to make their data available in
the context of "data altruism" and that alternatives should be
explored. She noted with interest the view, widely shared by the experts, that
younger people would have fewer problems sharing their data.
On the following day, EPP MEP Angelika
Niebler published her draft
report. Among other things, MEP Niebler sees her report as an attempt to
make the regulation "SME-friendly", to facilitate the conditions for
data traders ("data intermediaries") to operate and to broaden their
scope of activities and to limit "exclusive agreements" for using
public data to one year.
In the subsequent discussion of the Niebler
report by the ITRE Committee on April 13, not only was the issue of
"general interest" raised, especially by the "left", but
there were also calls for personal data held by public bodies to be excluded
from the scope of the regulation. As for the GREENS, they noted that the role
of the "data traders" should focus primarily on industrial data and
not so much on personal data.