iStockphoto-Chainarong Prasertthai

Does anonymising personal data have a future?

Advising the European Data Governance

Dr. S-W – 04/2021

On November 25, the EU Commission presented a proposal for a data governance law, COM(2020)767. German Social Insurance has taken a position on this with concrete proposals for change. You can find the opinion here.

It is now the turn of the Council and the European parliament. In its opinion of March 25 about the European data strategy - - Parliament has already advocated a European data governance framework and addressed data governance issues in this context. Of particular note is the principle that the free exchange of data should be limited (only) to non-personal data. The same applies to the development of AI: This should be practised using non-personal datasets. At the same time, Parliament has a clear idea of when personal data leaves a protected area: only after it has been anonymised "securely, effectively and irreversibly" - in the knowledge that this will not always be possible in view of technical progress. More research is needed to discover the re-identification risks. 

Embedded in this principle is the expectation that health data should not be shared without full and informed consent; and in doing so, Parliament is going beyond the standards of the European General Data Protection Regulation. At the same time, the Parliament supports the EU Commission's position that the nine "common European data spaces" to be created in the future, including the space for the public sector, should also be made accessible to commercial market participants - but as previously mentioned, this should be restricted to non-personal data. In particular, data made available to third parties in the context of "data altruism" should also benefit general interest purposes, not just purely commercial interests. Nevertheless, the creation of a legal framework and a clear definition of horizontal and cross-sector personal data spaces should be considered alongside other data spaces.

The starting signal for the deliberations in the European Parliament, especially with regard to the "Data Governance Act", was an expert hearing in the lead ITRE committee (committeeon industry, research and energy) of the European Parliament that was held on March 25. Here, MEPs raised the question whether personal data could indeed be irreversibly anonymised. The answer from "Findata", the Finnish licensing authority for the use of health and social data, was clear: this was practically impossible. The only alternative is to process such data in a "secure environment."

Finland, this is not a problem, as citizens traditionally trust the authorities to "do the right thing". Finland, amongst others, also raised the question of whether all citizens are indeed willing to share their personal data with third parties or whether additional instruments and incentives are needed. Rapporteur Niebler took up the question and suggested that more attention should be paid to the willingness of citizens to make their data available in the context of "data altruism" and that alternatives should be explored. She noted with interest the view, widely shared by the experts, that younger people would have fewer problems sharing their data.

On the following day, EPP MEP Angelika Niebler published her draft report. Among other things, MEP Niebler sees her report as an attempt to make the regulation "SME-friendly", to facilitate the conditions for data traders ("data intermediaries") to operate and to broaden their scope of activities and to limit "exclusive agreements" for using public data to one year.

In the subsequent discussion of the Niebler report by the ITRE Committee on April 13, not only was the issue of "general interest" raised, especially by the "left", but there were also calls for personal data held by public bodies to be excluded from the scope of the regulation. As for the GREENS, they noted that the role of the "data traders" should focus primarily on industrial data and not so much on personal data.