Show simple item record

dc.contributor.authorWeitzenboeck, Emily Mary
dc.contributor.authorLison, Pierre
dc.contributor.authorCyndecka, Malgorzata Agnieszka
dc.contributor.authorLangford, Malcolm
dc.date.accessioned2022-03-28T05:41:53Z
dc.date.available2022-03-28T05:41:53Z
dc.date.created2022-03-07T08:10:15Z
dc.date.issued2022
dc.identifier.issn2044-3994
dc.identifier.urihttps://hdl.handle.net/11250/2987775
dc.description.abstractMuch of the legal and technical literature on data anonymization has focused on structured data such as tables. However, unstructured data such as text documents or images are far more common, and the legal requirements that must be fulfilled to properly anonymize such data formats remain unclear and underaddressed by the literature. In the absence of a definition of the term ‘anonymous data’ in the General Data Protection Regulation (GDPR), we examine its antithesis—personal data—and the identifiability test in Recital 26 GDPR to understand what conditions must be in place for the anonymization of unstructured data. This article examines the two contrasting approaches for determining identifiability that are prevalent today: (i) the risk-based approach and (ii) the strict approach in the Article 29 Working Party’s Opinion on Anonymization Techniques (WP 216). Through two case studies, we illustrate the challenges encountered when trying to anonymize unstructured datasets. We show that, while the risk-based approach offers a more nuanced test consistent with the purposes of the GDPR, the strict approach of WP 216 makes anonymization of unstructured data virtually impossible as long as the original data continues to exist. The concluding section considers the policy implications of the strict approach and technological developments that assist identification, and proposes a way forward.
dc.language.isoengen_US
dc.rightsNavngivelse-Ikkekommersiell-DelPåSammeVilkår 4.0 Internasjonal*
dc.rights.urihttp://creativecommons.org/licenses/by-nc-sa/4.0/deed.no*
dc.titleThe GDPR and Unstructured Data: Is Anonymisation Possible?en_US
dc.typeJournal articleen_US
dc.typePeer revieweden_US
dc.description.versionpublishedVersion
cristin.ispublishedtrue
cristin.fulltextoriginal
cristin.qualitycode1
dc.identifier.doihttps://doi.org/10.1093/idpl/ipac008
dc.identifier.cristin2007894
dc.source.journalInternational Data Privacy Law (IDPL)en_US
dc.relation.projectNorges forskningsråd: 308904
dc.relation.projectDirektoratet for internasjonalisering og kvalitetsutvikling i høgare utdanning: CELL: 10037


Files in this item

Thumbnail

This item appears in the following Collection(s)

Show simple item record

Navngivelse-Ikkekommersiell-DelPåSammeVilkår 4.0 Internasjonal
Except where otherwise noted, this item's license is described as Navngivelse-Ikkekommersiell-DelPåSammeVilkår 4.0 Internasjonal