On February 10, 2020, Germany’s Federal Commissioner for Data Protection and Freedom of Information (BfDI) launched its first public consultation procedure. The consultation invites comments on a position paper of the BfDI which addresses the anonymization of personal data under the General Data Protection Regulation (GDPR), with a particular focus on the telecommunications sector (for example, the anonymization of location data in mobile networks).
The position paper points out that the processing of anonymized data is not regulated by the GDPR, although the GDPR does not make clear under what circumstances data can be considered fully “anonymous”. Moreover, the steps necessary to anonymize personal data may constitute a form of “processing” that, in and of itself, requires a legal basis under the GDPR. Hence, the public consultation addresses the following questions:
- What are the requirements for personal data to be anonymized?
- Does anonymization constitute processing of personal data that requires a legal basis?
- If so, what legal basis can be used for anonymization efforts?
The draft position paper proposes the following answers:
- For personal data to be anonymized, the link to a person must be removed in such a way that re-identification is practically impossible – i.e., the link to the individual can only be restored with a disproportionate expenditure of time, costs and manpower. The controller remains responsible to continuously monitor the validity of the anonymization efforts.
- Anonymization, including through aggregation of data, is a form of processing of personal data that does indeed require a legal basis.
The paper also sets out a number of possible legal bases for such anonymization efforts, in particular:
- 6(4) GDPR (i.e., processing of personal data for a new purpose that is compatible with the original purpose for which they were collected) is one option. For example, it could relied on if customer data collected under Art. 6(1)(b) GDPR (performance of an agreement) that did not include any “particularly sensitive” data and is anonymized for the purpose of optimizing services.
- Under the German Telecommunications Act, location data can be used to provide value-added services (Dienste mit Zusatznutzen – i.e., location-based services) if the user consents to this, or if the data have been anonymized.
- Anonymization could also be based on Art. 6(1)(c) GDPR (compliance with a legal obligation) & Art. 17 GDPR (right to erasure), because the legal obligation to erase personal data can be met by anonymizing the data. This also applies to traffic data (Verkehrsdaten) collected pursuant to sec. 96(1), 2nd sentence of the German Telecommunications Act.
Interested stakeholders may submit comments via email to konsultation@bfdi.bund.de until March 9, 2020.