A great deal has been written about the GDPR’s Right to Erasure provision, also known as the right to be forgotten. To be specific, this provision stipulates that personal data must be erased immediately when it’s no longer needed for the original processing purpose, or the data subject has withdrawn their consent, and there is no other legal ground for keeping it. A similar requirement has also been included in the California Consumer Privacy Act (CCPA) scheduled to become active on January 1, 2020.
The question that regularly arises around this provision is that of data anonymization, or de-identification. Is the right to erasure provision in the GDPR satisfied by manually or programmatically anonymizing the data subject’s personal information to the point where their identity cannot be reconstructed?
Is Anonymization Enough?
Some of you may be asking yourself, “What don’t you understand about the word erasure?” The GDPR committee would not have chosen that word if they didn’t mean delete, dispose of, remove, obliterate, etc. However, some experts don’t believe they necessarily meant the physical act of deletion. Rather, ensuring a data subject’s identity is completely removed and unable to be recalled may be enough.
This raises important questions for companies that rely on this type of information for ongoing data analytics projects. For example, does anonymizing the data subject’s first and last name, birthdate, address, etc., but keeping their zip code, gender, age, height and weight, meet the GDPR’s goal of “erasing” a data subject’s personal information (PI) while maintaining enough other data to add value to data analytics processes?
Until recently, that question had not been addressed by the GDPR authority and was left open to interpretation — increasing possible non-compliance liability.
What Counts as Erasure?
That changed in a case decided last year (DSB-D123.270/0009-DSB/2018, German). The Austrian Data Protection Authority (DPA), a member of the EU GDPR authority, made a decision on a case that highlighted this question: Does it meet the regulation’s intent for personal data erasure if PI is anonymized (or de-identified) instead of deleted programmatically? In this case, the DPA ruled that the anonymization of personal data can be utilized to meet the regulation’s data erasure requirement.
The original case brought before the Austrian DPA had to do with a data subject’s request that all personal data be deleted. In this case, the company chose to erase some data and anonymize other data to maintain the usability of the anonymized data for other uses, i.e., data analytics.
The data subject’s issue was that the company had only anonymized portions of his personal data instead of deleting it completely. This person expressed concern that there would be enough PI left to reconstruct their identity. However, the DPA ruled that was not the case.
Irrevocable Identity Erasure
In the GDPR and other privacy regulations (such as the CCPA), the right to erasure strongly implies unrecoverable deletion, or anonymization, and the inability to ever re-identify the data subject. The deletion/anonymization process steps must be documented and binding.
For the GDPR’s right to erasure provision to be met, the data subject’s identity cannot be recoverable from the remaining (anonymized) data. To accomplish GDPR-compliant anonymization, all references to the original data subject must be destroyed in an unrecoverable manner.
The overriding question is this: Is the intent of the GDPR right to erasure regulation met by a compliant anonymization process? Based on the recent DPA ruling and common sense, the obvious answer is yes — as long as the proper, documented anonymization steps are both tested and followed.
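One concrete form of the "tested" anonymization step the article calls for is a re-identification check on whatever data is kept after erasure. The example below is added here and is not part of the original article or of any DPA guidance: it drops the direct identifiers the article names (name, birthdate, address), then measures the k-anonymity of the retained quasi-identifiers (zip code, gender, age, height, weight) and coarsens them when a combination still points at exactly one person. The record layout, the sample records, the bucket widths and the k threshold are all constructed assumptions for the illustration, not values from the page.

```python
"""Added example (not from the original article): after erasing direct
identifiers, check whether the remaining quasi-identifiers still single
out individuals, and generalize them until they do not.

Assumptions: record layout, sample records, bucket widths and the k
threshold are constructed for this illustration."""
from collections import Counter

# Constructed sample: what a customer table might hold before an erasure request.
RECORDS = [
    {"name": "A. Example", "dob": "1984-03-02", "address": "1 Main St",
     "zip": "10001", "gender": "F", "age": 39, "height_cm": 168, "weight_kg": 60},
    {"name": "B. Example", "dob": "1984-07-19", "address": "2 Main St",
     "zip": "10001", "gender": "F", "age": 39, "height_cm": 165, "weight_kg": 62},
    {"name": "C. Example", "dob": "1990-11-30", "address": "3 Oak Ave",
     "zip": "10002", "gender": "M", "age": 33, "height_cm": 181, "weight_kg": 80},
    {"name": "D. Example", "dob": "1991-01-05", "address": "4 Oak Ave",
     "zip": "10002", "gender": "M", "age": 32, "height_cm": 184, "weight_kg": 82},
    {"name": "E. Example", "dob": "1975-06-14", "address": "5 Elm Rd",
     "zip": "10003", "gender": "M", "age": 48, "height_cm": 190, "weight_kg": 95},
    {"name": "F. Example", "dob": "1978-09-21", "address": "6 Elm Rd",
     "zip": "10003", "gender": "M", "age": 45, "height_cm": 192, "weight_kg": 98},
]

DIRECT_IDENTIFIERS = ("name", "dob", "address")
QUASI_IDENTIFIERS = ("zip", "gender", "age", "height_cm", "weight_kg")


def erase_direct_identifiers(records):
    """Drop direct identifiers outright. Dropping (rather than hashing or
    encrypting them) is what makes the step irreversible: a hashed name can
    still be matched against a list of candidate names, which is
    pseudonymization, not anonymization."""
    return [{k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS} for r in records]


def _bucket(value, width=10):
    """Replace an exact number with the range it falls in, e.g. 39 -> '30-39'."""
    lo = value // width * width
    return f"{lo}-{lo + width - 1}"


def generalize(record):
    """Coarsen the quasi-identifiers so more records share each combination."""
    return {
        "zip": record["zip"][:3] + "**",  # keep only the 3-digit zip prefix
        "gender": record["gender"],
        "age": _bucket(record["age"]),
        "height_cm": _bucket(record["height_cm"]),
        "weight_kg": _bucket(record["weight_kg"]),
    }


def k_anonymity(records, quasi_identifiers=QUASI_IDENTIFIERS):
    """Return (k, singletons). k is the size of the smallest group of records
    sharing identical quasi-identifier values; singletons lists the
    combinations held by exactly one record, i.e. those that still identify
    one person."""
    groups = Counter(tuple(r[q] for q in quasi_identifiers) for r in records)
    singletons = [dict(zip(quasi_identifiers, key)) for key, n in groups.items() if n == 1]
    return min(groups.values()), singletons


def erasure_check(records, k_required=2):
    """Erase direct identifiers, then verify every remaining quasi-identifier
    combination is shared by at least k_required records; if not, generalize
    and re-check. The result is what an auditor would want documented."""
    remaining = erase_direct_identifiers(records)
    k, singletons = k_anonymity(remaining)
    if k >= k_required:
        return {"compliant": True, "k": k, "generalized": False}
    coarse = [generalize(r) for r in remaining]
    k2, singletons2 = k_anonymity(coarse)
    return {"compliant": k2 >= k_required, "k": k2, "generalized": True,
            "singletons_before": len(singletons), "singletons_after": len(singletons2)}


if __name__ == "__main__":
    # On the constructed sample the raw quasi-identifiers are all unique
    # (k=1); after bucketing, each combination is shared by two records (k=2).
    print(erasure_check(RECORDS))
```

The check is deliberately pessimistic: exact height and weight alone make every constructed record unique, so keeping them verbatim would leave the data subject's concern about reconstruction unanswered even with name, birthdate and address gone. Bucketing is one way to close that gap; the point for the documented process is that the measurement is run and recorded, not that these particular bucket widths are the right ones.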