Follow ACC Docket Online:  

This Week in Privacy: Do You Need Permission to Anonymize Your Data?

"This Week in Privacy” is a new column for in-house counsel who need advice in the privacy and cybersecurity sectors. K Royal is a director at TrustArc. To have your legal privacy questions answered, email ms.kroyal@gmail.com with “This Week in Privacy" in the subject line.


Q: I want to anonymize personal data so that I can use it and retain it longer, but I heard that anonymizing under EU law is considered to be processing and that I may need permission.


A: The new EU General Data Protection Regulation (GDPR) defines pseudonymization as:

“The processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.” (Source: Aritcle 5)

If pseudonymization is processing, so too is anonymization. But anonymization carries a much larger burden to be truly anonymous. Read this opinion by the Article 29 Working Party for more insight.

If it is processing, then it must have a legal basis to do so. This legal basis may come in the form of consent. Anonymizing personal data would count as further processing of the data (under GDPR Article 6), which requires certain evaluation. Additionally, if it is sensitive personal data or data requiring special consideration (e.g., under EU regulations, sensitive personal data includes criminal convictions or information from minors under the age of 16 — or 13 in some member states), then further processing may be subject to additional notices and explicit consent.

Before anonymization, personal data is still subject to the requirements under the GDPR. If the data was not collected for the primary purpose of anonymizing it, then analysis is required for the anonymization portion. 

About the Author

K Royal is the technology columnist for ACCDocket.com, and director at TrustArc. @heartofprivacykroyal


The information in any resource collected in this virtual library should not be construed as legal advice or legal opinion on specific facts and should not be considered representative of the views of its authors, its sponsors, and/or ACC. These resources are not intended as a definitive statement on the subject addressed. Rather, they are intended to serve as a tool providing practical advice and references for the busy in-house practitioner and other readers.