Anonymization

Definition:

The process of converting Personal Data into a form that no longer identifies individuals and where re-identification is not likely* to take place.

Commentary:

In some jurisdictions, such as the UK, EU, Japan and Brazil anonymisation is defined in law to mean data that is out of the scope of data protection law on the basis that the data subject is not or no longer identifiable. In other jurisdictions, such as California, anonymisation is not defined in law, whereas the term de-identified is, with a meaning analogous to the definition of anonymous in the EU. In other jurisdictions, whilst anonymization is not defined in law, Personal Data is defined and linked to the scope of the applicability of the law and therefore anonymised data is impliedly excluded. This is supported by regulatory guidance e.g. in HK and Australia. In jurisdictions such as the EU Brazil and California, account should be taken of all means that could be reasonably likely to be used to identify the individuals (e.g. cost, time, available technology at the time and the related development). How this is interpreted differs from one jurisdiction and regulator to another, meaning approaches to anonymisation vary across jurisdictions. The same techniques that are used to disassociate the identity of a data subject from the analytical value of that data, can also be applied to other types of data, such as a company or transaction. Similarly to how anonymization takes data out of the scope of data protection law, this may also have legal significance.