Mechanisms of dissociation of personal data and the “Internet of things”

Written on 10 Feb 2015

Dissociation of personal data is becoming critical for companies whose business models are based on the so-called “Internet of things” or “Big Data” technologies.

Phenomena such as “Big Data” or “E-Health”, involve that companies whose businesses are based on these technologies are faced with a real challenge concerning compliance with data protection regulations. The core in which these technologies or business models are based involves the processing of personal data of customers or users beyond the purposes for which they were collected. So companies, in their capacity as data controllers, may carry out such processing, at least, in two different manners: (i) by obtaining consent that involves ex ante compliance; or (ii) by using dissociation mechanisms making their customers or users not recognizable at all.

We should note that one of the key elements in improving the protection of privacy in the framework of “open data” (based on both statistical and data analysis) is to establish dissociation procedures properly designed, allowing proper management of stored data, which, at this stage, lacks a sufficiently developed legislation.

On the other hand, it is worth mentioning the great development of “wearables” meaning that all elements used by consumers (for example, watches or clothing) will store personal data that will be used to adapt these devices to their preferences or even to analyze future market trends for certain population groups.

In regard to “E-Health”, which involves the introduction of information technology systems and communications in the provision of health services, it should be noted that health data, being sensitive data, may cause a greater impact in the privacy of patients if not properly processed. The Spanish Data Protection Agency has already had the opportunity to state its position on various occasions regarding the dissociation of personal data in the context of, for example, clinical trials. However, such opinions were not related to the current technologies.

To ensure that personal data becomes a dissociated data is necessary that the data subject’s identity remains completely and irreversibly detached from the data obtained after the dissociation procedure. At EU level, Article 29 Working Group states that once the process has been carried out, the identification of the person should be “irreversible”, being the company unable to re-associate the data with a data subject. The application of such a concept is quite difficult from a practical perspective, considering that, in most cases, IT companies have enough algorithms to reverse the process. Therefore, the larger the data set to be processed is, the more difficultly the procedure will be reversed.

In its Opinion 5/2014 on anonymisation techniques, the aforementioned Working Group proposes to meet three criteria that help to know the robustness of applied art (singling out, linkability and inference). The Working Group notes that the pseudonymisation (replacement of an attribute for another in a record) can be considered a useful security measure but not as an absolute anonymisation technique because it can easily allow the identification of the data subject. The Working Group emphasizes that the best approach would be to combine several anonymisation techniques to obtain a more robust and solid result.

Prior to the publication of that Opinion 5/2014, the Information Commissioner’s Office in the UK, published a code of practice in which, with practical examples, explained how such anonymisation procedures should be implemented.

In any case, a position such as the Working Group of Article 29 would not eliminate the need to analyze the dissociation procedures, from a legal perspective and on a case by case basis, taking into account that the current legislation in force may not be able to be as fast as the technological advances in this field.