The European Data Protection Supervisor is like Cnut facing down a tide of bureaucratic encroachment into our privacy
I should preface this post with two comments:
- My degree is in English Language and Literature. This leaves me sadly unqualified to understand European legalese, for which the minimum of a two-one in Contorted Logic is required.
- I like Peter Hustinx. I respect the European Data Protection Supervisor. But I cannot see him as anything other than a latter-day Cnut merely demonstrating that nothing can stop the tide of bureaucratic incursion into our personal privacy.
It is with this background that I looked at his latest ‘Opinion’ on the Proposal for a Regulation of the European Parliament and of the Council on European statistics on safety from crime. I own that I struggled as much to understand it as I did to stay awake; and had little success with either.
Article 8(2) to (4) of Directive 95/46/EC and Article 10(2) to (4) of Regulation (EC) No 45/2001 contain exceptions to the prohibition of processing these categories of data. In the present case, Article 8(4) of Directive 95/46/EC and Article 10(4) of Regulation (EC) No 45/2001, which allow the processing of such data for reasons of “substantial public interest”, could apply.
So I readily admit that I have not a clue what this Opinion is about, other than it appears that the EDPS is exhorting the EU to obey EU laws. And that might be the problem. EU law is a complex, contradictory mess. It can be accepted by most people that personal data can be kept private by making it anonymous. If data cannot be associated with any particular individual, then that personal data is confidential and effectively remains anonymous.
The problem is, the EU doesn’t seem to understand what this means.
As regards the possibility of identifying data subjects, two different notions are relevant in the EU legislation on statistics: “confidential data” and “anonymous data”. According to Regulation (EC) No 223/2009, data which allow statistical units (which might be natural persons, households, economic operators or other undertakings) to be “identified, either directly or indirectly”, are considered “confidential data” and are therefore subject to statistical confidentiality. However, Regulation (EC) No 831/2002 defines confidential data as data “which allow only indirect identification”.
Throughout this Opinion, poor Mr Hustinx has continually to specify the piece of EU legislation to which the EU should, in his opinion, adhere. That much is simply a farce. But the actual definition of legal anonymity beggars belief:
…the definition provided in Recital 26 of Directive 95/46/EC and Recital 8 of Regulation (EC) No 45/2001, according to which personal data are “rendered anonymous” when the data subject is “no longer” identifiable, taking into account “all the means likely reasonably to be used either by the controller or by any other person to identify the said person”
I have no idea what this means. But this is what it sounds like to me: anonymous does not legally mean anonymous, it means obfuscated. And obfuscation can be described as anonymous if the process of clarification would defeat the script kiddie in his bedroom. This means that data is still defined as legally anonymous even though it is not anonymous to the supercomputers of our own and/or foreign law enforcement or other agencies; or any other person or organization willing to use more resources than is likely reasonably to be used. In short, anonymous is meaningless.
So the moral of this little post is simple. If any European agency asks for your personal data and promises anonymity, don’t give it up. Europe lies in the classic Orwellian fashion: it redefines the truth.