Companies in Europe want to share the personal data of consumers with other firms or turn it into business applications without violating privacy rules, but there is no consensus on how to avoid revealing such potentially sensitive information.
Privacy restrictions in the European Union’s 2018 General Data Protection Regulation initially caused companies to reconsider whether they could cash in on personal data collected on consumers. Now, some companies are finding ways to avoid revealing that data, including consumers’ identities.
Austrian telecoms carrier A1 Telekom Austria, for example, spent two years developing a method to maintain the anonymity of its customers, and last month joined a data marketplace run by vehicle-technology firm HERE Global B.V. The company only shares aggregated location data on groups of 20 people or more with other companies buying through the marketplace, reducing the risk it could identify any individuals.
A1 joined the marketplace to test whether it can sell its location data to companies developing vehicle and transportation applications, said Mario Mayerthaler, the carrier’s head of innovation. To comply with the GDPR, the company needed to make sure it wouldn’t expose private data about customers when sharing information with other firms, he said.
“The GDPR, I wouldn’t say it’s a hurdle, but it really takes a lot of effort,” Mr. Mayerthaler said.
Many companies are unsure how to properly render data anonymous so it isn’t possible to identify an individual.
“We need more legal certainty and technical standards on how to anonymize data in compliance with the GDPR,” said Michael Dose, a manager in digitalization and innovation at the Federation of German Industries, a Berlin-based trade group representing more than 100,000 companies in different sectors.
EU regulators have imposed sanctions against several companies that have failed to properly remove any information that could identify a person.
In 2019, for instance, Denmark’s privacy authority fined taxi company Taxa 4×35 for retaining customer data for longer than necessary. Taxa 4×35 claimed it anonymized customer records, but the regulator found the company deleted customer names while keeping other personal data. Taxa 4×35 didn’t respond to a request for comment.
Healthcare and pharmaceutical companies frequently remove identifying information from data they collect in clinical trials before sharing it with researchers and other firms. U.S. healthcare firms are adopting similar practices, and major U.S. hospital groups started a company to collect and sell access to their anonymized data for research and drug development purposes, The Wall Street Journal has reported.
Techniques such as encryption or replacing identifying information with a hash code aren’t considered strong enough measures to fully anonymize data and remove all personally identifiable information, according to European rules, said Athena Bourka, an expert in data protection at Enisa, the European cybersecurity agency.
“It’s really difficult. The possibilities for re-identification are huge,” Ms. Bourka said.
While providing a pseudonym can protect data, EU privacy regulators still consider the information itself to be personal because it could be traced to an individual, meaning the GDPR still applies. Companies can make data anonymous by converting it into aggregated information, Ms. Bourka said.
The European Data Protection Board, the umbrella group of European privacy regulators, said last year that anonymization is an alternative to deleting data that companies no longer need. They haven’t provided guidance on how companies should properly make data anonymous so the GDPR no longer applies.
German and French authorities have published recommendations to help companies make personal information in data anonymous. Separately, the GDPR defines pseudonymization as when companies process personal data but protect it so it can’t be traced to an individual without additional information. That could be done with an encryption key, for example, which would decode protected data.
Pseudonymization techniques such as encryption secure data by hiding personal details, but the data can still be linked to an individual, Ms. Bourka said.
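The distinction drawn above, and A1's practice of releasing only groups of 20 or more, can be made concrete in code. The following is an added illustration, not code from the article, A1 or HERE: it keys-hashes subscriber ids (which leaves every row linkable to one stable token, so the data stays personal) and contrasts that with releasing only (cell, hour) counts after suppressing any group below a minimum size. The record fields, the sample data and the secret key are all constructed.

```python
"""Pseudonymised per-person rows versus aggregated counts with a minimum group size."""
import hashlib
from collections import Counter

MIN_GROUP = 20  # threshold the article attributes to A1: share groups of 20 or more only


def pseudonymise(records, secret):
    """Replace each subscriber id with a keyed hash. The name is gone, but every
    row still carries one stable token, so rows remain linkable to an individual:
    this is pseudonymisation, and the GDPR still applies to the output."""
    out = []
    for rec in records:
        token = hashlib.sha256((secret + rec["subscriber"]).encode()).hexdigest()[:16]
        out.append({"token": token, "cell": rec["cell"], "hour": rec["hour"]})
    return out


def linkable_tokens(pseudo_records):
    """Tokens that occur in more than one row: those rows join into a movement
    trace of one (unnamed) person, which is exactly the linkability regulators object to."""
    counts = Counter(r["token"] for r in pseudo_records)
    return {t for t, n in counts.items() if n > 1}


def aggregate(records, min_group=MIN_GROUP):
    """Release only (cell, hour) counts and suppress any group smaller than
    min_group, so no published number describes a handful of people."""
    counts = Counter((r["cell"], r["hour"]) for r in records)
    return {key: n for key, n in counts.items() if n >= min_group}


# Constructed sample: 25 subscribers seen in cell A at 08:00, three of them
# again in cell B at 09:00, and subscriber s0 once more in cell B at 17:00.
SAMPLE = (
    [{"subscriber": f"s{i}", "cell": "A", "hour": 8} for i in range(25)]
    + [{"subscriber": f"s{i}", "cell": "B", "hour": 9} for i in range(3)]
    + [{"subscriber": "s0", "cell": "B", "hour": 17}]
)

if __name__ == "__main__":
    pseudo = pseudonymise(SAMPLE, secret="constructed-key")
    print("rows still linkable to one person:", len(linkable_tokens(pseudo)))
    print("releasable aggregate:", aggregate(SAMPLE))
```

With the sample data, three tokens remain linkable across rows after hashing, while aggregation publishes only the 25-person group in cell A and suppresses the two small groups in cell B.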
To make data anonymous, companies should assess how it could be exposed in a particular situation, said Mark Elliot, professor of data science at the University of Manchester in the U.K. He advised the U.K. Office for National Statistics in 2016 on how to anonymize personal data such as cost-of-living and labor statistics, and conducted simulated attacks on the data to test whether it was properly protected.
“Don’t focus on techniques, focus on risks,” he said in an email.
To protect the identities of clinical trial participants, biotechnology company Biogen Inc. uses technology to disguise details about individuals and shares the least amount of its data with external researchers and other companies. When they request access to Biogen’s clinical trials data, Lukasz Kniola, the company’s principal analyst for data sharing, said he asks for precise details and only shares what is necessary. If a researcher doesn’t need information about participants’ nationality or age, for example, Mr. Kniola won’t include it.
In other situations, companies may share personal data that can identify individuals with business partners or other third parties without first aggregating it, but may still apply safeguards such as encryption.
A researcher or company accessing Biogen’s data must also sign a contract agreeing not to attempt to identify trial participants, said Lee Parker, the company’s director of data privacy for Europe.
Anonymizing data will only get trickier because more powerful computers and the growing amount of personal information available in online databases and on social media are making it easier to identify people, said Pierre-Yves Lastic, a data protection consultant and former deputy head of privacy at pharmaceutical company Sanofi SA.
Many companies hire external statistics analysts to test their methods for making data anonymous and make sure a skilled person can’t link the data to an individual, he said.
“The only way of getting the risk all the way down to zero would be not to ever share this data,” Mr. Kniola said.
Write to Catherine Stupp at [email protected]