The European Union may have standard unified data protection laws by 2014, and the European Commission is currently debating what kind of data falls under their proposed protection scheme. The potentially far-reaching law, called the General Data Protection Regulation (GDPR), aims to update the current EU directive that does not take into account social media data or the complexities of cloud computing. Where pseudonymous data fits into this new law, however, is subject to heated debate.
Pseudonymous data refers to online information that may not identify an individual directly, but often allows indirect identification rather easily. This includes anything from Internet user names to IP addresses to user-generated data such as forum posts, search terms, or friend lists on social media. While some argue that this pseudonymous data does not require the same stringent protection as clearly personal online information, others claim that this data demands the same privacy protection.
In a March 2013 speech in Brussels, Valerie Reding, Vice-President of the EU Commission in charge of GDPR, strongly stated her support for vigilant protection of data, pseudonymous or otherwise. “Data protection is a fundamental right,” she said, “[and] privacy is an integral part of human dignity and personal freedom.” She went on to clarify: “Pseudonymous data is personal data . . . [it] must not become a Trojan horse at the heart of the regulation, allowing the non-application of its provisions.” Reding made clear that she supports data protection that includes indirect personal data, meaning any data that allows for eventual accurate identification of an individual. She ended her address by calling for “robust safeguards” for citizens while also making solutions workable for businesses.
The Washington-based Center for Democracy and Technology (CDT) further clarifies the definition of pseudonymous data and argues for its broad protection. In a position paper, the CDT claims that data that makes indirect links to an individual or an individual’s device should be protected, as device-level information such as IP addresses can easily be linked today to a real-name identity. IP addresses in particular require new and strong protection, the CDT paper explains, because companies currently process and obtain IP addresses simply when a user downloads content from a webpage. The key to unified privacy regulation like GDPR would be a system where “a data controller cannot readily tie the data to an individual . . . it should not be sufficient that a party has the ability to link but does not intend to.” The CDT argues that regulations, and incentives for companies to follow them, will encourage Internet companies to collect data more often in pseudonymous rather than directly personal form, and will give pseudonymous data the protection level it needs.
Online privacy advocates argue that this regulation is explicitly required because business interests will continue to work toward collecting and eventually selling their user data. As Fredrik Soderblom, owner of the Swedish company Storesafe.com, told the EU Observer: “if you have properly anonymized data it wouldn’t be commercially interesting to buy it because you want it to be able to pinpoint the individual so you can direct the advertising [at them].” Adopting strict privacy regulation that places an obligation to protect on industry would curb such misuse of personal and traceable data, advocates hope.
Other privacy provisions that may end up as law under the GDPR include mandatory notification of individual data breaches, required consent for user data collection and a clear statement of the purpose of the collection, and the Right to Be Forgotten, which would require an organization to delete personal data once that consent has been revoked by the user. European Commission negotiations will continue until 2014, and they will ultimately determine if pseudonymous data fits under the protective umbrella of the GDPR.