The Article 29 Working Party has adopted an opinion on anonymisation techniques. In the context of EU data protection law, the opinion examines current anonymisation techniques and makes recommendations on using them in the light of the risk of identification of individuals. The opinion describes anonymisation as a technique applied to personal data to achieve irreversible de-identification. It discusses the anonymisation definition in the Data Protection Directive (95/46/EC) and references to it in the E-Privacy Directive (2002/58/EC).

The Working Party notes that anonymisation may be a useful means to maintain the benefits of "open data" in society, while protecting individuals by mitigating privacy risks. However, it warns of the difficulty of creating a truly anonymous dataset where much underlying information is retained, as combining an anonymised dataset with another dataset may lead to identification. The opinion states that anonymisation constitutes further processing of personal data, but also states that anonymised data do fall out of the scope of data protection legislation.

The Working Party discusses randomisation and generalisation (the main anonymisation techniques). Noise addition, permutation, differential privacy, aggregation, k-anonymity, l-diversity and t-closeness are examined. Strengths and weaknesses of techniques are highlighted along with common mistakes and failures, which should assist data controllers with designing an anonymisation process. The opinion clarifies that pseudonymisation (one attribute in a record being replaced for another) is not a method of anonymisation, but merely a useful security measure.

The opinion advises that anonymisation should be planned on a case-by-case basis, possibly using a variety of techniques and factoring in the opinion's recommendations. Data controllers are advised not to treat anonymisation as a one-off exercise. Rather, regular risk assessment should continue in the light of the residual risk of identification. For further information on data protection in the EU, see Practice note, Overview of EU data protection regime.

Source: Opinion 05/2014 on anonymisation techniques, 10 April 2014.