One of Jisc’s activities is to monitor and, where possible, influence regulatory developments that affect us and our customer universities, colleges and schools as operators of large computer networks. Since Janet and its customer networks are classified by Ofcom as private networks, postings here are likely to concentrate on the regulation of those networks. Postings here are, to the best of our knowledge, accurate on the date they are made, but may well become out of date or unreliable at unpredictable times thereafter. Before taking action that may have legal consequences, you should talk to your own lawyers. NEW: To help navigate the many posts on the General Data Protection Regulation, I've classified them as most relevant to developing a GDPR compliance process, GDPR's effect on specific topics, or how the GDPR is being developed. Or you can just use my free GDPR project plan.

Pseudonymous Identifiers and the DP Regulation

Wednesday, July 18, 2012 - 17:37

Statewatch have published what appears to be a document from the Council of (European) Ministers containing comments on the proposed Data Protection Regulation. It’s interesting to see that there seems at last to be a recognition that the current legal treatment of indirectly linked identifiers is unsatisfactory. At the moment European law has been interpreted as saying that identifiers such as IP addresses are either personal data or not, and once their status is set it can never change, no matter who holds them. A comment attributed to the President of the Council highlights why this isn’t right:

To the original data controller, identification will most likely never be disproportionate, but this may be the case for third parties that e.g. only see an id number or some other “abstract identifier”, which they cannot use to identify the data subject

In other words, it may well be reasonable to impose all the duties of data protection law on parties (such as the ISP that assigns the IP address to a user) that know the link between the identifier and individual, but not on other parties who have only the identifier and no way to make the link. There are even promising suggestions that such identifiers should be distinguished by having a different name – “pseudonymous identifiers”. This would both create an incentive to use these privacy-protecting identifiers, and make systems that use them (for example federated access management) a lot easier to use.

However, there doesn’t seem to be any agreement on the right way to treat pseudonymous identifiers. The original draft Regulation says (without giving any clue why or when) that “identification numbers, location data, online identifiers or other specific factors as such need not necessarily be considered as personal data in all circumstances”. The Council’s views seem to diverge widely, with some proposing to revert to the current position and others suggesting tests involving how much effort would be involved in making the link or whether the link is actually made (current UK law considers the likelihood of linking). My own preference, which would depend on the risk of harm (i.e. how likely is it that the link will be made and how much would that damage privacy), doesn’t seem to have been suggested. But at least the problem seems to have been recognised and discussion of solutions started.