A principled approach to defining anonymization as applied to EU data protection law

Abstract

The concept of anonymization plays a central role in data protection law, defining a broad category of information that falls outside the scope of regulation, and thereby enabling companies, government agencies, and researchers to carry out a wide range of data processing activities. Yet, despite the significance of the concept, it is undertheorized and poorly articulated in regulatory guidance. This article puts forth principles for the regulation of anonymization, and for data protection regulation more broadly. It also provides model language as a starting point for explicitly incorporating these principles into data protection guidance. These principles are grounded in the past 20+ years of research in data privacy. These principles are not intended as absolutes, but better anonymization techniques and regulations will generally satisfy more of these principles - or are the principles intended to be exhaustive.