[m0nster]

In my experience, this is a question of interpretation (see e.g. Recital 26 and the question of what is "reasonably likely"). You can ask ten different experts, and you will get ten different opinions.

Unfortunately, many aspects of the GDPR are interpreted very heterogeneously, both in individual countries and by different supervisory authorities within the countries themselves.

For this reason, it is essential that more specific guidelines and certifications are developed for the use of different technologies, including anonymization.

[privacylawthrow]

> In my experience, this is a question of interpretation (see e.g. Recital 26 and the question of what is "reasonably likely").

This is absolutely true. The hard part is that was it "reasonably likely" changes as technology changes. It's entirely possible that a data set that qualifies as anonymous today will not be anonymous in 5 years. Organizations are responsible for the data they publish. If data loses its anonymity in the future due to release of other data sets and/or improved technology, the organization releasing the data will be responsible for the release of personal data, even if it wasn't personal data at the time of release.

[m0nster]

True. For this reason, even anonymous data can usually not be shared as open data. You have to control the environment in which the data is used to control what is "reasonably likely" (see also comment by La1n above).

[La1n]

Also this interpretation would completely block any sharing within the pharmaceutical field, where the original data is required by law to be kept for a minimum of 25 years. I personally like the definitions from UKAN, which talk about anonymous data as relating to data environments.

edit: https://msrbcel.files.wordpress.com/2020/11/adf-2nd-edition-...

[m0nster]

Absolutely. They're doing a great job at UKAN!