|
|
|
|
|
|
by waffleiron
847 days ago
|
|
|
Recital 26 of the GDPR has a quite good definition >To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments. The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. Which of course relies on threat modelling as technology doesn’t stand still. However it’s quite clear that if you can link the data in any way to an individual, it’s not anonymous. I work in privacy and I’d even argue that collecting anonymous data is likely not possible unless using something like differential privacy. It’s more likely they are collecting personal data (because even your IP would link this data to you) and then anonymise it afterwards (i.e. store it without your IP address). |
|
|
I think this is undeniably true.
Aside from differential privacy (which is pretty weak sauce itself), the only way there can be "anonymous data" about people is if that data is aggregated and only the aggregation is kept. The collected raw data must be deleted.
The problem with that is that there's no way to know if a company is actually doing that. All we have to go by is what they say, and I think a strong argument can be made that we shouldn't believe what companies say just because they say it. Especially if those companies are the likes of Facebook.
So, as things currently stand, "anonymous data collection" is a misnomer and any time I see a company asserting they're doing such a thing, I think that company is lying. Or, maybe worse, deluding themselves.