As anonymisation of data appears to be the main method for escaping the restrictive regime of the General Data Protection Regulation, it’s worthwhile for data processors to be aware of the risks they may be exposed to if this is not done properly or the data can be traced back to specific people. Should firms applying artificial intelligence to anonymised data expect to be held liable when it turns out that the data they are using have not been permanently anonymised but have only been given a pseudonym (a reversible operation)?
Although the GDPR does not expressly address this situation, it does provide certain general rules of liability that can be applied to identify risks connected with improper anonymisation of data. First, the regulation establishes civil liability, which in practice will mean paying damages to persons who have suffered an injury because their data were not properly anonymised. Alongside this liability, the GDPR provides for administrative fines, with high potential monetary sanctions.
This is a different protective model than in the case of confidential information. In the case of trade secrets revealed through reverse engineering, under Polish law the undertaking that was in possession of the information but failed to prevent disclosure bears only a business risk, and legal liability (for commission of an act of unfair competition) is imposed on the person who disclosed the data (although this view is not universally accepted). However, in the case of personal data, liability for disclosure through “reverse identification” can be imposed on the person making the disclosure as well as the person who was in possession of the data.
Art. 4(1) GDPR defines personal data as “information relating to an identified or identifiable natural person.” Thus, proper anonymisation of data, resulting in removal of the data from the scope of the GDPR regime, requires that the data no longer identify the data subject or enable identification of the data subject. This raises the question whether it is sufficient that the data subject cannot be identified by the data controller or the person to whom the data have been transferred (narrow interpretation), or whether it is necessary that no one could identify the data subject (broad interpretation).
Although the text of the GDPR does not answer this question, point 26 of the preamble supports a broad interpretation by referring to means used “either by the controller or by another person to identify the natural person directly or indirectly.” This interpretation is also supported by the fact that anonymised data cease to be protected by the GDPR not only with respect to data controllers, but anyone at all. Because no one is required to comply with the GDPR rules when processing anonymous data, it is essential that no one could trace the data back to specific individuals.
This approach means in practice that a firm using anonymised data should first assess not only whether the firm itself is capable of using the data to identify the data subjects, but also whether anyone else would be capable of doing so. Recital 26 refers to “all the means reasonably likely to be used,” and thus the cost, time and technology required for the use of any particular means of identifying data subjects must be considered.
Consequently, even if solutions enabling identification of data subjects theoretically exist, the anonymisation should be regarded as effective if they would be excessively costly or time-consuming to apply. But attempted anonymisation will give rise to a risk of liability when the anonymisation can be evaded through widely available technology. This suggests that the protection of specific data should be reassessed over time. This is also indicated by the reference in recital 26 of the GDPR to “technological developments.” It may turn out that means of reverse engineering that were unavailable or excessively difficult at the time the data were anonymised become “reasonably likely to be used” as technology progresses, and thus with time the anonymisation can cease to be effective and expose the controller of the data to potential fines and claims for damages.
Art. 79 GDPR provides data subjects with a right to an effective judicial remedy against a controller or processor but does not mention third parties unlawfully exploiting data from a controller or processor. There are no legal grounds at the EU level for civil liability for unlawful processing of data “recovered” after failed anonymisation. Art. 78 of the Polish bill supplementing the GDPR provides, however, that not only a data controller, but any person who violates rights arising under data protection regulations, must face claims to cease and desist an infringement and to “perform actions necessary to remove the consequences of the infringement.” The bill does not expressly refer to damages, but it should not be ruled out that persons whose data have been incorrectly anonymised may demand payment of money to cure the effects of the infringement.
It may be assumed that in connection with the need to prove the damage actually suffered (or the consequences of the infringement which are to be removed), the threat of damages will not arise so much from the incorrect anonymisation as such, but only when this enables re-identification of the data subject and actually results in such identification. With respect to the total damages that could be obtained, that depends on the initiative of the parties. Any person whose rights under the GDPR are violated will be entitled to seek a remedy in court.
Clearly, no claim for damages may be commenced at the court’s own initiative, but it cannot be ruled out that such claims might be initiated by prosecutors or county (municipal) consumer ombudsmen. Class actions could also be used, although under the current state of the law there are no special advantages for pursuing claims under this procedure for infringement of the GDPR. The class of plaintiffs seeking damages would have to demonstrate a contractual basis for their claims, or lacking that would have to prove the infringer’s culpability (i.e. tort liability).
The amount of specific awards of damages will depend on the scale of the detriment actually suffered by the individual plaintiff. The multimillion-dollar awards familiar from Hollywood movies can be safely excluded so long as Polish law rejects the notion of punitive damages, i.e. damages exceeding what is required to compensate for the plaintiff’s actual loss but also intended to punish the tortfeasor.
Nonetheless, the risk of significant damages cannot be ruled out, insofar as plaintiffs can claim damages not only for material loss, in the form of a detriment to specific assets or loss of future earnings, but also for non-material (personal) injury. The latter is by its nature hard to value precisely, leaving greater leeway to the court. This discretion is not limited by the GDPR itself. Recital 146 calls for courts considering claims for compensation to interpret the concept of “damage” broadly, fully reflecting the objectives of the regulation.
The authorities of the member states supervising enforcement of the GDPR will also enjoy expanded discretion. The GDPR provides for penalties as high as 4% of the total worldwide annual turnover of an undertaking violating the regulation (or up to EUR 20 million in the case of infringers other than undertakings). But when calculating the amount of the sanction within this broad range, the supervisory authority must consider a list of grounds that is more expansive than in the case of fines imposed under Poland’s Administrative Procedure Code.
Aggravating factors justifying higher fines will include for example a large number of injured parties suffering significant damage, as well as previous data protection infringements. Mitigating factors could include lack of culpability in the infringement, measures taken to limit the damage caused by the infringement, and voluntary notification of the supervisory authority. There is no exhaustive list of factors, making it difficult to prepare a preventive strategy for minimising the potential fine.
Apart from fines, the supervisory authority will also have a range of corrective powers at its disposal, in particular orders to bring processing operations into compliance with the regulation, to notify data subjects of an infringement, and to impose a temporary or definitive limitation including a ban on processing of data. In the event of non-compliance with these measures, the maximum fines may be imposed.
Such fines should be expected to be imposed primarily on data controllers, although sanctions for certain infringements may be imposed on anyone. Recital 74 indicates that one of the aims for adopting the regulation was to establish the responsibility and liability of the controller for any processing of personal data carried out by the controller or on the controller’s behalf. Meanwhile, Art. 83 GDPR, which is the basis for imposing administrative fines, expressly indicates which fines apply to controllers and processors, which to certification bodies, and which to monitoring bodies.
But the GDPR does not provide any subjective limitations with respect to infringements of the rights of data subjects and basic principles for processing of personal data. These principles would be involved not only in a ban on transfers of personal data, which would occur if a controller provided data to a third party enabling re-identification of the data subjects, but also in the very process of reverse identification as well as any subsequent processing of such data.
The list of infringements which the data controller can be responsible for is thus broader than those for which a third party can be responsible. But if the data are susceptible to reverse identification, they regain the character of personal data, and a third party obtaining them from the controller automatically becomes an unlawful processor of the data. Thus even if the third party is not held responsible for incorrect anonymisation of the data, it will be exposed to fines at the same level as the data controller for processing the data.