undefined | Better HN

0 pointsdahart4y ago0 comments

Of course you can’t prove that some data cannot be de-anonymized unless there are duplicate entries. However, GDPR explicitly encourages anonymization, or “pseudonymization”, which therefore suggests that reasonable attempts to keep data generic are considered legal by this particular law. People have already pointed out that GDPR’s language here is too vague and makes bad assumptions about how identifying multiple quasi-identifiers can be.

0 comments

lmkg4y ago

GDPR encourages pseudonymization as a best practice, but also draws a sharp distinction between anonymous and pseudonymous data. Pseudonymous data is still personal data and subject to all other obligations under GDPR. Any data that's pseudonymous would still be subject to the deletion order.

dahartOP4y ago

I shouldn’t have mentioned pseudonymization, that wasn’t my point. It doesn’t change the fact that the law is vague and to some degree contradicts itself, suggesting that data can be anonymous. There is a real and actual overlap between anonymized data and personally identifiable data. The way the GDPR is written, it would be extremely difficult to prosecute someone for breach of data they had taken best practice steps to anonymize. The law wasn’t written to handle ML based de-anonymization. It also doesn’t help here that if you Google PII, the hundreds and hundreds of examples are things like name and address, nothing remotely close to anonymous yet identifiable.

j / k navigate · click thread line to collapse

0 pointsdahart4y ago0 comments

0 comments

lmkg4y ago

dahartOP4y ago

j / k navigate · click thread line to collapse