For deidentification under the traditional laws like HIPAA, removal of identifiers qualifies.
That was a key facet of what I discussed last week on an anonymization panel during the IAPP Europe Data Protection Congress 2022 in Brussels. Katharina Koerner, Frank Pallas and Christian Zimmermann joined me on the panel.
Here are some of the key points:
Under the new US laws (CPRA, CPA, VCDPA, CTDPA, UCPA and ADPPA) Deidentification is GDPR anonymization+.You need to get the information to be such that it “cannot reasonably be used to infer information about, or otherwise be linked to, a particular consumer.”But also, you must:Take reasonable measures to ensure that the information cannot be associated with a consumer or household.Publicly commit to maintain and use the information in deidentified form and not attempt to reidentify the information.Contractually obligate any recipients of the information to comply with all provisions of this subdivision. Like under GDPR, if information is deidentified, it is no longer personal information and out of scope for the laws.Like under GDPR, you are not required to collect more data than you need just in order to be able to respond to consumer requests. Indeed, if you can’t identify the person, you don’t need to respond (similar to Art 11 GDPR).Per European Data Protection Board guidance and the UK ICO’s new guide on anonymization, anonymization is a data processing and thus subject to all the requirements like: legal basis, fair and lawful, transparency and accountability.Transparency should be real. You must explain:Why