Last November, the European Commission published the Digital Omnibus, a set of proposals that threaten to undermine a range of important digital rights. In this article, we take a closer look at what the proposed legislative changes entail.
The European Commission proposes that pseudonymized data should no longer be considered personal data. This would mean that the General Data Protection Regulation (GDPR) would no longer apply. This is already the case for anonymized personal data, but the difference is that anonymized data does not contain a key that can be used to trace the data back to the individual. With pseudonymized personal data, that key does exist. Anyone who has this key can use pseudonymized encrypted personal data to identify the person in question. That is why data protection is important.
In recent years, large-scale data collection and technological developments have made it increasingly easy to link data. By combining different data sources, it is possible to trace anonymized data back to a specific person. Take travel data, for example. Someone who always takes the same route from home to work can be traced fairly easily. High standards are therefore set for anonymization, taking into account the possibility that someone may still be traceable. The European Commission is now completely ignoring this by wanting to exclude pseudonymization from the GDPR. This has major consequences for citizens, because encrypted data is processed on a large scale. However, safeguards must now be put in place to protect the data, taking into account the possibility that data can still be traced back to an individual. With this proposal, all safeguards disappear.
