Anonymization is used to mean different things in different communities (e.g. legal and technical) and in different jurisdictions (e.g. EU and US). In the EU, ‘anonymous information’ is defined in Recital 26 of the GDPR and is out of the remit of data protection law.

To be considered anonymous, it must not be possible to identify an individual using any means reasonably likely to be used. This is assessed in terms of linkability, singling out, and inference. As such, within the EU, evaluating whether or not data is anonymous is a risk based evaluation, with anonymization being defined as a risk threshold (unlike elsewhere). Different countries within the EU use both different ways of evaluating the threshold and different thresholds, and so there can be disagreement about what is or is not anonymous. In the US, ‘anonymous’ does not have the same legal significance, and is often used in the same way the term pseudonymous is used in the EU. Outside of the EU and US other definitions are also used.

Return to glossary

Share this post

Previous post

Aggregate Data

Next post

Big Data