The Federal Trade Commission (FTC) reiterated its long-held view that hashing or pseudonymizing identifiers does not render data anonymous, in a post to its Technology Blog on July 24, 2024....more
The Federal Trade Commission (FTC) has a long-standing habit of creating legal obligations through blog posts. Recent communications from the FTC by way of its Office of Technology Blog evidence an aggressive expectation...more
Learning Objectives: - Understand the methods for de-identification - Learn about the differences between anonymization, de-identification, and pseudonymization - Understand what “potential for re-identification”...more
In Frank Curry and FOIABuddy v. South Western School District, AP 2024-1311, a school district (“District”) received a request for records related to IT operations, contracts, staff, and IT budget from Frank Curry and...more
On January 30, 2024, the Brazilian Data Protection Authority ("ANPD") released its guide on data anonymization and pseudonymization, including a preliminary studies on the topic (the “Preliminary Study”), for public...more
As we’ve written about before, the question of anonymization can be tricky. When is something “anonymized” or merely “de-identified” or “pseudonymous” — and when does it matter? This is a particularly fraught issue under...more
For deidentification under the traditional laws like HIPAA, removal of identifiers qualifies. That was a key facet of what I discussed last week on an anonymization panel during the IAPP Europe Data Protection Congress...more
Areas of interest include anonymisation, “recognised legitimate interests”, and the ICO’s role. The UK Data Protection and Digital Information Bill (the Bill) sets out the government’s proposals for reforming the current...more
The UK government set out its detailed proposals for data protection reform on 18 July 2022 in the form of the Data Protection and Digital Information Bill. Compared with some of the radical ideas in the 2021 public...more
On July 8, 2022, following the Supreme Court’s decision in Dobbs, the president signed an executive order that called on a number of federal agencies to take steps to protect reproductive rights. He specifically asked the...more
What does the United Kingdom's Information Commissioner's Office's draft guidance say about governance and anonymization? Why is it important for GDPR and for the host of new US Privacy laws, including CPRA, CDPA and CPA? ...more
The UK’s Information Commissioner’s Office (ICO) has issued guidance on pseudonymisation. Here are some key points: What is it? At a basic level, pseudonymisation starts with a single input (the original data) and...more
On November 1, 2021, the Personal Information Protection Law of the People’s Republic of China (the “PRC”) (the “Personal Information Protection Law”) went into effect, two months after the Data Security Law of the PRC (the...more
This article is the second in a multi-part series covering concepts that can be applied to your company’s process for managing privacy rights requests, as required by various modern privacy laws. The first article in this...more
The United Kingdom’s Information Commissioner’s Office has released the second chapter in its anonymization guide for public comment. Here are some key points: An effective anonymization process seeks to reduce the...more
Personal data (PD) protection is becoming the main topic of the recent days, so the Russian legislation in this sphere changes rapidly. The article represents an overview of updates on personal data regulation for the 3rd...more
The Standing Committee of China’s National People’s Congress on October 21 released the draft Personal Information (PI) Protection Law (the Draft Law) for public comments through November 19. It consists of 70 articles across...more
Join the ACEDS Benelux Chapter for a unique panel discussion and networking event for everyone interested in eDiscovery. A panel of experts will discuss developments in the eDiscovery world that we can expect in 2020....more
Report on Supply Chain Compliance 3, no. 4 (February 20, 2020) - The Information Commissioner’s Office fined DSG Retail Limited (DSG) 500,00 British pounds after an investigation discovered a data breach involving the...more
The German Federal Commissioner for Data Protection and Freedom of Information (BfDI) recently announced a public consultation process regarding anonymization under the European Union General Data Protection Regulation (GDPR)...more
Research participants must identify which data sets constitute personal data to ensure compliance with the GDPR. The UK Medical Research Council (MRC) has published a useful guidance note on the identifiability,...more
Maybe. “Tokenization” refers to the process by which you replace one value (e.g., a credit card number) with another value that would have “reduced usefulness” for an unauthorized party (e.g., a random value used to...more
Maybe. “Salting” refers to the insertion of a random value (e.g., a number or a letter) into personal data before that data is hashed. Whether personal information that has undergone salting and hashing is still...more
The EU General Data Protection Regulation (GDPR) regulates the use of personal data collected from European data subjects, including activities of non-European companies that target or process European data subject personal...more
Anonymisation has always been (and still is) a real challenge for those carrying out clinical research. To shed some light on this matter, the Medical Research Council (MCR) – which is part of UK Research and Innovation – has...more