Overview
“CNIL maintains a rigorous interpretation, despite the uncertainties at European level.”
The CNIL recently imposed a fine on a healthcare company for not properly anonymizing health data, mainly due to a lack of legal basis under the French Data Protection Act.
This decision highlights the ongoing legal uncertainties around data anonymization criteria, pending a major ruling from the Court of Justice of the European Union (CJEU). The key issue is whether isolating a unique data path constitutes re-identification, which would negate anonymization, or whether authorities must concretely demonstrate reasonable means to link this path to an individual’s identity. The severity of the fine raises questions about the viability of pursuing anonymization, despite its protective benefits for individuals, and suggests a need for a more incentivizing regime for highly pseudonymized data processing.
Lorraine Maisnier-Boché comments on this decision in a recent article for Communication, Commerce Electronique (Lexis 360 Intelligence).