What's the deal with rules and regulations surrounding anonymous data in the new EU GDPR? Prof Dr Christoph Bauer and Dr Frank Eickmeier (both pictured), ePrivacy GmbH explain for ExchangeWire what the GDPR states and how it can be interpreted and implemented within the online marketing industry.

The EU GDPR contains numerous provisions that have practical ramifications for online marketing companies across Europe, as well as for companies outside of the EU. Under the existing law, many business models are based on anonymous data. Therefore, a lot of companies now face the question as to whether their data is still anonymous data under the GDPR and, if yes, how it can be used.

Under current law, if there are online marketing models, which only use and process anonymous data, then these models do not fall under the data protection laws. This is the advantage of anonymous data in the online marketing industry. On the other hand, if personal data is used in online marketing models, then these models require a prior consent of users, which often does not exist.

Prof Dr Christoph Bauer, ePrivacy

From a data protection perspective, the question arises whether the processes described are allowable with respect to data protection law within the GDPR’s scope of application. Therefore, it is of utmost economic importance for the online marketing industry to answer the question: how do online identifiers like IDFA, Google Advertiser ID, cookie IDs etc, have to be evaluated regarding the data protection law? If they are anonymous – and this is currently the standpoint of a lot of companies in the online marketing industry – then these online identifiers could be used within online marketing without separate user consent. For this reason, many companies in the industry today argue that a lot of online marketing models, especially the use of online identifiers, are anonymous data as the companies cannot identify a person using these identifiers.

Now, under the new GDPR, there is the question whether this position can be sustained. It is stated quite often that, under the GDPR, there is no more anonymous data. The discussion around whether online identifiers are personal data or not should now be cleared as the legal bodies put a new definition of personal data in Art. 4 of the GDPR. This article states that online identifiers are always personal data. Is it, therefore, right that a lot of people have the opinion that there will be no more anonymous data with the GDPR? The answer to this questions is not absolutely clear: the GDPR still highlights this law must only be applied if personal data is used, but not when there is anonymous data.

Dr Frank Eickmeier, ePrivacy

Recital 26 unambiguously states: “The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes.”

In this respect, the question whether the above mentioned processing of online identifiers, as, e.g., Advertising IDs, etc, has to be classified as a processing of personal data still remains unchanged.

This is because, from an advertiser or online marketing company point of view, it is still the case – as it was before – that they cannot determine at all, or only with disproportionately high effort, which natural person is behind the online identifier in question. The new Article 4 GDPR seems to imply that online identifiers are supposed to be classified as personal data. However, several places in the recitals suggest that not every online identifier is automatically classified as personal data.

In that regard, Recital 30 states: “Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.”

However, the wording of this recital also makes it clear that an online identifier "may" leave such traces. However, it is precisely this wording, "may", which makes it clear that there may be cases in which online identifiers do not leave such traces.

Thus, the GDPR clarifies that, in the same way as before, there may still be online identifiers that actually shouldn’t be classified as personal data, but which are anonymous. Therefore, there is much to support the view that online identifiers, like IDFA and Google Advertiser ID, can be anonymous, especially looking at recital 30. Consequently, the question must be decided on a case-by-case basis and looked at separately in a detailed evaluation, whether the respective online identifier, possibly in combination with other data, can be used to re-identify a person. However, if an online identifier cannot be used to build a profile of a natural person or to identify the person, then this identifier stays anonymous. In this last case, the GDPR is not to be applied as it does not cover anonymous data.

As a consequence of this conclusion for the online marketing industry, it is expected that companies want to find ways to possibly generate and use anonymous data.