A Quantitative Approach to the GDPR’s Anonymization and Pseudonymization Tests

Nils Holzenberger and Winston Maxwell
Additional contact information
Nils Holzenberger: DIG - Data, Intelligence and Graphs - LTCI - Laboratoire Traitement et Communication de l'Information - IMT - Institut Mines-Télécom [Paris] - Télécom Paris - IMT - Institut Mines-Télécom [Paris] - IP Paris - Institut Polytechnique de Paris, INFRES - Département Informatique et Réseaux - Télécom ParisTech
Winston Maxwell: NOS - Numérique, Organisation et Société - I3 SES - Institut interdisciplinaire de l’innovation de Telecom Paris - Télécom Paris - IMT - Institut Mines-Télécom [Paris] - IP Paris - Institut Polytechnique de Paris - I3 - Institut interdisciplinaire de l’innovation - CNRS - Centre National de la Recherche Scientifique, SES - Département Sciences Economiques et Sociales - Télécom Paris - IMT - Institut Mines-Télécom [Paris] - IP Paris - Institut Polytechnique de Paris

Working Papers from HAL

Abstract: This article examines two tests from the European General Data Protection Regulation (GDPR): (1) the test for full anonymisation (the "anonymisation test"), and (2) the test for applying "appropriate technical measures" to protect personal data when full anonymisation is not achieved (the "pseudonymisation test"). Both tests depend on vague legal standards and have given rise to legal disputes and differing interpretations among data protection authorities and courts, including in the context of machine learning. Under the anonymisation test, data are sufficiently anonymised when they are immune from re-identification by an attacker using "all means reasonably likely to be used". Under the pseudonymisation test, technical measures to protect personal data that are not anonymised must be "appropriate" with regard to the risks of data loss. Here, we use methods from law and economics to transform these qualitative tests into quantitative tests: we take a risk-management approach and put forward a mathematical formalization of the GDPR's criteria, to supplement existing qualitative approaches. We chart different attack efforts and re-identification probabilities, and propose this as a methodology to help stakeholders discuss whether data are sufficiently anonymised to satisfy the GDPR anonymisation test, or alternatively, whether pseudonymisation efforts are "appropriate" under the GDPR. The resulting graphs can help stakeholders decide whether the anonymisation test is fulfilled, and discuss the use of Privacy-Enhancing Technologies necessary to pass the pseudonymisation test. We apply our proposed framework to several scenarios, applying the anonymisation test to a Large Language Model, and the pseudonymisation test to a database protected with differential privacy.

Keywords: Differential Privacy; European General Data Protection Regulation; Privacy-Enhancing Technology; Anonymisation; Pseudonymisation; Personal data; Machine learning
Date: 2025-06-16

Persistent link: https://EconPapers.repec.org/RePEc:hal:wpaper:hal-05114619

DOI: 10.2139/ssrn.5162461

Bibliographic data for series maintained by CCSD.

 
Page updated 2025-06-24
Handle: RePEc:hal:wpaper:hal-05114619