Flights and Rights: Anonymisation, Data-Matching and Privacy

March 1, 2004

One of the challenges posed by terrorism is how to catch terrorists without sacrificing democratic values. A promising tool is the use of data processing to correlate the large amounts of information collected by private industry, to help identify terrorists before they attack. But the use of such capabilities raises concerns about privacy and the possible misuse of the capabilities for illegitimate purposes.

The current debate between the United States and the European Union over the sharing of passenger information possessed by airlines and the adoption of the US Computer Assisted Passenger Pre-Screening (“CAPPS II”) system provides a good case study for anonymisation, because it implicates the EU Directive on data protection, arguably the most rigorous and broadly applicable standard for the protection of personal data in the world today.

I. Anonymous Data-Matching – A Possible Solution for Transfer of PNR Data?

The US and the EU over the last two years have engaged in difficult negotiations concerning the transfer of airline Passenger Name Record (PNR) data from EU airlines to the US government. The underlying problem is that the US would like to be able to search a large volume of PNR data for terrorism and other criminal suspects whom it has identified from a variety of intelligence sources. While specific information about individual suspects can be transferred to the US pursuant to an exception to the EU data protection laws, the US government would not want to reveal its list of terrorism suspects to the airlines but would prefer to compare its list against a list of all airline passengers. However, to do this, the US government would need access to all the PNR data, including data about ordinary passengers in whom the US has no law enforcement or national security interest. This creates a conflict between the legitimate needs of public safety and security, and the privacy rights of the EU citizens whose personal data may be disclosed.

A compromise allowing transfer of PNR data was reached between the US and EU in December 2003. However, the deal has generated extreme controversy in the European Parliament, and may yet be subject to withdrawal or modification.

Anonymisation of PNR data and anonymous data matching may present a more durable solution to the PNR problem, by permitting a list of passengers to be checked against a list of US government terrorism suspects without the airlines seeing the US list or the government seeing the airlines’ list. Anonymisation can be accomplished by cryptographic “hashing” that makes it computationally infeasible to tie particular PNR data to the individual to which the data relates (the “data subject”). To ensure that the data matching is truly “blind”, the anonymised data could be provided by each party to a trusted intermediary with no access to the original data. Only if there was a match would any personal data be provided to the US government. A properly designed anonymisation system would thus limit disclosures of personal data to the US to information about passengers who appear or are closely associated with individuals on the US list of suspects.

II. Key Restrictions on the Flow of Data from the European Union

The European Union’s Data Protection Directive 95/46/EC establishes rules regarding the protection of the “personal data” of EU citizens. The principal restrictions affecting the sharing of PNR data are the restrictions on the transfer of such data outside the EU and requirements on the collection and processing of personal data.

A. Transfers of Personal Data

Articles 25 and 26 of the Directive prescribe restrictions on the transfer of personal data to countries outside the EU. Data transfers to non-EU countries that do not offer an “adequate level of protection”[1] are permitted only on the basis of consent, a legal exemption (eg, on important public interest grounds), a binding contract protecting the exported data, or a similar binding arrangement, such as the EU-US Safe Harbor. However, the Safe Harbor is not broad enough to cover the PNR transfers.

B. Collection and Processing of Personal Data

Article 10 of the Directive requires the data controller to notify the data subject of certain information when collecting personal data, including the identity of the data controller, the purposes of the data processing, and categories of recipients of data. The Directive provides that any processing of personal data by data controllers (eg, airlines) must be lawful and fair to data subjects. Any data processing must be carried out with the “unambiguous consent” of the data subject or must be “necessary” on certain specific grounds (eg, performance of a binding contract, protection of the public interest, or the vital interests of the data subject) (Article 7). More stringent rules apply to the processing of “sensitive data” (eg, data revealing racial or ethnic origin, health, political opinions, religious or philosophical beliefs). Such data can only be processed with the data subject’s “explicit” consent or in specific circumstances, such as where the processing of data is mandated by employment law, or where it may be necessary to protect the vital interests of the data subject (Article 8).

III. Analysis

The usefulness of anonymisation and anonymous data matching as a technique for sharing PNR data while complying with the Directive depends on whether the Directive constrains the transfer or processing of anonymised data. In turn, this depends on whether anonymised data is still considered “personal data” under the Directive.

A. Scope of “Personal Data”

Anonymised data under the Directive. Article 2(a) of the Directive defines “personal data” as “any information relating to an identified or identifiable natural person.” An identifiable person is one “who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.” In other words, data that cannot be used to identify a particular individual is not “personal data.” Accordingly, once PNR data have been anonymised (ie stripped of all personal identifiers such that the data can no longer be used to identify the data subject), they are no longer “personal data” and thus are no longer subject to EU data protection restrictions.

This reasoning is confirmed by Recital 26 of the Directive, which states that “the principles of protection shall not apply to data rendered anonymous in such a way that the data subject is no longer identifiable”. Likewise, for example, the Spanish Data Protection Act does not restrict the processing of anonymised (or depersonalized) data.[2] A Legal Guidance document issued by the UK data protection authority provides that “whether or not data which have been stripped of all personal identifiers are personal data in the hands of a person to whom they are disclosed, will depend upon that person being in possession of, or likely to come into possession of, other information, which would enable that person to identify a living individual.” What matters to the UK authority, in other words, is the data controller’s ability to identify the data subject, not its intent to do so. The German Data Protection Act does not require elaborate technological guarantees against matching data with names. Nor does it take the strict view adopted by the UK authority that what matters is a controller’s ability to recombine the anonymised data. It provides that data may be freely processed where “the characteristics enabling information concerning personal or material circumstances to be attributed to an identified or identifiable individual” are “stored separately.”[3]

When are data “anonymised”? The difficult issue is whether and when data has been sufficiently “anonymised” to protect individual identities. While German and UK law places an emphasis on the separate storage of information capable together of identifying individuals, other EU Member laws make reference to whether a person in possession of anonymised data can with “reasonable efforts” identify a person. And the Directive states that “account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the said person” (Recital 26).

The strictest view, as taken by the UK Legal Guidance, suggests that, if a person possesses both the anonymised data and the original data, all of the data (even the anonymised data) remains personal data. Where this strict view prevails, it might be further argued that the transfer even of anonymised data by an entity that also holds the original data set is still subject to the EU cross-border data transfer restrictions. However, this is an unduly strict reading of the data transfer restrictions. In ordinary usage, the “transfer” of personal data connotes the combined acts of sending and receiving data. So, even if anonymised data remains “personal data” in the hands of the person that sends the data, there is no “transfer” of that data if no personal data are received by the entity at the other end of the line.

In short, even in jurisdictions that treat anonymised data as personal data while in the possession of entities that have the ability to “de-anonymise” the data, it is unlikely that those entities are “transferring” personal data when they convey the data to a party that cannot de-anonymize the data. Finally, even if this were viewed as a transfer of personal data, the anonymisation process could easily be tailored to eliminate any doubt, simply by using a trusted intermediate party. Thus the airlines could retain the original data set while giving anonymised data to an intermediary in the EU. Provided that the intermediary cannot access the original data set, the export of the anonymised data by the intermediary would not then be subject to the cross-border data transfer restrictions in the EU data protection laws.

B. Transferring Anonymised PNR

Because anonymised data in the hands of an intermediary are not “personal data,” anonymised data are not subject to the EU restrictions on transfers of such data to non-EU countries that do not provide adequate data protection. However, where the intermediary finds a “match” between data tied to a terrorism suspect, the US government may thus learn that a particular passenger has an important characteristic in common with someone on its terrorism suspect list. Whether this constitutes de-anonymisation is open to question, and one might well consider that the personal data of persons associated with terrorism suspects (and only terrorism suspects) has been transferred to the US government, at least if the transfer occurs directly.

That said, even extreme advocates of data protection would not argue that a nation could not be alerted by the airlines when a terrorism suspect gets on a plane bound for that nation. In such a case, personal data would ordinarily be transferable under the Directive pursuant to the “necessary . . . on important public interest grounds” exception to the restriction on transfers. Because only the US government has the ability to identify the terrorism suspects whose data has been matched, transfers to intermediaries do not transfer the personal data even of the terrorism suspects. Such transfers would thus seem to comply fully with EU law.

C. Anonymisation as Data “Processing”

Article 2(b) of the Directive defines data “processing” as “any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.” This broad definition suggests that anonymisation, because it involves “alteration” or “erasure or destruction” of data may be data “processing” under the Directive. If the process of anonymisation is itself data “processing” under the Directive, then anonymisation is permissible only with the data subject’s “unambiguous consent” or where it is “necessary” in the ways described in Section II above. However, it seems odd to impose the notice and consent requirements on anonymisation – a measure designed to increase the protection offered to personal data. Indeed, the UK Court of Appeal has expressed a view that the Directive should be construed purposively so that “anonymisation” is not considered “processing” under the Data Protection Act. [4]

Even if anonymisation constituted “processing of personal data,” there is an argument that no additional notice or consent is required before such processing can take place, because anonymisation enhances protection of the data subject’s personal data, and helps to comply with the obligation not to transfer personal data to non-EU countries without adequate safeguards. Data processing for security involves many steps that could be described separately, but there is no reason to think that the company must obtain a separate consent for each step in the electronic process. This is particularly true in the case of measures, such as encryption or anonymisation, designed to protect the passenger’s personal data.

In addition, anonymisation is arguably within the exception under Article 7 of the Directive for processing “necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed.” Here, the legitimate interests are the security of the data as well as the security and law enforcement interests of the US and EU governments, the airlines, and the passengers themselves.

Finally, sensitive data (such as information about a person’s religion, ethnicity or health) are not routinely gathered in PNR data, it might be argued that such data could be inferred from a passenger’s dietary preferences or wheelchair requests. However, it is reasonable to conclude that the very act of requesting a particular type of meal or a wheelchair includes an explicit consent to the use of that information on an electronic network.

IV. Conclusion

Modern data processing technology is a promising tool for combating terrorism while protecting the privacy of ordinary citizens. By securely anonymizing personal data before it is matched by an intermediary, relevant data about suspected terrorists can be shared while fully complying with the EU’s strict privacy protections. This technique may also provide a means for privacy-compliant data transfers and processing in a variety of other contexts.

Stewart Baker, Maury Shenk and Kees Kuilwijk are partners, and Winnie Chang and Daniel Mah are associates, in the Washington, DC (Baker and Mah) and Brussels (Kuilwijk) offices of law firm Steptoe & Johnson LLP and its UK affiliate Steptoe & Johnson (Shenk and Chang).

[1] The European Commission has so far recognized Switzerland, Hungary, Canada and Argentina as providing adequate data protection.

[2] See Spanish Data Protection Act, Arts. 3 and 11.

[3] German Data Protection Act, Sec. 30(1).

[4] See R. v. Department of Health, ex parte Source Informatics Ltd.[2001] Q.B. 424.

Stewart Baker

Maury Shenk

Kees Kuilwijk

Winnie Chang

Daniel Mah