Legally Anonymizing Location Data Under the GDPR
Cameron D. Bale(a),(*), Jordan L Fischer(b), Matthew J. Schneider(a), Steven Weber(c), Suzanne Chang(b)
Transactions on Data Privacy 17:1 (2024) 1 - 30
(a) Lebow College of Business, Drexel University, Philadelphia, PA 19104, USA.
(b) Thomas R. Kline School of Law, Drexel University, Philadelphia, PA 19104, USA.
(c) Electrical and Computer Engineering, Drexel University, Philadelphia, PA 19104, USA.
e-mail:cdb327 @drexel.edu; jordan @jordanfischer.me; mjs624 @drexel.edu; spw26 @drexel.edu; sc3887 @drexel.edu
Abstract
In the last decade, different countries adopted data protection legislation to govern the collection and processing of personal data. Most of these legislative frameworks recognize that data can either be personal or non-personal. However, there is a lack of definitive criteria for when personal data has become non-personal data, as well as an understanding of the consequences of applying such criteria to the usefulness of personal data. This uncertainty creates confusion as to whether organizations can comply with privacy laws while retaining the usefulness of personal data. To address this problem, we use the existing data privacy literature to provide reasonable interpretations of legal anonymization criteria for location data under the GDPR. We apply these criteria to two reasonable anonymization solutions that produce protected person-level data. Using location data of COVID-19 patients in South Korea, we find that these solutions can produce legally anonymous location data or useful data, but not both. Further, we highlight examples of developing more sophisticated data protection solutions to better balance the tradeoff between privacy and usefulness for contextual data sets.