Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

France: CNIL issues guidance on anonymisation of personal data

The French data protection authority ('CNIL') issued, on 19 May 2020, guidance ('the Guidance') on the anonymisation of personal data. In particular, the Guidance outlines different anonymisation techniques and distinguishes between pseudonymisation and anonymisation. Moreover, the Guidance highlights that to build an anonymisation process, it is advisable to identify the information to be kept according to its relevance, to remove the elements of direct identification as well as the data ​​which could allow an easy re-identification of the persons, to distinguish important information from secondary or useless information which can be deleted, and to define the ideal and acceptable granularity of each piece of data stored.

Furthermore, the Guidance outlines that individualisation, correlation, and inference are the criteria by which a data set can be assessed as being truly anonymous. In this regard, the Guidance notes that individualisation requires that an individual cannot be isolated within a data set, correlation requires that it is impossible to link separate sets of data concerning the same individual, and inference requires that it is impossible to infer new information about an individual. The Guidance further highlights that if these three criteria are not fully met, the data controller who wishes to anonymise a data set must demonstrate, via an in-depth assessment of the identification risks, that the risk of re-identification with reasonable means is zero. 

Finally, the Guidance remarks that if a dataset published online as 'anonymous' actually contains personal data, and none of the exceptions mentioned in Article L.312-1-2 of the Decree No. 2018-1117 of 10 December 2018 relating to the categories of administrative documents that can be made public without being the subject of an anonymisation process is not applicable, then such publication will be considered a data breach.

You can read the Guidance, only available in French, here.