Pseudonymization and impacts of Big (personal/anonymous) Data processing in the transition from the Directive 95/46/EC to the new EU General Data Protection Regulation

In order to carry out the so-called “Big Data analysis”, the collection of personal data seems to be inevitable. The opportunities arising from the analysis of such information need to be balanced with the risks for the data protection of individuals. In this sense, the anonymization technique might be a solution, but it seems to be inappropriate in certain circumstances, among which Big Data processing can be included. In fact, anonymization has a high degree of uncontrollability of the impacts of profiling directed to individual targets whose data has been anonymized. In this sense, pseudonymization can be used both to reduce the risks of reidentification and help data controllers and processors to respect their personal data protection obligations by keeping control over their activities. On the one hand, pseudonymization ensures the capability to reconstruct the processes of identity masking, by allowing re-identification. On the other hand the accountability of the data controller and data processor is guaranteed, thanks to the fact that there will always be a person who can re-identify subjects included in a cluster, acting as a “data keeper”.