Telefónica is fully committed to protecting the privacy and personal data of its customers and considers that all privacy issues should be carefully assessed when launching new data-centric products. Contrary to what appears to be the prevailing opinion in some quarters, we also believe that there is no contradiction between the protection of customers’ privacy and the development of new products and services. This should be the real aspiration of any data protection legislation in a Digital Europe: to create a set of norms that protects the real concerns of European citizens without precluding the same citizens from benefiting from the innovation that will inevitably characterize our data-centric digital future.
That is why Telefónica is so concerned about some of the issues that are currently being debated in relation to the proposed EU Regulation. Most of these proposals do not really add any substantial value to our customers’ privacy. They rely on misunderstood concepts and impose over-prescriptive obligations that do not address the real issues surrounding customer trust and confidence.
Trust is the key to building a Digital Europe. This is the real challenge for any industry seeking to develop data-centric services, and for any legislator that is assessing the regulation of this nascent industry.
However, trust does not necessarily imply imposing a set of complicated and strict rules; it is a matter of meaningful transparency and letting the industry and users build confidence upon a clear, simple and reasonable norm.
Telefónica’s proposals are aimed at one simple goal: to protect what really needs to be protected in the field of our customers’ privacy. To this end, we have chosen one of the most critical issues, one that is currently steering the debate away from the central issue of trust and towards a risky and unreasonable regime that would slow down innovation. In particular, we are referring to the definitions of personal and anonymous data and, most notably, the newly proposed definitions of “pseudonymous data”.
Telefónica firmly believes that the whole debate around “pseudonyms” is highly misleading.
The concept of personal data should not be extended to data that cannot ultimately be used to identify an individual. The fact that data allows an individual to be singled out should not be sufficient to qualify that information as “personal data” if it is impossible (using reasonable means) to attach a real identity (i.e. a name and a surname) to the singled-out individual.
Including a new definition of pseudonymous data will have two main negative outcomes:
- First, it will reduce the ability of our society to create, and therefore benefit from new digital products and services.
- Secondly, and most critically, expanding the scope of the regulation to this data would automatically result in significant confusion for citizens. How can someone understand the “true” level of protection that should be attributed to their privacy if all their information is treated as personal (and therefore subject to the regulation)? If we adopt this approach, customers will routinely be asked, for example, to provide their consent for the processing of data that is of no real significance to them (as they are not personal data) and whose processing does not pose any harm to their privacy (like pseudonymous data). In that case, the routine ticking of dozens of boxes will result in customers being unable to properly assess the importance of their choice. This confusion will ultimately lead to a loss of confidence and trust in the services that are critical in our journey to create a Digital Europe.
Telefónica therefore believes that there is no need to create a new category of “pseudonymous data”, as it will only create more confusion for citizens and more legal uncertainty for the industry and the authorities.
Taking into account the current state of discussion in Brussels, we would accept a compromise proposal that, on the one hand, categorically excludes a definition of pseudonymous data from the legal text and, on the other, includes an intermediate approach to pseudonymisation in the following sense: the regulatory text itself would contemplate pseudonymisation as a process that could generate two different results:
- Anonymous data, when there is no link with the personal substrate, that is, when pseudonymisation generates anonymous data. This is the obvious case, and it is therefore undoubtedly excluded from the scope of the future Regulation.
- Retraceably pseudonymised data, when the pseudonymisation process results in data that can be re-identified by indirect means. In this case, technical de-identification measures and administrative and legal safeguards should be put in place that make re-identification unlikely (e.g. data security policies, access limits, data segregation guidelines, penalties for contractual breaches, auditing for ensuring compliance, etc.).
In other words, pseudonymisation is a process that can generate pseudonymous data or anonymous data, depending on a number of factors, such as access to the encryption key or the other data sources available. For example, when a third party does not have access to the hash process, the data should be considered anonymous even though pseudonymisation was used.
Antonio Muñoz Marcos, Digital Regulation Counsel. Business Affairs. Telefónica Digital.