zlacker

>>zoobab+(OP)
If they can pick out individuals from the data, then the data is not anonymized. Sure they may have unassociated data spread across unassociated records, but if an algorithm can pick it out, then so could a human (though way more effort). That for me is not anonymized data.

>>Zenst+Jb
> That for me is not anonymized data.

What matters is that this is what most online companies (and their terms of service) would call anonymized data.

>>Alexan+Ic
If they operate in Europe then I am pretty sure that the GDPR legislation is pretty straight forward here. If you can de-anonymize the data then it is by definition not anonymized.

>>q-base+qe
That seems correct.

From an article on the subject:

>Recital 26 of the GDPR defines anonymized data as “data rendered anonymous in such a way that the data subject is not or no longer identifiable.” Although circular, this definition emphasizes that anonymized data must be stripped of any identifiable information, making it impossible to derive insights on a discreet individual, even by the party that is responsible for the anonymization.

>>Shaani+Jg
it is not clear to me if this covers re-identifying.

>>shusso+ii
I'd say that is pretty clear-cut with "making it impossible to derive insights on a discreet individual"

If it is possible, it's not anonymous per GDPR's definition and that is what counts.

>>Zenst+Am
> "making it impossible to derive insights on a discreet individual"

doesn't clarify how much information you already have about the individual. There is a distinction between being able to identify someone without any prior knowledge about them vs re-identifying them. I don't think the GDPR is clear about that.

>>shusso+bs
Interesting - would an example of what you outline be say a digital voice recording. Which, unless you know who is in the recording, you have no way to associate that digital data with an individual.

Would that example fall within the remit you outline and as such - skirt the whole GDPR aspect?