A Quantitative Approach to the GDPR’s Anonymization and Pseudonymization Tests

This article examines two tests from the European General Data Protection Regulation (GDPR): (1) the test for full anonymisation (the "anonymisation test"), and (2) the test for applying "appropriate technical measures" to protect personal data when full anonymisation is not achieved (the "pseudonymisation test"). Both tests depend on vague legal standards and have given rise to legal disputes and differing interpretations among data protection authorities and courts, including in the context of machine learning. Under the anonymisation test, data are sufficiently anonymised when they are immune from re-identification by an attacker using "all means reasonably likely to be used". Under the pseudonymisation test, technical measures to protect personal data that are not anonymised must be "appropriate" with regard to the risks of data loss. Here, we use methods from law and economics to transform these qualitative tests into quantitative tests: we take a risk-management approach and put forward a mathematical formalization of the GDPR's criteria, to supplement existing qualitative approaches. We chart different attack efforts and re-identification probabilities, and propose this as a methodology to help stakeholders discuss whether data are sufficiently anonymised to satisfy the GDPR anonymisation test, or alternatively, whether pseudonymisation efforts are "appropriate" under the GDPR. The resulting graphs can help stakeholders decide whether the anonymisation test is fulfilled, and discuss the use of Privacy-Enhancing Technologies necessary to pass the pseudonymisation test. We apply our proposed framework to several scenarios, applying the anonymisation test to a Large Language Model, and the pseudonymisation test to a database protected with differential privacy.