Effective security nowadays often relies on large scale collection and analysis of data, in order to proactively detect anomalous behaviour that could be indicative of malicious activity. At the same time, that collection and analysis can be challenging from a privacy and data protection perspective, especially in the EU market where citizens benefit from a relatively demanding legal framework for data protection.
Anonymisation and pseudonymization are two potential techniques that can mitigate data protection risks, but they can be notoriously hard to do correctly. A recent ruling from the EU General Court however potentially sheds some light on these concepts, and may open up some new avenues to deploy innovative data analytics in energy data spaces.
In order to detect risks and possible attacks on the basis of data analytics, access is needed to a sufficiently large dataset, that can be monitored and evaluated over time. This is true for virtually any industry, and the European energy sector is no exception. From a privacy and data protection perspective however, this can be challenging. European legislation contains specific safeguards towards the collection and use of so-called personal data – data that can be linked to an individual. Energy data, especially at the household level, can fall within this category, since it is often collected and analysed by a company that can link the original data to a customer or subscriber.
While this is not a dealbreaker for effective analytics, it does imply additional compliance work, especially when using a third party service provider to analyse the data. If that data qualifies as personal data, a data processing agreement should be concluded with the analyst that complies with EU data protection law, security requirements must be contractually defined, and other formalities may be needed, such as the completion of a data protection impact assessment and the oversight of a data protection officer.
Anonymisation and pseudonymization can be used to mitigate or eliminate this challenge. Anonymisation implies that the data is modified in such a way that it cannot reasonably be linked back to an individual person – thus ensuring that there no longer is a reasonable data protection risk. EU data protection law does not apply to anonymous data. When data is modified in such a way that it can only be linked with the assistance of a third party (e.g. by replacing directly identifiable data such as names and customer IDs with meaningless numbers), it is considered pseudonymized instead, and while the risk is lower, data protection law continues to apply.
Anonymisation is clearly the preferred option – but it is also notoriously hard to do correctly without destroying much of the value of the data. Quite often, seemingly anonymous data can still be linked back to an individual, e.g. when the current holder of the data set obtains the cooperation of the holder of the original (non-anonymous) data set. If that cooperation is reasonably likely, the data set is not anonymous, and EU data protection law applies.
In a recent decision issued on 26 April 2023, the European General Court issued a new ruling that’s been widely seen as an enabler to effective anonymisation. The case related to a situation where an EU body shared an anonymised data set with a consultant for further analysis. A complaint was filed, noting that this violated EU data protection law, because the EU body could still easily identify the individual persons in the data set, and therefore that the data set was not anonymous. The Court ruled however that, to determine whether the dataset was anonymous, account should be taken of the reasonable ability of the recipient (i.e. the consultant) to identify individual persons in the dataset. The ability of the EU body to do so was not decisive. Since the consultant had no reasonable way to link the data to specific people, the dataset should be considered as anonymous, and EU data protection law did not apply.
While each case is of course unique, the decision does clarify that effective anonymisation under EU law is realistically feasible in more cases than originally anticipated. For energy data too, the ruling is a potential enabler, particularly in situations where a data flow can be organised that makes it effectively impossible for a security service provider to link data back to individual households. That’s a development that can only benefit the maturity and availability for security analytics, both in CyberSEAS and outside of it.