Browsing by Author "Oikarinen, Pauliina"

People, devices, and networks are generating data incessantly. The rapid growth in personal information processing and the new developments in technology have led to the situation in which private actors, such as the network operators in the telecommunications (telecom) industry, process and transform remarkable volumes of data. The Internet of Things makes it possible for any devices or components of machines to be connected to the Internet and to exchange sensitive data with each other and network services. Interaction between objects, and between objects and individuals are generating data flows which are difficult to control. Data controllers and processors are responsible for ensuring that the data is protected adequately by implementing appropriate technical and organizational measures in order to protect the rights of the data subjects. Also, regulatory requirements on privacy, data protection, and security auditing are increasing the need for different approaches to managing security and privacy compliance. A new legislative act, the General Data Protection Regulation (GDPR), recognizes the importance of applying techniques which mitigate the risk for identification of individuals. One such technique is a newly codified concept in the European Union (EU) legislation: pseudonymization. It is a data de-identification procedure in which the pieces of personal data that identify a person are replaced by artificial identifiers, pseudonyms. As a result, the individual cannot be identified without the use of additional information. The function of pseudonymization is to reduce the possibility to link information with the original identity of a data subject. Pseudonymization could be often applied to personal data in the telecom industry, for instance, in troubleshooting cases when a copy of the identifying information will be provided on demand to a third party, who is responsible for performing the troubleshooting. The troubleshooters may not have the need to know the actual identifying information but can perform a troubleshooting of a software product based on the pseudonymized data. The GDPR refers to pseudonymization multiple times and encourages data controllers and processors to apply it to personal data. However, at the time of writing, no further guidelines on pseudonymization under the GDPR have been provided. Pseudonymized data qualifies as personal data and the data protection requirements of the GDPR fully apply to it. Data controllers and processors may feel that they do not have enough incentives to apply pseudonymization to personal data, since the GDPR does not seem to provide clear legal advantages with regards to pseudonymization, like limitation of liability or similar. On the other hand, pseudonymization can be a useful technique to enhance the level of data protection in general compared with a situation where personal data would be processed in a “raw” form, allowing direct identification of the data subjects. This study focuses on the meaning and usability of pseudonymization of personal data with respect to the GDPR, with its primary focus on the telecom industry perspective. The study aims to provide answers to the following questions: What qualifies as pseudonymization of personal data, and do different degrees of identifiability exist as pseudonymization according to the General Data Protection Regulation? What are the advantages for the data subject and for the data controller or processor when personal data is processed in a pseudonymous form? The study intends to interpret the concept of pseudonymization according to the GDPR and analyze its current status in the EU data protection regime in the context of the telecom industry.