Netherlands: Interesting DPA action over processing of pseudonymized data

Below bits via Google translate from Press release below:
“The Dutch Data Protection Authority (AP) has reprimanded the Alliance for Quality in Mental Healthcare (Akwa GGZ) for processing personal health data. According to the privacy law, this is prohibited because health data provide sensitive information about a person. Processing is only allowed in exceptional cases. Akwa GGZ has taken over a set of insufficiently anonymized health data from the Benchmark GGZ (SBG) foundation since the beginning of 2019. Akwa GGZ has thus processed health data, while this processing cannot be based on an exception to the prohibition.

SBG and Akwa GGZ conduct quality research in mental health care. At the request of the care institution, patients complete a questionnaire so that mental healthcare providers can be benchmarked on treatment effect and customer satisfaction. This so-called Routine Outcome Monitoring (ROM) data went to SBG via Zorg TTP after pseudonymisation. After an enforcement request, the AP investigated the SBG’s working methods and tested them against relevant laws and regulations.”

“The AVG defines personal data as all information that can be traced to the person. The AP has analyzed all steps from the delivery of data by the patient to the processing of that data by SBG. This shows that SBG did not use randomization techniques when SBG received the data. The key for pseudonymisation also remains the same.

The AP finds that SBG has taken insufficient technical guarantees on the data set to eliminate the risks of traceability. The ROM data is therefore not anonymous and can be traced back to the person. At the start of 2019, Akwa GGZ took over the dataset from SBG. SBG and Akwa GGZ thus processed personal data about patients’ health.”

Report: Privacy in the EU and US: Consumer experiences across three global platforms (Pat Walshe, PrivacyMatters)

Key findings (condensed from executive summary):

  • Users cannot avoid being tracked.
  • Third parties track users.
  • Privacy policies and other related policies are generally hard to read.
  • Companies fail to provide proper transparency. (specific purpose, legal basis, retention time of date)
  • Amazon treats US users differently in terms of rights to access.

Best of DPC19: Global GDPR Challenges, the case of Russia

Great slide deck that shows how GDPR concepts (e.g. on consent) cannot be applied to Russia – and how GDPR-shaped assumptions can collide with non-EU legal systems.