Hi Vincent,
Thanks for this thoughtful definition.
So I understand it, a couple of questions.
Does the definition allow a data set containing a single record to be classed as de-identified? So a subsequent transaction can be linked to a previous transaction, but as soon as the dataset contains more than one record it is no longer de-identified, and DNT:1 applies etc.?
By “record” I assume this means one instance of “tracking data” derived from an HTTP transaction e.g. [UID, Source IP, Url,…]
If so then what happens if only one record is ever retained (just updated with a derived web activity score perhaps), in this case can web activity based profiling continue irrespective of DNT?
Mike
From: TOUBIANA Vincent [mailto:vtoubiana@cnil.fr]
Sent: 16 July 2014 17:19
To: public-tracking@w3.org
Subject: RE: Deidentification (ISSUE-188)
I’d like to propose a definition of de-identification which is closer to the concept of anonymization defined in the Article 29 Opinion (http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp216_en.pdf).
A data-set is de-identified when it is no longer possible to:
- isolate some or all records which correspond to a device in the dataset,
- link, at least, two records concerning the same device,
- deduce, with significant probability, the value of an attribute from the values of a set of other attributes.
The third criteria may -- in some cases -- go beyond de-identification but the first two are, in my opinion, required to limit re-identification risks.
Best regards,
Vincent Toubiana
De : Justin Brookman [mailto:jbrookman@cdt.org]
Envoyé : mercredi 16 juillet 2014 04:47
À : public-tracking@w3.org (public-tracking@w3.org)
Objet : Deidentification (ISSUE-188)
All, I have updated the wiki (https://www.w3.org/wiki/Privacy/TPWG/Change_Proposal_Deidentification) to reflect what I *think* are the active change proposals on data minimization. If I incorrectly culled yours --- or you wish to propose different language --- please let us know!