I'm building an application that may involve the storage of certain information pertaining to potentially millions of users of a popular social media platform for analytics purposes, making the obtaining of consent almost impractical (if not impossible). What can I do to make sure the information I collect cannot (for the purposes of data protection regulations) be used to identify the user whose data is being collected?
-
Also, anonymize and combine data, and hope nobody can identify individuals by examining data closely. One survey program I saw would not give detailed data for groupings of less than 3-5 people. – user10489 Mar 15 '22 at 22:00
-
@schroeder: While that would be the legally safest thing to do, it may also be impractical due to the nature of the application. Thus the question about anonymization/pseudonymization - as far as I know, data that is sufficiently pseudonymized falls out of the scope of data protection regulations. For example, "Thor Odinson purchased $20 in hair care products" is data that falls under the GDPR, but "Customer #123456 purchased $20 in hair care" does not fall under GDPR, as long as "Customer #123456" cannot be linked to "Thor Odinson" without significant effort. – moonman239 Mar 16 '22 at 17:32
-
You have significantly altered the question. You have a new problem. The users must consent to you to process their data in the first place. Else, the removal of the PII must happen with the processor that is giving you the data. – schroeder Mar 16 '22 at 18:47
-
You might ask this over at law exchange... or maybe check this thread: https://law.stackexchange.com/questions/56107/gdpr-pii-and-uuids – pcalkins Mar 16 '22 at 19:53
-
Could you point out what "certain information" means? At the end your question seems to ask whether a given set of information falls under PII. – Marcel Mar 17 '22 at 07:04
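
The two techniques mentioned in the comments above (replacing a name with an opaque customer identifier, and withholding detail for groupings below a minimum size), shown together as an added example that is not part of the original thread. The field names, the HMAC-based identifier, the sample records and the threshold of 5 are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

MIN_GROUP_SIZE = 5  # assumed threshold; the comment above mentions 3-5 people


def pseudonymize(user_id: str, key: bytes) -> str:
    """Keyed pseudonym: stable under one key, not recomputable without it."""
    return hmac.new(key, user_id.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def aggregate(records, key, min_group=MIN_GROUP_SIZE):
    """Sum spend per (region, category); suppress groups with too few distinct users."""
    users = defaultdict(set)
    totals = defaultdict(float)
    for rec in records:
        group = (rec["region"], rec["category"])
        # Count distinct people, not rows, so repeat purchases by one
        # person cannot push a small group over the threshold.
        users[group].add(pseudonymize(rec["user"], key))
        totals[group] += rec["amount"]
    report = {}
    for group, members in users.items():
        if len(members) < min_group:
            report[group] = None  # suppressed: too few people to publish
        else:
            report[group] = {"users": len(members), "total": round(totals[group], 2)}
    return report


# Constructed sample data (not from the thread).
SAMPLE = (
    [{"user": f"user{i}", "region": "north", "category": "hair care", "amount": 20.0}
     for i in range(6)]
    + [{"user": "user0", "region": "north", "category": "hair care", "amount": 5.0}]
    + [{"user": "thor", "region": "south", "category": "hair care", "amount": 20.0}]
)

if __name__ == "__main__":
    key = secrets.token_bytes(32)  # keep secret and stored apart from the dataset
    for group, row in aggregate(SAMPLE, key).items():
        print(group, row if row is not None else f"suppressed (<{MIN_GROUP_SIZE} users)")
```

An unkeyed hash of the user ID would not work here, because anyone holding a list of platform user IDs could hash them and match the results; the secret key is what prevents that recomputation.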