UNLOCKING DATA PROTECTION BY DESIGN & BY DEFAULT: LESSONS FROM THE ENFORCEMENT OF ARTICLE 25 GDPR 79
References
164 Garante, Ordinanza ingiunzione nei confronti di La Prima S.r.l. — 16 settembre 2021 [9705632], available at
https://www.gpdp.it/web/guest/home/docweb/-/docweb-display/docweb/9705632.
165 Hungarian National Authority for Data Protection and Freedom of Information, case NAIH-924-10/2021 of June 18, 2021, available at
https://www.naih.hu/hatarozatok-vegzesek?download=405:erintetti-jogok-biztositasanak-kotelezettsege-nem-ugyfel-erintettek-reszere.
166 APD/GBA, Numéro de dossier : DOS-2019-04798, Case: 047/2021 of January 20, 2021, available at
https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-04-2021.pdf.
167 Garante, Ordinanza ingiunzione nei confronti di Wind Tre S.p.A. — 9 luglio 2020 [9435753], available at
https://www.garanteprivacy.it/home/docweb/-/docweb-display/docweb/9435753.
168 HDPA, Case 13/2021 of April 17, 2021, available at
https://www.dpa.gr/sites/default/files/2021-04/13_2021anonym.pdf.
169 HDPA, Case 20/2021 of May 12, 2021, available at
https://www.dpa.gr/sites/default/files/2021-05/20_2021anonym.pdf.
170 Garante, Ordinanza ingiunzione nei confronti di Vodafone — 12 novembre 2020 [9485681], available at
https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9485681.
171 The subject-matter of the case and the Garante’s rationale are similar to the ones in Case IT16 (referenced in
Annex I of the Report).
172 ICO, note 45. In its draft guidance, the regulator explains that “PETs and anonymisation are separate but related
concepts. Not all PETs result in effective anonymisation, and you can achieve anonymisation without using
them. At the same time, PETs can play a role in anonymisation, depending on the circumstances. (...) However,
the purpose of many PETs is to enhance privacy and protect the personal data you process, rather than to
anonymise that data.” The guidance note explains the merits of eight specific PETs in light of the GDPR,
notably: homomorphic encryption, secure multiparty computation, private set intersection, federated learning,
trusted execution environments, zero-knowledge proofs, differential privacy, and synthetic data.
173 Article 29 Working Party, 2014, Opinion 05/2014 on Anonymisation Techniques, available at
https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2014/wp216_en.pdf.
174 Datatilsynet, May 5, 2021, available at
https://www.datatilsynet.no/contentassets/27d554561ceb4e77ad22b54fad5bfe0e/vedtak-om-overtredelsesgebyr-til-norges-idrettsforbund.pdf.
175 Datatilsynet, note 6.
176 EDPS, Is the future of privacy synthetic?, July 14, 2021, available at
https://edps.europa.eu/press-publications/press-news/blog/future-privacy-synthetic_en.
177 O TENE and G ZANFIR-FORTUNA, Chasing the Golden Goose: What is the path to effective anonymisation?,
PinG, 2017, available at https://doi.org/10.37307/j.2196-9817.2017.04.03.
178 Recitals 26, 28, and 29, and Article 4(5) GDPR.
179 This high threshold for anonymization under the GDPR also draws from earlier guidance from EU DPAs and
the jurisprudence of the CJEU. See ARTICLE 29 DATA PROTECTION WORKING PARTY, note 50, and CJEU,
Case C-582/14 Patrick Breyer v Bundesrepublik Deutschland, October 19, 2016, ECLI:EU:C:2016:779.
180 APDCAT, note 6.
181 AEPD, Encryption and Privacy III: Homomorphic encryption, June 22, 2020, available at
https://www.aepd.es/en/prensa-y-comunicacion/blog/encryption-privacy-iii-homomorphic-encryption.
182 AEPD, Anonymisation and pseudonymisation (II): Differential privacy, October 28, 2021, available at
https://www.aepd.es/en/prensa-y-comunicacion/blog/anonymisation-and-pseudonymisation-ii-differential-privacy.
183 AEPD, Privacy by Design: Secure Multiparty Computation: Additive Sharing of Secrets, May 30, 2022, available at
https://www.aepd.es/en/prensa-y-comunicacion/blog/privacy-by-design-secure-multi-part-computation-additive-sharing-secrets.
184 AEPD, Encryption and Privacy IV: Zero-knowledge proofs, November 4, 2020, available at
https://www.aepd.es/en/prensa-y-comunicacion/blog/encryption-privacy-iv-zero-knowledge-proofs.
185 AEPD, GDPR compliance of processings that embed Artificial Intelligence — An introduction, February 2020,
available at https://www.aepd.es/sites/default/files/2020-07/adecuacion-rgpd-ia-en.pdf, p. 37.
186 Conseil d’État, case 450163 of December 3, 2021, available at
https://www.legifrance.gouv.fr/ceta/id/CETATEXT000043261200
187 Belgian Administrative Court, case No 251.378, of 19 August, 2021, A. 234.221/XII-9119.
188 Dutch DPA, September 30, 2019, available at
https://autoriteitpersoonsgegevens.nl/nl/nieuws/ap-stelt-geen-onderzoek-naar-opslag-medische-gegevens-cloud
189 HDPA, Case 04/2022 of January 27, 2022, available at
https://www.dpa.gr/sites/default/files/2022-01/4_2022%20anonym%20%282%29_0.pdf.