The correct specification of the GDPRs scope continues to pose a difficult quest for stakeholders in a data-driven society. Anonymisation approaches, such as k-anonymity or differential privacy, are supposed to offer a way for safe and legally sound data processing. However, as long as the concept of personal data is not sufficiently clarified, it is impossible to reliably answer the question of the right anonymisation measure (not to mention the right k or ε) - at least not from a legal perspective. This panel tries to reconnect the question of anonymisation with what it was supposed to protect all along: personal data and thus the fundamental rights of the data subjects (see Art. 1 sect. 2 GDPR). Can a closer look on the fundamental rights offer a scale that is even able to determine the required k and ε?
• What is the current state of anonymisation in practice?
• Using a sledgehammer to crack a nut - are anonymisation techniques being used ineffectively?
• How can anonymisation be improved in terms of legal certainty?
• What is the view of data protection authorities on this?
