The GDPR
According to Article 11 of the Regulation, where the processing purposes do not or do no longer require the identification of a data subject by the controller, the controller shall not be obliged to maintain, acquire or process additional information in order to identify the data subject for the sole purpose of complying with this Regulation.
At first glance, this new provision may seem superfluous. However, Article 11 should be read by keeping in mind the definition of personal data that constitutes personal data to be: “any information concerning an identified or identifiable natural person (“data subject”) is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person” (see Art. 4 (1)).
According to recital 26 of the Regulation, to determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used or to which the controller or any other person may have access (such as the costs of identification and the time required for it, the available technologies and their development).
In doing so, the processing is likely to fall within the Regulation scope when the controller is able to or has access to means to identify a person, on the basis of the processed data.
If the purpose does not justify the use of such means anymore - and therefore, if it seems that the controller no longer resorts in compliance with the principle of purpose, the Regulation emphasizes that the controller must not hold, acquire or process any additional information about persons for the sole purpose of complying with the Regulation, unless the purpose(s) of processing so impose(s).
In that case, and provided that the controller is able to demonstrate that he or she is not (no longer ) in position to identify the persons, the controller must inform the data subjects, if possible. In this case, Articles 15 (on the right to access by the data subject), 16 (on the right to rectification), 17 (on the right to erasure and to be forgotten), 18 (on the right to restriction of processing), 19 (on the notification obligation regarding rectification or erasure of personal data or restriction of processing) and 20 (on the right to data portability) are not applicable to processing that does not allow identification.
The data subject concerned by these types of processing may, however, refer to the above provisions in order to exercise their rights under these articles, insofar as he or she provides the controller additional information that can identify him or her. The controller can not therefore refuse the additional information provided by the data subject in order to facilitate the exercise of such rights (see recital 57).
The Directive
Neither the Directive nor the Belgian or French laws provide for this type of provision.
Potential issues
The conditions for application of the provision are not clear. The logic suggests that the controller no longer needs to resort to any means of identification in accordance with the principle of purpose that no longer requires him or her to identify the data subjects at the moment when compliance with the Regulation arises.
The obligation to notify about such a situation will also pose difficulties. Not only is it illogical to provide for an obligation to inform people that one is [no longer] able to identify but since the controller must provide evidence of impossible identification (negative proof), disputes can arise a posteriori on this matter.