Introduction – In Part II, it was described how, despite an upcoming postprivacy movement, the European Union opted for a robust data protection framework. Inherently the choice for a robust, overarching and technologyneutral General Data Protection Regulation, held the choice for limitations on the use of personal data, even when measures to avoid identification or re-identification are taken. Data protection law establishes boundaries for personal data processing based on a set of fundamental ‘back-bone’ principles. The data minimisation principle is one of those back-bone principles.

The principle includes the obligation for data controllers to limit the processing of personal data to data that are “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”. The data minimisation principle includes the obligation for data controllers to refrain from the processing of personal data when there is no need for identification of the data subject, and to anonymise data when identification is no longer needed. In combination with the other fundamental principles, such as the purpose limitation principle (discussed in the next chapter), and the lawfulness principle (discussed in the previous chapter), the data minimisation principle aims to balance individual, societal and economic interests. While the previous chapter focussed on empowerment through choice, data minimisation and purpose limitation create patient empowerment through obligations for others.

Anonymisation techniques – Several methods are being used to impede the joining of different datasets. Fundamentally, these methods make a distinction between identifying, quasi-identifying and non-identifying attributes. Data that enable the direct identification of individuals are ‘identifying attributes’ (such as name and social security number). ‘Quasi-identifying attributes’ are data which are in itself not directly identifying, but which allow to single out individuals when unique in their combination (such as postal code, date of birth, gender, and other demographics). It should be noted that the application of anonymisation techniques would qualify, in itself, as a processing operation, since it implies the collection of personal data by a data controller or another party.