Aircloak approved for GDPR-level anonymity for all data types and use cases by French data protection authority
At Aircloak we’re fully aware that the selection of solutions that impact how a customer manages regulatory compliance, such as around GDPR with its stringent requirements and potentially very high fines, involves a lot of trust. Trust that is typically built over time as we collaborate with our customers.
Another source of trust can come from third parties, such as existing reference customers, or in the case of GDPR, from independent (e.g. regulatory) organizations that evaluate a technology solution and make statements about its suitability for a specific purpose or within the context of a regulation. Aircloak continuously works with such organizations to assess how our technology solutions can help meet existing and new regulatory requirements.
Building Trust through Regulatory Evaluation and Validation
The Commission Nationale de l’Informatique et des Libertés (CNIL; National Commission on Informatics and Liberty, the French data protection authority) is an independent French regulatory body whose mission is to ensure that data privacy law is applied to the collection, storage, and use of personal data.
The CNIL evaluated Aircloak’s Diffix framework and determined that, for all use cases, it satisfies the three criteria of the WP29's Opinion 05/2014 on Anonymization Techniques.
Concretely, Diffix was found to be robust in preventing:
- the possibility to single out an individual,
- the possibility to link records relating to an individual, and
- the inference of information concerning an individual.
Moreover, these conclusions apply to any data and any use case. To get approval for any data and any use case is remarkable, and to our knowledge a first. Normally the CNIL deals with very specific anonymization scenarios (e.g. a specific type of data meant for a specific type of analysis).
German TÜViT Certification
Clearly, we’re excited about CNIL’s conclusions. It is a fantastic acknowledgement of the Aircloak Insights product and the underlying research. It also adds to the certification by TÜViT in Germany obtained earlier. TÜViT concluded that (a previous version of) Aircloak Insights fulfilled all requirements for data collection and anonymized reporting per the TÜViT Trusted Process (TPCS). TÜViT is the leading independent provider of security tests and certifications for IT products.
As we continue to work with regulators to create the levels of trust our customers need, we will also seek validation from another external source. As is good practice, especially in the security industry, demonstrating that a solution can withstand public scrutiny is probably the ultimate test. And this is exactly what we are planning to do with the Aircloak Challenge!
Not unlike a Bug Bounty program, we plan to release an instance of Aircloak Insights protecting a database containing personal/sensitive information and invite those who are interested to evaluate Aircloak Insights and attempt to extract personal information from this database, ultimately opening this up to the general public.