A Right to Anonymity in the Digital Age
A Discussion of the Opportunities, Risks and Limitations
Although digital anonymity is associated with a wide range of opportunities and is important for natural persons, it also harbors risks and can stand in the way of successful criminal prosecution – digital anonymity should therefore be granted within limits.
The right to respect of private and family life (Art. 7 of the Charter of Fundamental Rights of the European Union (CFR)), as well as the right to protection of personal data (Art. 8 CFR) are of fundamental importance for natural persons. This is not only a subjective perception but is also reflected in an empirical study the Fraunhofer Institute for Secure Information Technology conducted (available from December 2024). This empirical study shows not only the importance for the participants to decide for themselves (to the greatest possible extent) which pieces of personal information they disclose to whom, but also the importance of anonymity to natural persons. However, since life is increasingly taking place online, (supposed) anonymity can also be exploited to spread hate, discriminatory content, and fake news. Thus, in the digital age, anonymity also harbors risks. Considering these risks, the European Court of Justice (ECJ), has (contrary to its previous case law) opened the door to data retention in Europe and thereby restricted digital anonymity with the decision in focus here. This contribution therefore discusses whether and to what extent individuals should be granted a right to anonymity in the digital age.
Anonymity in the digital age
Recital 26 of the General Data Protection Regulation (GDPR) states that anonymous data is “information which does not [or no longer] relate to an identified or identifiable natural person”. Hence, according to the GDPR anonymous data is the opposite of personal data and anonymity is given if no natural person can be identified based on the processed information. Taking into account the wording of recital 26 GDPR as well as the case law of the ECJ a factual and (mostly) relative understanding of the term anonymity must be assumed. Whether data is anonymous or not thus depends on whether the identification of natural persons is de facto impossible, in particular due to excessive effort required for identification. Since only the knowledge of those parties who have lawful access to the (supposedly anonymous) data is likely to be used in the sense of recital 26 GDPR – provided an unlawful access to the data is made sufficiently unlikely by technical and organizational protective measures –, their knowledge is the decisive factor for whether the data can be considered anonymous from a data protection point of view.
However, even if data are not considered generally anonymous from a data protection point of view, they can still be anonymous relatively to certain persons. On the internet, for instance, natural persons can usually be identified by their IP address (even if they do not actively disclose any personal information). Therefore, on the internet, general anonymity does not exist from the perspective of data protection law. However, identification by an IP address is subject to certain legal requirements (e.g. suspicion of a criminal offense committed in or with help of the internet), so that identification by an IP address is neither always possible nor possible for everyone. Hence, anonymity on the internet still exists relatively to certain persons. For example, a social media user who only uses a pseudonym as well as non-identifying images and information may be anonymous in relation to other internet users, while simultaneously, in the event of a criminal offense, can be identified by law enforcement authorities. In Germany, for example, in the event of a criminal offense, law enforcement authorities can use the IP address (including time stamp) to request information from the telecommunications provider as to whom the relevant IP address was assigned to at the time in question (§ 100j (2) of the German Code of Criminal Procedure).
Opportunities of anonymity in the digital age
Even though anonymity on the internet usually only exists relatively to certain persons, such relative (and subjectively perceived) anonymity is important to natural persons. This is shown by an empirical study the Fraunhofer Institute for Secure Information Technology conducted with 100 individuals from Germany (available from December 2024). In this study, 83% of the participants stated that they would (whenever possible) prefer the use of anonymized data originally concerning them to the use of their personal data. Reasons for this include, among others, the fact that anonymity makes some of the participants feel less observed (stated by 77% of the participants with at least “tend to agree”) and safer (stated by 71% of participants with at least “tend to agree”).
On the internet, anonymity enables the construction and exploration of (online-)identities and creates a space for expression and (self-)representation. Therefore, it bears the potential for internet users to exercise their rights and freedoms without restrictions. This is particularly important for vulnerable groups, such as children or minorities, who are particularly affected by hate speech, discrimination, and other offenses. Because of the anonymity they enjoy online, they are less likely to experience hate, discrimination or other abuse when expressing (political) opinions and views. Furthermore, anonymity can create an added value for society since it enables the discussion of social taboo topics (e.g. sexuality, violence and abuse as well as issues of minorities), which can lead to better education and interpersonal understanding.
Risks of anonymity in the digital age – the other side of the coin
On the other hand, due to the online disinhibition effect, anonymity on the internet can lead to persons losing accountability for their own actions and adhering less to social norms and rules or even to laws. In consequence, this can result in persons using their (supposed) digital anonymity to say or do things they would not say or do in the analogous world, in view of (features of) their civil identity. These things can possibly include a wide range of offenses, from hate speech to the dissemination of discriminatory content and false information to stalking. Furthermore, it can lead to serious crimes such as drug-, human- or arms-trafficking. Thus, (supposed) anonymity can, on the negative side, affect other persons and their rights and freedoms.
The right to digital anonymity: a right within limits
In view of the aforementioned opportunities and risks of digital anonymity – the opportunity to protect rights and freedoms on the one hand, and the risk of affecting rights and freedoms of others, on the other, – a right to digital anonymity should (as every right) be granted within limits.
Nevertheless, it is questionable whether a right to digital anonymity exists at all in the current legal situation and, if so, to what extent there are limits to this. A right to anonymity is not directly provided for – neither in German law nor in European or international law. However, it can be derived from other (fundamental) rights and freedoms. In German law, for example, a right to anonymity can be derived from the right to informational self-determination in terms of Art. 2 (1) in conjunction with Art. 1 (1) of the German Constitution. Also, it is related to other fundamental rights, in particular the fundamental right to freedom of expression, arts and sciences (Art. 5 German Constitution) as well as the right to privacy of correspondence, posts and telecommunications (Art. 10 German Constitution). Similarly, at European level, a right to anonymity can be derived from the Charter of Fundamental Rights of the European Union, in particular from the rights to respect for private and family life (Art. 7 CFR), the right to protection of personal data (Art. 8 CFR) as well as the right to freedom of expression and information (Art. 11 CFR). At the global level, a right to anonymity can be derived from international conventions on human rights, among others, from the European Convention on Human Rights (ECHR) and the International Covenant on Civil and Political Rights (ICCPR). These conventions include a right to respect for private and family life (see Art. 8 ECHR, Art. 17 ICCPR) as well as a right to freedom of opinion and expression (see Art. 10 ECHR, Art. 19 ICCPR), both of which – like the aforementioned German and European fundamental rights and freedoms – are closely linked to (digital) anonymity and thus constitute the basis for a (derived) right to anonymity.
However, none of the aforementioned rights and freedoms are absolute. Rather, they can be restricted at the national, European and global level respectively, especially when this is necessary to protect the rights of others (see e.g. Art. 5 (2) German Constitution, Art. 10 (2) German Constitution, Art. 52 (1) CFR, Art. 8 (2) ECHR, Art. 10 (2) ECHR, Art. 19 (2) ICCPR). Consequently, like other fundamental rights and freedoms, the right to anonymity is not an absolute right but a right within limits. This is, as the presentation of the opportunities and risks of anonymity in the digital age has shown, necessary to make use of the opportunities offered by the right to (digital) anonymity while at the same time countering the risks that arise from anonymity in the digital age.
The future of the right to digital anonymity
On 30th April 2024 the ECJ ruled that the general and indiscriminate retention of data does not necessarily constitute a serious interference with guaranteed rights (para. 79) but can be justified by the objective of combating criminal offenses. However, this is only the case if it is genuinely ruled out that the retention could give rise to serious interferences with the private life of the person concerned (para. 82). To rule out such a serious interference, several conditions must be met. Amongst them, it must be ensured that each category of data, including data relating to civil identities and IP addresses, is stored under technical modalities in such a way that no precise conclusion about the persons private life can be drawn. In particular, each category of data must be completely separate from the other categories of data retained (para. 86-87). As a result of the ruling, the ECJ partially lowers the requirements for linking IP addresses to identities, thereby shifting the limits of the right to digital anonymity. This, however, does not undermine the rights of those who merely take advantage of the opportunities of the right to digital anonymity. Rather, it protects the victims of those who exploit digital anonymity for offenses and serious crimes, thus affecting the rights of others. Since criminal offenses are increasingly shifting to the digital space and, in consequence, the threat situation is evolving, appropriate countermeasures are needed to enable criminal prosecution and protect victims. This – and not the general restriction of the right to digital anonymity – is what the recent decision of the ECJ is about. Hence, the right to digital anonymity remains untouched for those who act lawful. Those who exploit anonymity for unlawful activities, on the other hand, can be prosecuted more easily based on the ECJ’s decision.
Conclusion
Digital anonymity is associated with a wide range of opportunities for individuals and society, but it also harbors risks for other persons. Like any (fundamental) right, the right to digital anonymity must therefore always be balanced against the rights and freedoms of others. As criminal offenses are increasingly shifting to the digital space, the threat situation is changing and countermeasures to enable successful prosecution in the digital age are required. This is made possible by the recent ECJs decision. However, it remains to be seen whether and to what extent the ruling of the ECJ will affect the legal developments in Germany and other EU member states.
This research work has been funded by the German Federal Ministry of Education and Research and the Hessen State Ministry for Higher Education, Research and the Arts within their joint support of the National Research Center for Applied Cybersecurity ATHENE. This article reflects the personal opinion of the author.