The Regulatory Future of Synthetic Data - Data synthesis as a resource for scientific research, innovation, and public policy in the European legal landscape

The evolution of data processing technologies and their increasing incidence in everyday life have posed new and complex challenges for data protection. In this context, the debate on synthetic data, an emerging technology that offers new perspectives for data management, comes into play. In this respect, it is essential to consider synthetic data not only as a technique to guarantee privacy and data security, but also as a means to promote innovation and technological progress, without neglecting the necessary guarantees for the protection of rights and freedoms of individuals. Therefore, the aim of this paper is to analyse the role of synthetic data as an anonymisation tool, exploring the implications from both a technical and a legal point of view.

The first chapter of this paper provides a legal/technical overview of the notion of synthetic data, analysing the difference between anonymisation and pseudonymisation on the basis of the requirements of data protection legislation and the provisions and guidelines of the various authorities that have intervened in this matter. In addition, the various synthesisation techniques have been analysed according to the state of the art, with a focus on synthesisation as an anonymisation technique.

The second chapter analyses the current as well as the “future regulatory framework”. This analysis includes the interpretation of existing regulations and the prediction of future trends in data protection, paying particular attention to the role of synthetic data in the context of privacy and data security. In particular, have been examined the provisions contained in Regulation (EU) 2016/679 (hereinafter also referred to as “GDPR”)[1], in the Data Governance Act[2], and in the Data Act[3], assessing how synthesisation may be applied or interpreted according to the guidance contained in these regulations. In addition, future perspectives have been explored, such as the inclusion of synthetic data in the AI Act[4] and the impact of the European Health Data Space[5], as well as the prospect of using synthesis in digital health with respect to the Italian landscape.

The last chapter of this paper focuses on the growing importance of synthesising data in contexts other than scientific research, highlighting the need for regulatory updates and evolutionary interpretations to support technological innovation while respecting the rights and freedoms of individuals. Furthermore, it was pointed out that Opinion 05/2014 on anonymisation techniques (WP 216)[6] needs a renewed approach by European authorities on the topic, considering synthesisation as part of anonymisation techniques, if properly generated[7].