Webinar FAQ 5: Explain how the GDPR heightened standard for Pseudonymisation is not the same as the "casual" understanding of the technique.

The GDPR definition of Pseudonymisation is very different from the pre-GDPR "casual" understanding of the term – you must now satisfy dramatically heightened requirements.

Before the GDPR, the term “pseudonymisation” was not defined in EU-level statutes. The following definition provided by the Article 29 Working Party is representative of what the term was generally understood to mean:


Replacing one attribute (typically a unique attribute) in a record by another. The natural person is therefore still likely to be identified indirectly; accordingly, pseudonymisation when used alone will not result in an anonymous dataset.1


The Article 29 Working Party also highlighted the weakness of pseudonymisation under the pre-GDPR definition of the term due to its susceptibility to singling-out, linkability, and inference attacks that “allow an individual data subject to be singled out and linkable across different data sets.” 2


Requirements for Pseudonymisation Were Significantly Redefined Under the GDPR


This is what Anna Buchta, Head of Policy & Consultation at the EDPS, was referring to when she said that the GDPR-heightened standard for Pseudonymisation is not the same as the "casual" understanding of the term.


The requirements necessary to satisfy the GDPR definition of Pseudonymisation are very different from the pre-GDPR "casual" understanding of the term – you must now satisfy dramatically heightened requirements. Only a very small subset of what might previously have been considered “pseudonymised” data would satisfy the new definitional standards under Article 4(5).3 The new definition now requires that:


The processing of personal data must be accomplished in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information;

  • Such additional information must be kept separately; and

  • Technical and organisational measures must ensure that the personal data cannot be attributed to identifiable persons without requiring access to the separately and securely stored “additional information.”

It is critical to note that the new heightened level of Pseudonymisation under the GDPR is, as a consequence of the breadth of scope of personal data, now defined as an outcome for a dataset and not just a technique applied to individual fields.


By elevating Pseudonymisation to an outcome, GDPR-compliant Pseudonymisation requires protection of not only direct identifiers but also indirect identifiers, and potentially attribute fields as well. In addition, instead of being applied only to individual fields, GDPR-defined Pseudonymisation, in combination with the GDPR definition for Personal Data, now requires that the outcome must apply to a data set as a whole (the entire collection of direct identifiers, indirect identifiers and other attributes). This means that consideration must be given to the degree of protection applied to all attributes in a data set. Finally, the foregoing must be accomplished while still preserving the data’s utility for its intended use, which under Schrems II would include international data transfer.


As a result, pre-GDPR “casual” approaches (using a static token on a direct identifier, which unfortunately is still widely and incorrectly referred to as “pseudonymisation”) will rarely, if ever, meet the heightened GDPR requirements of Pseudonymisation.4 This also means that old or “casual” approaches fail to achieve the new statutory requirements for the term and therefore will not satisfy the requirements for supplementary measures to enable lawful international data transfers under Schrems II.



The above graphic was used during the webinar to highlight that data properly satisfying the strict definitional requirements of GDPR Article 4(5) - in this graphic represented by the vertical separation of the “Who” data held exclusively by the EU Exporter and “What” data provided to the Non-EU Importer - enables protected data use wherever the data is processed. This approach uniquely helps to satisfy the requirements for “supplementary measures” and “additional safeguards'' highlighted over twenty times in the Schrems II decision.5


Note: The answer to FAQ 6 - Please provide a Data Pseudonymisation 101 Overview for Big Data Analysis Risks – will provide additional details on how to achieve GDPR-compliant Pseudonymisation as well as some of the resulting statutory benefits.

CLICK TO VIEW CURRENT NEWS

Footnotes:

[1] See Opinion 05/2014 on Anonymisation Techniques at https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2014/wp216_en.pdf at page 20.

[2] See Opinion 05/2014 on Anonymisation Techniques at https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2014/wp216_en.pdf at page 21.

[3] Article 4(5) defines Pseudonymisation as “the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.”

[4] Additional information on GDPR compliant pseudonymisation is available at www.Pseudonymisation.com

[5] See Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (Case C-311/18), “Schrems II”) http://curia.europa.eu/juris/document/document.jsf?text=&docid=228677&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=9745404 at paragraphs 8, 14, 15, 19, 91, 92, 95, 103, 105, 128, 131, 202, and 203.