August 2, 2022
Written by
Magali Feys
10 Truths of Statutory Pseudonymisation LinkedIn Logo

10 Truths of Statutory Pseudonymisation

Click here to access the third episode of the Pseudonymisation Podcast about 10 Truths of Statutory Pseudonymisation. This podcast features:

Steffen Weiss, board member in charge of international affairs at the German Association for Data Protection and Data Security (GDD). Highlighted comment:

  • When discussing the benefits of statutory pseudonymisation, you need to look beyond the GDPR and consider the benefits under E.U. member state laws. For example, Germany has provisions allowing personal data processing when appropriate safeguards are in place. This is where statutory pseudonymisation comes into play. If you have implemented pseudonymisation properly, according to heightened GDPR, you can use member state law provisions to process personal data. So please do not just talk about GDPR. Do not forget member state laws, which should be considered for a holistic view of pseudonymisation.

Magali (Maggie) Feys, founder and partner at AContrario.Law, a boutique law firm specialising in data protection, data security and IP. Highlighted comment:

  • I see definite momentum around the globe in realising the heightened requirements for, and the increased data innovation benefits from, statutory pseudonymisation. We must be careful about the terminology we use. Pseudonymisation is not an effort to get outside of the law via “anonymisation,” which is frowned upon by supervisory authorities. Statutory pseudonymisation, as defined under the GDPR – and increasingly under other jurisdictions’ statutes – enables you to work within the law to improve and facilitate data utility whilst simultaneously balancing that increased utility against the protection of the data subjects and their rights, which involves more than data protection.

Gary LaFever, CEO and general counsel at Anonos. Highlighted comment:

  • The 10 truths of statutory pseudonymisation “tick and tie” to supervisory authority recommendations and court rulings, providing confidence in the predictability of operations and secure data processing in global supply chains. This includes trans-Atlantic data transfers, U.S.-operated cloud processing, data sharing, and distribution.

 The podcast covers the following 10 truths of statutory pseudonymisation:

  • Statutory pseudonymisation, as defined under Article 4(5) of the GDPR, is MORE than a privacy-enhancing technique (PET).
  • Under the GDPR, the requirements of Article 4(5) fundamentally redefine pseudonymisation.
  • Statutory pseudonymisation, as defined under GDPR Article 4(5), contains two halves that must be read and construed together; they cannot be interpreted separately from one another.
  • Statutory pseudonymisation, as defined under Article 4(5) of the GDPR, is picking up momentum around the globe.
  • *Statutory pseudonymisation requires protection of all data elements.
  • *Statutory pseudonymisation requires protection against singling-out attacks.
  • *Statutory pseudonymisation requires dynamism.
  • *Statutory pseudonymisation requires use of non-algorithmic lookup tables.
  • *Statutory pseudonymisation requires controlled re-linkability.
  • GDPR-compliant pseudonymisation produces statutory benefits.

*Additional information about truths 5 through 9, as enumerated by the European Data Protection Board in their final Schrems II Recommendations, is available in Processing Cleartext - A Clear and Present Danger - Statutory Pseudonymisation Enables Protected Processing

The podcast also includes information on an initiative by the GDD, working with Bitkom in Germany, to develop a Pseudonymisation Code of Conduct under the GDPR for international use.

This article originally appeared in LinkedIn. All trademarks are the property of their respective owners. All rights reserved by the respective owners.