Technical Controls Prevent Data Misuse: The Need for Statutory Pseudonymization

Access controls and governance policies do not prevent data from being misused, even when use is restricted internally. Furthermore, when data is shared outside an organization, it is usually protected using encryption, data masking, and other methods to ensure security while in transit and during storage. However, when data is unencrypted for processing, it is left vulnerable. The article’s authors explain that technical controls must be used to protect data at all points along the chain - particularly when the data is in use. Statutory pseudonymization is a state-of-the-art and legally supported method for protecting data during use to minimize or prevent negative impacts from data misuse, breach and ransomware attacks. Statutory pseudonymization allows organizations to continue using the data for analytics, research or other purposes, while ensuring that the sensitive data of any particular identifiable natural person is protected.

As explained in the full article, statutory pseudonymization allows data use by organizations for two of their primary goals:

• Economies of scale: Being able to make use of economies of scale provided by cloud-based infrastructure-as-a-service (IaaS) and platform-as-a-service (PaaS) offerings; and
• Data sharing and secondary processing: Artificial intelligence (AI), machine learning (ML), advanced analytics, and other capabilities by leveraging services offered by third parties as cloud-based software-as-a-service (SaaS) offerings.

Regulatory bodies and other groups increasingly recognize the importance of using technical controls to protect data from misuse and breach. For example, these groups are increasingly aware of the importance of technical controls to safeguard data when in use:

• EU and U.S. governments: Numerous struggles between the U.S. and EU governments regarding the correct way to reconcile cross-border differences in data protection laws have led to several EU-U.S. privacy treaties being struck down. It has become increasingly clear to both that technical controls are necessary, and that legal agreements and treaties are insufficient for this task.
• Courts: Fundamental differences between the U.S. and EU courts cannot be ignored. Technical controls allow these differences to be bridged and accommodated while permitting data transfers and cross-border personal data processing.
• Enforcement agencies: While EU regulators were slow to enforce GDPR requirements in Europe, enforcement agencies are increasingly taking enforcement actions against companies of all sizes and nationalities. Similarly, U.S. enforcement agencies, particularly states, are carrying out enforcement under new, more stringent privacy laws. These actions show the importance of technologically enforced controls to protect organizations from penalties, injunctions, and loss of reputation.
• Non-governmental organizations (NGOs): These groups have increasingly greater visibility and impact, such as Max Schrems’ organization NOYB and its court case that resulted in the EU-U.S. Privacy Shield and its predecessor, the Safe Harbor treaty, being struck down. These activities highlight the role of technical controls in data protection and data security efforts.

The authors note there are four aspects of high-quality and high-defensibility data processing that statutory pseudonymization enables, helping organizations meet their data innovation and use goals without regulatory and compliance issues or enforcement actions. Statutory pseudonymization allows:

• Surveillance-proof processing: One of the significant global conflicts has been the possibility of surveillance of EU data by non-EU countries, particularly the U.S. Some countries, such as South Korea, have adopted strong requirements for statutory pseudonymization that enabled them to achieve an adequacy decision. Schrems II (the case that struck down the Privacy Shield) requirements set out by the Court of Justice of the European Union (CJEU) and the European Data Protection Board (EDPB) note that technical controls can be used as supplementary measures to prevent surveillance by third-country governments. Measures such as statutory pseudonymization can enable lawful international data transfers and processing that still protects the identity of EU data subjects, even when data is processed in “untrusted” environments such as those of a sub-processor, cloud processor, or other organizations and companies.
• Lawful processing: Another critical issue the article raises is securing legal grounds for processing personal data under the GDPR. Statutory pseudonymization plays a unique role in the GDPR. It allows pseudonymized data to be processed when organizations cannot secure consent or contractual means to process data by enabling Legitimate Interests processing as an alternate legal basis. This requires organizations to have (a) a legitimate purpose for processing; (b) the necessity of processing personal data to achieve that purpose; and ( c ) determine that the interest of the data controller is balanced against the interests or fundamental rights and freedoms of the data subject. The European Commission has noted that the use of technical and other measures, such as statutory pseudonymization, can help satisfy part ( c ) of this test through appropriate safeguards. In addition, the use of appropriate safeguards (such as pseudonymization) can allow further data processing to be lawful, as per European Commission guidance. Finally, using privacy-enhancing technologies such as pseudonymization can ensure that data controllers meet the data protection by design and default requirements, which require that data protection be applied as far “upstream” in processing as possible.
• Breach-resistant processing: Statutory pseudonymization can reduce the risk of data breach and misuse by obscuring identifying elements while making the protected form of data available for high utility processing. Pseudonymized data can only be controllably re-linked with additional information held separately by the data controller. This allows organizations to protect sensitive data without making it unusable while reducing the burden and costs of data breach or misuse. In the EU and the U.S., various laws and regulations require organizations to apply reasonable security measures to protect personal data. In many cases, this exempts organizations from data subject notification requirements if they can show no reasonable likelihood of harm to the data subject.
• Data supply chain defensibility: Joint and several liability is enforced under the GDPR, meaning that data controllers along the chain of data use are potentially open to penalties in the case of misuse or breach. Using technical supplementary measures such as pseudonymization can ensure that parties up and down data supply chains reduce their risk and exposure from improper processing.

Statutory pseudonymization requires five key elements, as noted by the EDPB Final Schrems II Guidance:

• Protecting all data elements: EU GDPR pseudonymization status must be evaluated for a data set as a whole, not just particular fields. This requires assessing the degree of protection for all personally identifiable information in a data set, including more than direct identifiers, and extending to indirect identifiers and attributes.
• Protecting against singling out attacks: The EDPB Final Schrems II Guidance requires protection against "singling out" of a data subject in a larger group, effectively making the use of either k-anonymity or aggregation mandatory.
• Dynamism: Statutory pseudonymization must protect against the use of information from different datasets to re-identify data subjects, which necessitates using different replacement tokens for different purposes at different times (i.e., dynamism) to prevent re-identification by leveraging correlations among data sets.
• Non-algorithmic look-up tables: Data controllers must consider the vulnerability of cryptographic techniques (particularly over time) to brute force attacks and quantum computing risk, which necessitates the use of non-algorithmic derived look-up tables; and
• Controlled re-linkability: The EDPB Final Schrems II Guidance notes that, along with other requirements, the standard of EU GDPR pseudonymization can be met only if “a data exporter transfers personal data processed in such a manner that the personal data can no longer be attributed to a specific data subject, nor be used to single out the data subject in a larger group, without the use of additional information.”

Global data processing increases the risks of data breach and misuse. Statutory pseudonymization, adopted under an increasing number of international and U.S. state privacy laws, helps to prevent privacy violations before they occur. In addition, it provides numerous legal and business continuity benefits, protection against breach, and reduced breach notification obligations. However, companies, governments, non-governmental organizations (NGOs), and other entities should carefully evaluate the application of technical controls that can satisfy the heightened requirements for statutory pseudonymization defined in the GDPR.

DOWNLOAD HERE