TOP TEN TRUTHS ABOUT GDPR PSEUDONYMISATION

My name is Steffen Weiss. I'm the Legal Counsel for the German Association for Data Protection and Data Security (GDD). We are dealing with Pseudonymisation in our Code of Conduct on Pseudonymisation and trying to get the approval for our Code of Conduct to enable controllers and processors to successfully pseudonymise personal data under the GDPR.

My name is Gary LaFever. I'm the CEO and General Counsel at Anonos where we have spent the last 8 years and invested tens of thousands of hours in developing, deploying, and improving technology that separates identity from information value, sometimes referred to as Functional Separation. Functional Separation is embodied within the GDPR in the definition of Pseudonymisation. I look forward to this conversation with Steffen.

The reason we got together to provide to you these 10 Truths of Pseudonymisation is as we read the AEPD-EDPS Top 10 Misunderstandings of Anonymisation, we realise that further clarity on Pseudonymisation could be helpful to the industry. TRUTH #1: PSEUDONYMISATION IS NOT THE SAME AS ANONYMISATION

So, is there a difference between anonymisation and Pseudonymisation? In the first place, Pseudonymisation has a legal definition under the GDPR. Anonymisation does not have a legal definition. And if you look closer to this system of transformation of personal data looking at anonymisation, if you have an anonymised data, this data can no longer be attributed to the individual. So, there's no chance that people or individuals are identified using this information.

It's interesting, Steffen. I've actually heard some regulators say that the only way to truly have anonymous data is if the data controller themselves deletes the source data, and the AEPD-EDPS opinion on Pseudonymisation and hash marks actually mentions that from their perspective in order for data to be truly anonymised this would have to be the case that even the data controller themselves could not re-link. Any thoughts on that?

It sounds reasonable because anonymisation requires that even at the same controller, there's no way of identifying a natural person. So, in Germany, I might be able to add this to the problem itself - the German Regulators and the German Supervisory Authorities are asking you if you want to anonymise personal data, they are even asking for a legal basis for doing this. So, you have to look at the GDPR Article 6 and find a legal basis for anonymising personal data, which makes it even more complicated to try to deal with anonymised information and try to anonymise personal information.

Since the AEPD-EDPS Top 10 Misunderstandings of Anonymisation were one of the reasons that we decided to record these top 10 Truths of Pseudonymisation, we want to point out that the first truth of Pseudonymisation that Pseudonymisation is not the same as anonymisation is the very same one that the AEPD and the EDPS noted. TRUTH #2: GDPR PSEUDONYMISATION IS A HIGHER STANDARD THAN PRE-GDPR PSEUDONYMISATION

Back in 2014, Pseudonymisation dealt primarily with just replacing direct identifiers with tokens. Under the GDPR, it's a much higher standard than that. You must be able to show that the only way to re-link is with the additional information that's kept separately by the data controller.

In Germany, we had a definition of Pseudonymisation before GDPR times, before the GDPR became applicable, and it was all about replacing the person's name and the person's identity with a label in order to say, “Okay, this data is now being pseudonymised.” The German legislator was ignoring two problems looking at this. The first thing is, what about the quasi identifiers do not direct identifiers to the data subject but all information on this individual, on this natural person, which needs to be put in the assessment concerning the question: Is this data pseudonymised data or not? Secondly, the German legislator did not tell us how to actually transform the data to the pseudonymised data. It was stating that you should replace the person's identity or other identifiable information without telling us or keeping us informed about direct identifiers or indirect identifiers, which looking at the GDPR definition now would not be a suitable Pseudonymisation technique taking this approach from the former German approach of Pseudonymisation concerning personal data. TRUTH #3: PSEUDONYMISATION IS NOT FAILED ANONYMISATION

The third truth is the question: Is Pseudonymisation failed anonymisation or not? Truth be told, there's a difference between Pseudonymisation and anonymisation. We talked about this before looking at the legal definitions of the two terms. And then, we have to stress that even though you might not be able to successfully anonymise data, this might not result in a successful Pseudonymisation transformation process because the requirements on Pseudonymisation are high in the GDPR. I would even say that there's a stage during the processing where the data, which has been pseudonymised, is de facto anonymised because you have successfully separated additional information from the content data, the pseudonymised data.

Yes, it's interesting. I've sometimes heard data controllers say: “Well, if I failed in my anonymisation, I will at least have pseudonymised my data.” But as Steffen pointed out, that is not the case. And in fact, one would argue or could argue that Pseudonymisation other than the additional controls with which re-identification is possible. But when it's pseudonymised and those additional controls are not present, one could argue it's actually a higher standard than anonymisation because in Recital 26 when it speaks to anonymisation, it has a concept of reasonableness. Is it reasonably likely that this data could be re-identified? Whereas with Pseudonymisation, the test is that the data cannot be re-identified but for the additional information that's held separately by the data controller. So, again, failed anonymisation is very unlikely to result in compliant Pseudonymisation under the GDPR.

And then, the difference between Pseudonymisation and anonymisation would be that if you pseudonymise data, the re-identification of a person or of the data subject is envisaged or even planned. Whereas in anonymisation, there is no chance at all to identify a person or a data subject. But if you want a successful pseudonymised personal data, you need certain processes, which do have a potential or envisaged re-identification of the data subject meaning that you need to make up your mind about the lawfulness of re-identification, and the technical organisational measures of how to re-identify this person.

A good Pseudonymisation solution would actually provide an audit trail so you can show the difference between those situations where the additional information was provided and those where it was withheld to show that the means and possibility of re-identification is introduced and enforced in compliance with the lawfulness of the processing. TRUTH # 4: GDPR PSEUDONYMISATION REQUIRES PROTECTION OF MORE THAN DIRECT IDENTIFIERS"

The European Cybersecurity Agency, ENISA, had an interesting way of putting this. In their 2018 study on Pseudonymisation, they said that Pseudonymisation has to go beyond protecting real-world personal identities. And what they meant by that is that just as you said you have to protect both the indirect identifiers, the quasi identifiers, attributes, characteristics, behavior and other content because those indirect identifiers and attributes and content data, as you say, can be used to identify notwithstanding the fact that the direct identifiers, names, country code, etc., have been masked.

Yeah, Gary. So all in all, it's an overall assessment. You have to go through checking if it's enough to really pseudonymise the identifiers, which most likely is not the case. To start there, you also need to check the other data available on the data subject and the direct identifiers to be able to complete the picture if you have a successful Pseudonymisation process or not. TRUTH #5: GDPR PSEUDONYMISATION REQUIRES (A) MORE SOPHISTICATED CONTROLS SO THAT REIDENTIFICATION IS NOT POSSIBLE WITHOUT “ADDITIONAL INFORMATION” HELD SEPARATELY BY THE DATA CONTROLLER

Oftentimes, a Privacy Counsel will advise a data controller that the most conservative approach is to anonymise their data so as to get it outside of the jurisdiction of the GDPR. However, while that's true, two things happen. First, it's not just a legal concept. It has to be technologically unlikely, if not impossible, to re-identify the data. So, a mere attempt at anonymisation does not take data outside of the GDPR. It's whether or not the technical means of anonymising the data were effective. And secondly, truly anonymous data since it can never be re-linked to identity has reduced value. And so, while it might be true that it would take it outside of the scope of the GDPR, the question is whether or not that's truly what the data controller wants. The fact that pseudonymised data remains personal data is not a negative. It's actually a positive. Because if you have the additional controls in place, you actually have more valuable data to use. It's not by accident that Pseudonymisation is mentioned 15 times within the GDPR. Whereas, encryption is mentioned only three times and anonymisation is mentioned only twice. Pseudonymisation is a purposely intended means of controlling processing, access, and use of data to maximise the value to the data controller, society, and data subjects themselves while having the controls to protect and enforce fundamental rights.

True, Gary, and I can add that the pseudonymised data itself can, of course, be comprehensible. It must be comprehensible. Look at the clinical trials. They are using pseudonymised data in order to assess blood samples, for example. If the pseudonymised data would not be comprehensible, it would be unable to identify the person in case there's an anomaly in the blood sample. So, of course, Pseudonymisation means that the pseudonymised data is comprehensible and open to analysis.

That's a great point, Steffen. Pseudonymised data is not just about controls to prevent re-identification. It's also about sophisticated controls that enable the data to still have high value and fidelity to be processed for its intended purpose to provide accurate results. And then, where appropriate and lawful, to be re-linked to individuals. This would enable both longitudinal studies as well as contacting subjects and clinical trials if they needed to know of certain outcomes related to the study. TRUTH #6: GDPR PSEUDONYMISATION REQUIRES DYNAMISM – MULTI-LEVEL PSEUDONYMISING ASSIGNING DIFFERENT TOKENS AT DIFFERENT TIMES FOR DIFFERENT PURPOSES"

In order to be GDPR-compliant Pseudonymisation, you have to use dynamism. And what this means is assigning different tokens at different times for different purposes. Also, you can have multiple levels of Pseudonymisation so that identifiers sent to one party for one purpose may be different than the same identifier sent to the same party for a different purpose or between different parties. What you're doing here is you're fighting the unauthorised re-identification via the mosaic effect. And so, again dynamism the use of different tokens at different times for different purposes to replace both direct and indirect identifiers, attributes, characteristics, and content data - all of this must be present to ensure that absent the additional information, it is not possible to re-link or re-identify, and then only for those purposes supported by lawful bases are the additional information allowed to be assigned and associated to make the re-identification and re-linking possible?

Yeah, Gary. You have to keep in mind that when we are talking about the purpose of data processing, the same purpose might apply to different recipients of data. But you should keep in mind that you should even change the key or token of the pseudonymised data when transferring the data to a different recipient of data even though this recipient might have the same purpose of processing the data. It makes total sense to either change the key or token when you're passing it over to other organisations or other third parties for their processing purposes. And the CNIL in France by the way, they are also stressing the fact that especially when it comes to clinical trials, they are looking for these multi-level Pseudonymisation processes and they are talking about this double Pseudonymisation. So, in the end, the identifiers which are transformed into the pseudonym of the pseudonymised data are never the same when going through different hands of different organisations. TRUTH #7: GDPR PSEUDONYMISATION ENABLES ARTICLE 11(2) AND 12(2) CONTROLLED PROCESSING TO HELP SATISFY SCHREMS II REQUIREMENTS FOR TECHNICAL SUPPLEMENTARY MEASURES

GDPR Pseudonymisation, when implemented correctly, can actually support Article 11(2) and 12(2) type secured processing. What this means is that a co-controller or processor is not in possession of the additional information necessary to re-link to identity. And this is what Schrems II is really talking about when it talks about supplementary technical measures, so that the data is intercepted and surveilled, the identities of EU data subjects cannot be identified. And so, again, it's the very nature. The contractual and the statutory requirement that Pseudonymisation require that information value be separated from identity and only with additional information can it be re-linked that would enable you to process data whether it be in the public cloud or remotely and get the value of that data processing without revealing and exposing the identities of data subjects included in the data to someone who might intercept and surveil the data. You in the EU as the data controller would be the sole party in possession of the additional information necessary to re-link to identity, so you have not lost the ability to re-link to identity, the ability to re-identify, the ability to do longitudinal studies, or to reach out to people in a clinical trial or other process. But you have segregated the ability of parties to do that.

It’s very crucial, Gary. Looking at this additional information is the key, which enables you to re-identify the data subject. This is very crucial that it's under your control. If you're an EU data exporter, it's really crucial for our supervisory authorities to have your hands on this key and you're the sole organisation being able to re-identify the individual based on this additional information.

Gary, for my perspective, Pseudonymisation has been hidden in the law for too long. We need use cases for Pseudonymisation, and Schrems II is the first big use case realising or making companies realise that Pseudonymisation is a possible technical measure to make cross border transfers happen. Before, we had to find the benefits within the law. Before, we were using Pseudonymisation as a technical measure to protect personal data but there's more to this. And Schrems II is the first use case for making this method of processing personal data more transparent and more publicly available and accessible. And this is something the GDD is also working on with our Code of Conduct. We want to enable Pseudonymisation for many, many other more use cases. But as a first step, you need a comprehensive approach on how to tackle the legal requirements of Pseudonymisation. This is what our code is all about. And then using this technique, using the mentioned processes, using the software that's being available on the market, then we have to work on the use cases. And this is something which will happen in the next 6 to 12 months. The use cases, they will rise. We will have more use cases for Pseudonymisation and not just Schrems II. Companies will realise that there's more to this. That there is more to analytics and to AI use of pseudonymised data. And then, we will have a success story looking at Pseudonymisation, which by now has just suffered being hidden in the GDPR but has so many more capabilities of applying in the usual business processes. TRUTH #8: GDPR PSEUDONYMISATION CAN ENABLE EU-BASED REDRESS FOR FAILURE TO PROPERLY PSEUDONYMISE DATA

GDPR Pseudonymisation can enable EU-based redress for failure to properly pseudonymise data. This is an important thing because Pseudonymisation has a legal definition in the GDPR. And if you're looking at the risks concerning liability or other mechanisms of redress under the GDPR if you're not properly pseudonymising data or personal data, there's a chance that the data subject is lodging a complaint at the Supervisory Authority or even trying to get compensation for damages suffered because you're not properly pseudonymising personal data. Whatever purposes you have for Pseudonymisation, it can be for cross border data exports, it can be for longitudes, it can be for clinical trials. Regardless of the purpose of Pseudonymisation, you have to keep in mind that you have to comply with the legal definition and the technical organisational challenges related to Pseudonymisation.

This is important because particularly under the Schrems II analysis, a lot of the focus is on whether or not an EU data subject has appropriate and effective redress in the third country. But again, properly GDPR-pseudonymised data would allow the data to be processed in a third country or in a public cloud in such a way that even if it's intercepted and surveilled, it does not expose the EU data subject’s identity. And if it's done improperly so that it were to reveal the identity, the data controller in the EU could be subject to redress in the form of potential claims, damages, or even infringement. And so, in essence, by relying on GDPR Pseudonymisation, if it's done improperly in-country, meaning within the EU, redress would exist for the EU data subjects within the EU without having to rely on redress being available in the third country.

Pseudonymisation needs to be robust enough to successfully tackle the challenges under the GDPR regardless of cross border transfers or complying with data subject rights or complying with the purpose of data processing. So, it has so many dimensions of Pseudonymisation, which needs to be covered. That's why it's crucial to have a process in place for Pseudonymisation that is in line with the GDPR. TRUTH #9: GDPR PSEUDONYMISATION IS AN EXAMPLE OF DISTRIBUTED TRUST CONTROLS TO ENABLE TRUSTED DATA FLOWS

The Fourth Industrial Revolution is a concept where the different borders between different vertical industries are being broken down, and the data is being shared cross industry whether it be, you know, biological and IoT or whatever it happens to be, and that's happening from data sharing. And so, in order to have that data sharing occur lawfully, privacy respectful, and in a means that still provides for accurate data, you need more advanced data protection techniques such as Pseudonymisation.

In my opinion Pseudonymisation is already a technique, which enables you to actually do the data sharing with third parties and enabling you to do the longitude studies. And looking at the regulator in the EU and looking at Brussels, we have a proposal for a Data Governance Act, which in one section is all about data sharing. It is all about stipulating requirements for data intermediaries. And the question is: How do these data intermediaries act? Which techniques are they using? And Pseudonymisation can be a successful technique to enable the data sharing between different stakeholders and having one data committee in the middle spreading the data to the recipient who should have access to that data. TRUTH #10: GDPR PSEUDONYMISATION ENABLES MANY GDPR STATUTORY BENEFITS

i. Tips the balance in favor of Legitimate Interests processing (GDPR Articles 5(1)(a) and 6(1)(f) and WP 217)
ii. More flexible change of purpose (GDPR Article 5(1)(b) and WP 203)
iii. More expansive data minimisation (GDPR Articles 5(1)(c) and 89(1))
iv. More flexible storage limitation (GDPR Articles 5(1)(e) and 89(1))
v. Enhanced security (GDPR Articles 5(1)(f) and 32)
vi. More expansive further processing (GDPR Article 6(4) and WP 217)
vii. More flexible profiling (WP 251 rev.01 - Annex 1 and GDPR Recital 71 and Article 22
viii. Ability to lawfully share and combine data (GDPR Recitals 42 and 43, Articles 11(2) and 12(2), and EDPB Guidelines 05/2020

GDPR Pseudonymisation helps enable GDPR statutory benefits. Pseudonymisation being a very useful technical measure to protect personal data from unauthorised access, this is one side of the story. But the more important one is looking at the data controllers is the enabling function of Pseudonymisation. And looking at the lawfulness of processing, Pseudonymisation can really help to share data with third parties because the data is successfully pseudonymised. And then, you have a lawful basis for transferring data to a third party because the data is pseudonymised. This enabling function has been ignored until now, from my perspective, from the Supervisory Authorities and the data controllers and this is very crucial because, as we said before, you have to make your mind up concerning the lawfulness of processing. And this includes transferring data to a third party and this is where Pseudonymisation can jump in and really, really help organisations to comply with GDPR and sharing personal data.

Steffen, it sounds as if Pseudonymisation is about much more than just compliance. It's about enablement of the data, that with the appropriate technical and organisational measures as required to satisfy the definition of requirements under Article 4(5), a data controller, co-controllers, and processors can make greater use of the data. So, therefore, it's an enablement capability. It's not just about compliance.

Exactly, Gary. It's about enabling organisations to share personal data, which has been successfully pseudonymised. And this is something which has been ignored until now, from my perspective, this enabling function. And organisations have to take a closer look at the lawfulness of processing, and this is something where I think Pseudonymisation can really help.