In this blog post, we demystify the concepts of pseudonymisation and anonymisation under data protection law. We’ll explore the practical differences between the two and shed light on the recent judgment of the General Court of the EU, which has significant implications for data handling practices. Getting this differentiation right is key when planning your data processing structure.
In general, if re-identification is feasible, it constitutes pseudonymisation and requires compliance with data protection laws. If personal data is truly anonymised and re-identification is not possible, it does not fall into the regime of data protection law anymore and can be therefore used without any data protection boundaries. However, the question is whether data that someone else (but not the company processing the data) can re-identify is considered pseudonymous or anonymous. In a recent decision, the General Court of the EU confirmed the view that data that a company cannot re-identify with the means reasonably available to it is considered anonymous for the purposes of that company. This decision has been appealed, and the European Court of Justice will need to find a final answer to this practical relevant question soon.
Definitions of pseudonymisation and anonymisation
Legal definition under the GDPR and the FADP
In the EU the GDPR offers definitions for pseudonymisation and anonymisation.
According to the GDPR:
- Pseudonymisation involves processing personal data in a way that it can’t be linked to a specific subject without separate additional information under strict security measures.
- Anonymisation depends on the data subject’s identifiability. If they can’t be identified, the data is anonymised. Identifiability is determined by all the means likely to be used to identify the person directly or indirectly.
- The Swiss Federal Act on Data Protection (FADP) doesn’t give explicit definitions but treats anonymisation akin to deletion, implying the data subject can no longer be identified. Pseudonymisation, on the other hand, makes identification more difficult but not impossible.
Given the vagueness of the terms used and the blurred lines between them, both supervisory authorities and legal experts have provided their input in order to provide a clearer understanding of both concepts and to guide companies in a more data protection compliant path.
Pseudonymisation and anonymisation in practice
Pseudonymisation thus generally is a technique that involves substituting identifiable characteristics in data with alternate identifiers. This process makes it challenging, though not impossible, to trace back the origin of the data subject. This is particularly important for companies as it allows for a certain level of analysis while safeguarding individual identities.
Replacing identifiable information of employees, patients or customers (e.g. names) with unique identifiers that are accessible to authorised personnel only ensures that data can be used for research or analysis without compromising individual privacy. Hashing, encryption and tokenisation are useful techniques to ensure pseudonymisation. However, it’s worth noting that pseudonymised data is still considered personal data. Therefore, companies must implement robust technical and organisational measures to safeguard against the reversibility of pseudonymised data and need to fully comply with privacy laws applicable, including purpose limitation and defining a legal basis for the processing.
Anonymisation, on the other hand, involves altering personal data in such a way that identifying the individual becomes practically impossible without a disproportional effort, rendering the data out of the scope of data protection frameworks, such as the GDPR and the FADP. Anonymisation is also a tool to avoid deleting data and instead use it for further e.g. statistical and training purposes. This process provides a high level of protection of individualās personal data, ensuring that individual identities remain hidden in a non-reversible way. Examples for anonymisation techniques are randomization, aggregation and generalization, often combined in several layers to ensure the reidentification becomes impossible.
Achieving true anonymisation often requires complex technical adjustments, ensuring no combination of data points can lead to individual identification.
Case T-557/20 of the General Court of the EU
While this has been the status quo, recently the General Court of the EU has provided further input on what both concepts entail and how companies can make a distinction between them.
The case revolves around the sharing of information between the Single Resolution Board (a regulatory body) (SRB) and a consulting firm. The SRB argued that the information they provided to the consulting firm, which included comments from shareholders and creditors, didn’t reveal specific individuals as it was anonymised. They believed the data was anonymous because it was accompanied by a code that didn’t allow identification by the consulting firm. However, the European Data Protection Supervisor (EDPS) disagreed. He argued that even with this code, the information could still be linked to individuals based on its content and purpose. The Court ultimately sided with the SRB, highlighting that the EDPS didn’t properly consider the consulting firmās ability to identify individuals using the provided information.
The case at hand underscores the significance of considering the position and powers of parties involved when distinguishing between these processes. In simple terms, companies can take two key takeaways from this case:
- Data may still be considered personal data if it can be linked to a specific individual through content, purpose, or effect: The Court emphasized that to determine if information relates to an ‘identifiable natural person’, one must consider all reasonable means of identification. This includes assessing factors like singling out and the effort required for identification. If the personal data is simply pseudonymised, then companies still need to comply with their obligations under data protection law.
- Identifiability depends on the reasonable means available to the company to identify a person, either directly or indirectly: Given the previous point, the Court ultimately highlighted the importance of considering the company’s position when evaluating identifiability and the means available to it. If that entity is able, through the means available to it, to re-identify the data subject, then we are facing a pseudonymisation process. If, instead, the company is unable, with the means it has available and without disproportionate effort, to re-identify the data subject, then we are facing an anonymisation process.
Currently, this decision was appealed to the Court of Justice of the EU (ECJ), that will have to decide whether the conclusions reached by the General Court are sound, or if it disagrees and provides a final interpretation of the two concepts. However, the ECJ missed the opportunity to take a clear stand on this question in a recent similar case on vehicle identification numbers (C-319/22) and did not provide an answer yet, which perspective is relevant in this case.
This judgment carries substantial implications for companies and their data processing activities. It emphasizes that data may constitute personal information for one party (pseudonymised data), while it may not hold the same status for another party lacking the means to re-identify it (anonymised data).
Companies must be diligent in assessing the capabilities of parties involved in data processing, including their ability to comply with a data processing agreement, in order to determine the appropriate level of protection required for anonymised data.
Conclusion: Key Takeaways for Companies
Implementing pseudonymisation or anonymisation techniques is no easy task but necessary to ensure a high level of data protection throughout the data processing activities made by companies. The recent judgment of the General Court of the EU highlights the importance of clearly distinguishing between pseudonymisation and anonymisation in data processing practices and the different legal consequences they have.
- If personal data is truly anonymised, it does not fall into the regime of data protection law anymore. Anonymisation is therefore also a tool to avoid deleting data and instead use it for further e.g. statistical and training purposes. Examples for anonymisation techniques are randomization, aggregation and generalization, often combined in several layers.
- Companies must carefully assess whether, with the means available to them, they can re-identify a data subject from the processed data. If re-identification is feasible with the means reasonably available to them, it constitutes pseudonymisation and requires compliance with data protection laws. Pseudonymisation, for example via hashing, encryption and tokenisation however is a useful security measure and ensures that data can be used for research or analysis without compromising individual privacy.
Please don’t hesitate to book a free call with our experts to learn more about our data protection services!