European guidance on ‘pseudonymisation’: Some practical tips for Australian organisations

Done properly, pseudonymisation supports useful data processing – including the use of data for analytics, research and training of AI models. But it can be challenging to get it right. 

Understanding the concept of pseudonymisation, and why pseudonymising data matters, is essential, especially since privacy regulations (such as the GDPR) and UK data protection law increasingly emphasise the need to balance data utility with robust protections for individuals.

This blog post covers some recent developments in the EU and the UK which clarify what we mean by pseudonymisation, why that is important and what to do if you want to pseudonymise data.  It should be of interest to any Australian organisation dealing with issues around usability of their data holdings and how pseudonymisation might support that.

EDPB adopts guidelines for pseudonymisation

Earlier this year, the European Data Protection Board (EDPB) adopted new guidelines on pseudonymisation. The new guidelines provide two main clarifications:

  1. They confirmed something most privacy practitioners already know: pseudonymised data, which could be attributed to an individual by the use of additional information, remains information relating to an identifiable natural person and is therefore still personal data. In particular, if the data can be linked back to an individual by the data controller or someone else, it remains personal data.
  2. More helpfully, they suggested that pseudonymisation can reduce risks and make it easier to rely on legitimate interests as a legal basis, as long as all other GDPR requirements are met. Likewise, pseudonymisation can help secure compatibility with the original purpose. This is a very helpful avenue for organisations looking for a basis for processing data for purposes such as analytics.

Technical Measures and Safeguards for Pseudonymisation

Importantly, the EDPB Guidelines provide practical recommendations and detailed criteria for effectively implementing pseudonymisation in line with the GDPR (see Chapter 3, Technical Measures and Safeguards for Pseudonymisation).

They emphasise that pseudonymisation requires the separation of identifying information from the dataset, with technical and organisational measures in place to ensure the identifiers cannot be attributed to a specific individual without the use of additional information held separately. 

Direct identifiers

At a high level, pseudonymisation requires:

  • Removal or transformation of direct identifiers (referred to as the ‘pseudonymising transformation’) – commonly done using cryptographic algorithms or lookup tables; and
  • Separation of the ‘pseudonymisation secrets’ (e.g. the cryptographic keys used for the transformation). This information must be kept secret and protected from unauthorised access.

Quasi-identifiers

Quasi-identifiers should also be removed or modified by generalisation and randomisation.

Technical and Organisational Measures preventing unauthorised attribution of pseudonymised data to individuals

In order to prevent the unauthorised attribution of pseudonymised data, measures should be taken in three directions:  

  1. The pseudonymising transformation should be protected against reversal by choosing a suitable design and ensuring an appropriate level of security for the pseudonymisation secrets;
  2. Quasi-identifiers should be appropriately handled; and
  3. Data controllers should ensure that their assumptions about the scope of the pseudonymisation domain, about the use of pseudonymised data and about the accessibility of relevant information sources within it are met. (See Chapter 3.2 of the Guidelines for more information.)
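The following Python sketch is an added illustration of the two bullets on direct identifiers and quasi-identifiers above and of the three measures just listed; it is example code written for this post, not code from the EDPB Guidelines or any product. It applies either a keyed cryptographic transformation or a lookup table to the direct identifier, generalises the quasi-identifiers, and treats the key and the lookup table as the separately held ‘additional information’. The sample records, field names and banding choices are constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed sample dataset (not from the guidance): a direct identifier (email),
# two quasi-identifiers (age, postcode) and the payload the analyst actually needs.
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "age": 34, "postcode": "2000", "comment": "Service was slow"},
    {"email": "bob@example.com", "age": 71, "postcode": "3053", "comment": "Happy with outcome"},
    {"email": "Alice@Example.com ", "age": 34, "postcode": "2000", "comment": "Second complaint"},
]

def keyed_pseudonym(identifier: str, secret_key: bytes, domain: str) -> str:
    """Cryptographic transformation: HMAC-SHA256 under the pseudonymisation secret. A keyed MAC
    (not a plain hash) stops anyone without the key recomputing pseudonyms from guessed
    identifiers; the domain label keeps separate pseudonymisation domains unlinkable."""
    msg = f"{domain}\x00{identifier.strip().lower()}".encode()  # normalise before hashing
    return hmac.new(secret_key, msg, hashlib.sha256).hexdigest()[:24]

class LookupTable:
    """Lookup-table transformation: random tokens, where the token-to-identity map is the
    'additional information' that must be held apart from the pseudonymised dataset."""
    def __init__(self):
        self._to_token, self._to_identity = {}, {}

    def pseudonym(self, identifier: str) -> str:
        if identifier not in self._to_token:
            token = secrets.token_hex(8)  # unpredictable, reveals nothing about the identity
            self._to_token[identifier] = token
            self._to_identity[token] = identifier
        return self._to_token[identifier]

    def reidentify(self, token: str) -> str:  # only possible for whoever holds the table
        return self._to_identity[token]

def generalise_age(age: int) -> str:
    """Quasi-identifier handling: coarsen an exact age into a ten-year band."""
    lo = (age // 10) * 10
    return f"{lo}-{lo + 9}"

def generalise_postcode(postcode: str) -> str:
    """Quasi-identifier handling: keep only the leading two digits of a four-digit postcode."""
    return postcode[:2] + "XX"

def pseudonymise(records, secret_key: bytes, domain: str = "analytics") -> list:
    """Transform the direct identifier, generalise quasi-identifiers, keep the useful payload."""
    return [{"pid": keyed_pseudonym(r["email"], secret_key, domain),
             "age_band": generalise_age(r["age"]),
             "area": generalise_postcode(r["postcode"]),
             "comment": r["comment"]} for r in records]
```

Records for the same person stay linkable within one domain (useful for analytics) while a different key or domain label yields unrelated pseudonyms, so whoever holds only the output cannot attribute it without the separately held secret.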

Supporting the use of Legitimate Interests as basis for processing

As mentioned above, the Guidelines outline scenarios where pseudonymisation can support the use of legitimate interests as a lawful basis for processing, provided that suitable safeguards are maintained and data subjects’ rights are protected. These may include relying on legitimate interests for data analytics, research, or system testing where the data has been pseudonymised in accordance with the EDPB’s recommendations.

Finally, the Guidelines also reiterate the importance of complying with the other processing requirements of the GDPR – including controllers’ transparency obligations and the need to facilitate the exercise of data subject rights. More here.

CJEU clarifies personal data definition in context of pseudonymization

Following the release of the new EDPB Guidelines, the Court of Justice of the European Union (CJEU) issued a decision providing further clarification of the definition of personal data when it is pseudonymised.

Background to the CJEU ruling

The ruling was delivered in response to an appeal of a European General Court decision that annulled a 2020 European Data Protection Supervisor (EDPS) action on the transfer of pseudonymized data to a third party.  

In June 2017, the EU Single Resolution Board (SRB) made a preliminary decision on compensation for Banco Popular Español’s creditors and shareholders without their input. Later, stakeholders could submit comments, which were sent in pseudonymized form to Deloitte for valuation.

In 2020, the EDPS found that sharing these comments with Deloitte violated GDPR because stakeholders were not informed.

Then, in 2023, the General Court overturned this decision, ruling that the data sent to Deloitte was sufficiently deidentified and did not qualify as personal information under GDPR. 

In its appeal to the CJEU, the EDPS raised the following questions:

  • whether a person’s pseudonymized opinions constitute personal data,
  • the circumstances when pseudonymized data is considered personal data, and 
  • the data controllers’ notification obligations for reidentification risk during processing.

CJEU Ruling

The CJEU agreed with the EDPS that individuals’ opinions qualify as personal data and that reidentification risks must be assessed individually at the time of data collection, finding errors in the General Court’s approach.

However, it sided with the SRB regarding pseudonymized data, stating that such data is not always personal under the GDPR if circumstances prevent identification by anyone other than the data controller.

Specifically, the CJEU found that:

 “pseudonymized data must not be regarded as constituting, in all cases and for every person, personal data for the purposes of the application (of the GDPR) in so far as pseudonymization may, depending on the circumstances of the case, effectively prevent persons other than the controller from identifying the data subject in such a way that, for them, the data subject is not or is no longer identifiable.”

You can read more about this court ruling from IAPP here.

UK ICO publishes guidance on anonymisation and pseudonymisation

On a more practical note: the UK Information Commissioner’s Office issued guidance on anonymisation and pseudonymisation practices. 

The guide is intended to help individuals and organizations better understand the strengths and weaknesses of different anonymisation techniques, covering how to ensure effectiveness through accountability and governance requirements. 

The ICO identifies the Guidance as useful if you:

  • are required by law to publish anonymous information (e.g. some health service bodies); 
  • are looking to use data in new and innovative ways (e.g. to improve services, design new products or collect large volumes of data to train AI models);
  • need to comply with a request for information under FOI, and it includes personal data; 
  • want to become more transparent and accountable to people; or 
  • want to provide anonymous information for research purposes, or to enable wider societal benefits.

The guide has five sections, each aimed at a potentially different audience:

  1. The first section introduces the key concepts of anonymisation and pseudonymisation, places them in the context of the UK legal framework, and explains the role they play. 
  2. The second section covers the concept of identifiability, including approaches such as the ‘spectrum of identifiability’ and how these can apply in data sharing scenarios. This section also looks at how you can manage identification risk, and covers established concepts like the ‘reasonably likely’ and ‘motivated intruder’ tests. 
  3. The third section looks at how pseudonymisation can help you achieve data protection compliance and which technologies can provide effective pseudonymisation.
  4. The fourth section considers accountability and governance requirements in the context of anonymisation, including data protection by design, data protection impact assessments (DPIAs) and the use of trusted third parties.  
  5. The fifth and final section includes case studies providing practical examples of effective anonymisation. 

In reviewing the types of pseudonymisation techniques available, the Guidance covers the three most common types, which are:

It contains practical and easy-to-understand guidance on these techniques, which you can find here.

Conclusion

Many organisations are struggling with privacy issues relating to how they can use the data they hold, particularly where that may involve a secondary purpose.

The resources covered in this post provide some valuable insights into thinking in the EU and the UK around the use of anonymisation and pseudonymisation techniques, and offer some very practical guidance for Australian organisations on techniques that could be implemented to support these outcomes. All are definitely worth a read!

Privacy, security and training. Jodie is one of Australia’s leading privacy and security experts and the Founder of Privacy 108 Consulting.