SOODONNIMEYESAYSHN

Pseudonymisation

What is Pseudonymisation?
Under the GDPR and final EDPB Schrems II guidance, the term Pseudonymisation requires a new protected “state” of data, including:
  • Protection of direct, indirect, and quasi-identifiers, together with characteristics and behaviours;
  • Protection at the record and data set level versus only the field level so that the protection travels wherever the data goes, including when it is in use; and
  • Protection against unauthorized re-identification via the Mosaic Effect by generating high entropy (uncertainty) levels by dynamically assigning different tokens at different times for various purposes.
These protections are necessary to prevent the re-identification of data subjects without the use of additional information kept separately, as required under GDPR Article 4(5)[1] and as further underscored by paragraph 85(4) of the final EDPB Schrems II guidance. [2] GDPR-compliant Pseudonymisation requires that data is “anonymous” in the strictest EU sense of the word – globally anonymous[3] – but for the additional information held separately and made available under controlled conditions as authorised by the data controller for permitted re-identification of individual data subjects.

[1] Article 4(5) of the GDPR defines Pseudonymisation as “the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.”

[2] Paragraph 85(4) of the final EDPB Schrems II guidance requires that “the controller has established by means of a thorough analysis of the data in question – taking into account any information that the public authorities of the recipient country may be expected to possess and use – that the pseudonymised personal data cannot be attributed to an identified or identifiable natural person even if cross-referenced with such information.”

[3] Footnote 2 of the Adoption by the European Commission of the Implementing Decision (EU) 2021/914 on Standard Contractual Clauses for the Transfer of Personal Data to Third Countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on 4 June 2021 states that anonymisation “requires rendering the data anonymous in such a way that the individual is no longer identifiable by anyone, in line with recital 26 of Regulation (EU) 2016/679, and that this process is irreversible.”
The Need for Pseudonymisation:
Impact of Schrems II*
Under the final EDPB Schrems II guidance, encryption is not recognised as a lawful instrument of protection for EU data when using third country cloud services or remote access, other than for backup. Therefore, Pseudonymisation implemented as required under GDPR Article 4(5) and EDPB Lawful Use Case 2, can be considered, among state-of-the-art technical safeguards available, to be the only lawful bridge available for transfers to third-country cloud service providers or remote service providers.

One of the biggest misunderstandings under the GDPR is the lack of appreciation for how significantly the definition of Pseudonymisation was elevated and heightened, enabling the following:

  • No need to choose between maximum data protection and data utility as both are achievable.
  • 100% precision relative to processing cleartext.
  • 100% speed relative to processing cleartext.
    • In contrast, synthetic data must be recalibrated each time data, users or use cases are changed to reflect new data interrelationships, increasing elapsed processing time by 4X or more depending on the level of variability between data sets.
    • Worse, homomorphic encryption and blockchain which take days to process advanced calculations processed in seconds using cleartext or Pseudonymisation.
How to Use Pseudonymisation to Comply with Schrems II and the GDPR
The European Data Protection Board (EDPB) provided additional guidance on how organisations could implement these technical measures, including Pseudonymisation.
The EDPB set out that "Supplementary Measures" could be applied to cloud processing and data transfers to bring them into line with GDPR and Schrems II requirements. They provided a flow of how organisations need to bring themselves into compliance.

Specifically, the EDPB set out 5 Lawful Use Cases that could continue after Schrems II:
  • Data Storage for Backup and Other Purposes That Do Not Require Access to Data in the Clear (Protected by Encryption) - Data in Storage
  • Transfer of Pseudonymised Data for Analytics and Processing - Data in Use
  • Encrypted Data Merely Transiting Third Countries - Data in Transit
  • Protected Recipient (e.g. protected by Third Country law such as HIPAA)
  • Split or Multi-Party Processing
EDPB Recommends GDPR Pseudonymisation
Schrems II Unlawful Use Cases
USE CASE 6
Transfer to Cloud Services Providers or Other Processors Which Require Access to Data in the Clear
USE CASE 7
Remote Access to Data for Business Purposes
Schrems II Lawful Use Cases
USE CASE 1
Data Storage For Backup And Other Purposes That Do Not Require Access To Data In The Clear
USE CASE 2
Transfer Of Pseudonymised Data
USE CASE 3
Encrypted Data Merely Transiting Third Countries
USE CASE 4
Protected Recipient
USE CASE 5
Split or Multi-Party Processing
The EDPB also set out 2 Unlawful Use Cases, which unfortunately apply to most cloud processing and data transfers to overseas service providers:
  1. Transfer to Cloud Service Providers or Other Processors Which Require Access to Data in the Clear
  2. Remote Access to Data for Business Purposes
EDPB Schrems II Recommendations
To bring your organisation into compliance, you must take appropriate steps to implement Supplementary Measures, or you must stop your data transfers to cloud service providers.
Pseudonymisation is recognised by the EDPB as a key supplementary measure that can be used to support continued processing under Schrems II.
What Makes Good Pseudonymisation?
Pseudonymisation is newly-defined in the GDPR, and is not the same as the old form of Pseudonymisation, which was primarily simple tokenisation of direct identifiers.

The GDPR requires that the "state-of-the-art" be taken into account when applying technical and organisational measures to protect data (Article 32). What is the state-of-the-art when it comes to Pseudonymisation?
Anonos technology is the only solution that meets all 50 Best Practices.
You can view a comparison of Anonos technology with the Best Practices here View 50 BEST PRACTICES Anonos was granted European Patent 3,063,691 in 2020 for state-of-the-art technology that balances data protection and utility.

Anonos guarantees that it achieves the highest level of Schrems II and GDPR compliance while also enabling high data value and utility for global lawful borderless data.

REFERENCES TO EDPB DO NOT INDICATE ANY RELATIONSHIP, SPONSORSHIP, OR ENDORSEMENT BY EDPB. ALL REFERENCES TO EDPB CONSTITUTE NOMINATIVE FAIR USE UNDER APPLICABLE TRADEMARK LAWS.
Eight years and tens of thousands of hours of legal and technology R&D focusing on reconciling data protection and utility from the edge to the cloud
Anonos International Patent Portfolio
EU
3,063,691
(2020)
US
10,572,684
(2020)
CA
2,929,269
(2019)
US
10,043,035
(2018)
US
9,619,669
(2017)
US
9,361,481
(2016)
US
9,129,133
(2015)
US
9,087,216
(2015)
US
9,087,215
(2015)