In such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information;
With such additional information kept separately; and
Additional information must be subject to technical and organisational measures to ensure that the personal data can not be attributed to an identified or identifiable natural person.
For more detailed information on the legal and technical aspects of Pseudonymisation this Legal Solutions Guidebook provides additional information
The Need for Pseudonymisation:
Impact of Schrems II*
Prior to Schrems II, the GDPR included Pseudonymisation (for protection of data in use) and Encryption (for protection of data in transit and at rest) as key technical measures for protecting the fundamental privacy rights of EU data subjects. Data Protection by Design and by Default under the GDPR includes the application of these state-of-the-art technical measures for protecting data as per regulatory requirements. At the time of the Schrems II decision, many organisations within the EU had not yet implemented these measures as required in the GDPR
The Schrems II decision did not change the law under the GDPR, rather, it:
Reiterated that Supplementary Measures (of a technical nature) must be applied to protect data in non-EU/EEA or countries without an equivalency decision;
Did not include any grace period (meaning that compliance is required immediately); and
Resulted in Supervisory Authorities having an affirmative obligation to suspend data transfers if an organisation was non-compliant. This has increased potential compliance burdens on organisations significantly.
The goal is to ensure the same protections that should apply to data in the EU, would also apply elsewhere.
How to Use Pseudonymisation to Comply with Schrems II and the GDPR
The European Data Protection Board (EDPB) provided additional guidance on how organisations could implement these technical measures, including Pseudonymisation.
The EDPB set out that "Supplementary Measures" could be applied to cloud processing and data transfers to bring them into line with GDPR and Schrems II requirements. They provided a flow of how organisations need to bring themselves into compliance.
Specifically, the EDPB set out 5 Lawful Use Cases that could continue after Schrems II:
Data Storage for Backup and Other Purposes That Do Not Require Access to Data in the Clear (Protected by Encryption) - Data in Storage
Transfer of Pseudonymised Data for Analytics and Processing - Data in Use
Encrypted Data Merely Transiting Third Countries - Data in Transit
Protected Recipient (e.g. protected by Third Country law such as HIPAA)
Split or Multi-Party Processing
EDPB Recommends GDPR Pseudonymisation
Schrems II Unlawful Use Cases
USE CASE 6
Transfer to Cloud Services Providers or Other Processors Which Require Access to Data in the Clear
USE CASE 7
Remote Access to Data for Business Purposes
Schrems II Lawful Use Cases
USE CASE 1
Data Storage For Backup And Other Purposes That Do Not Require Access To Data In The Clear
The EDPB also set out 2 Unlawful Use Cases, which unfortunately apply to most cloud processing and data transfers to overseas service providers:
Transfer to Cloud Service Providers or Other Processors Which Require Access to Data in the Clear
Remote Access to Data for Business Purposes
EDPB Schrems II Recommendations
To bring your organisation into compliance, you must take appropriate steps to implement Supplementary Measures, or you must stop your data transfers to cloud service providers.
Pseudonymisation is recognised by the EDPB as a key supplementary measure that can be used to support continued processing under Schrems II.
What Makes Good Pseudonymisation?
Pseudonymisation is newly-defined in the GDPR, and is not the same as the old form of Pseudonymisation, which was primarily simple tokenisation of direct identifiers.
The GDPR requires that the "state-of-the-art" be taken into account when applying technical and organisational measures to protect data (Article 32). What is the state-of-the-art when it comes to Pseudonymisation?
Anonos technology is the only solution that meets all 50 Best Practices.
New technology controls must protect data when in use.
To learn more about Anonos’ Schrems II solution contact us below.
*Schrems II refers to the ruling by the Court of Justice of the European Union in Case C-311/18 - Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems, commonly referred to publicly as “Schrems II.” Use of "Schrems II" in no way indicates any relationship or affiliation with, or endorsement by, Max Schrems or by the Non-Governmental Organisation, None of Your Business (NOYB), or any parties directly or indirectly associated with Max Schrems or NOYB.