Under the GDPR and final EDPB Schrems II guidance, the term Pseudonymisation requires a new protected “state” of data, including:
Protection of direct, indirect, and quasi-identifiers, together with characteristics and behaviours;
Protection at the record and data set level versus only the field level so that the protection travels wherever the data goes, including when it is in use; and
Protection against unauthorized re-identification via the Mosaic Effect by generating high entropy (uncertainty) levels by dynamically assigning different tokens at different times for various purposes.
These protections are necessary to prevent the re-identification of data subjects without the use of additional information kept separately, as required under GDPR Article 4(5) and as further underscored by paragraph 85(4) of the final EDPB Schrems II guidance.  GDPR-compliant Pseudonymisation requires that data is “anonymous” in the strictest EU sense of the word – globally anonymous – but for the additional information held separately and made available under controlled conditions as authorised by the data controller for permitted re-identification of individual data subjects.
 Article 4(5) of the GDPR defines Pseudonymisation as “the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.”
 Paragraph 85(4) of the final EDPB Schrems II guidance requires that “the controller has established by means of a thorough analysis of the data in question – taking into account any information that the public authorities of the recipient country may be expected to possess and use – that the pseudonymised personal data cannot be attributed to an identified or identifiable natural person even if cross-referenced with such information.”
 Footnote 2 of the Adoption by the European Commission of the Implementing Decision (EU) 2021/914 on Standard Contractual Clauses for the Transfer of Personal Data to Third Countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on 4 June 2021 states that anonymisation “requires rendering the data anonymous in such a way that the individual is no longer identifiable by anyone, in line with recital 26 of Regulation (EU) 2016/679, and that this process is irreversible.”
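The dynamic, purpose-specific tokens and the separately held additional information described above can be illustrated as follows. This is an added example, not code from the page and not Anonos' implementation; the class name PseudonymVault, the HMAC-SHA-256 key derivation, and the purpose and period labels are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class PseudonymVault:
    """Controller-side component (hypothetical name). The master key and the
    lookup table are the 'additional information' that is kept separately."""

    def __init__(self):
        self._master = secrets.token_bytes(32)  # never shipped with the data
        self._lookup = {}                       # token -> original value

    def _scoped_key(self, purpose, period):
        # Independent key per (purpose, period): tokens from one release
        # cannot be matched against tokens from another.
        label = f"{purpose}\x00{period}".encode()
        return hmac.new(self._master, label, hashlib.sha256).digest()

    def tokenise(self, field, value, purpose, period):
        msg = f"{field}\x00{value}".encode()
        mac = hmac.new(self._scoped_key(purpose, period), msg, hashlib.sha256)
        token = mac.hexdigest()[:32]
        self._lookup[token] = value
        return token

    def protect(self, record, protected_fields, purpose, period):
        # Tokenise direct, indirect and quasi-identifiers; keep the payload.
        return {k: self.tokenise(k, v, purpose, period) if k in protected_fields else v
                for k, v in record.items()}

    def reidentify(self, token, authorised):
        # Re-identification only under conditions the controller authorises.
        if not authorised:
            raise PermissionError("re-identification not authorised")
        return self._lookup[token]


# Constructed sample record, not real data.
RECORD = {"email": "a.person@example.org", "postcode": "D02 X285",
          "birth_year": "1984", "basket_total": 42.50}
PROTECTED = {"email", "postcode", "birth_year"}

vault = PseudonymVault()
analytics_q1 = vault.protect(RECORD, PROTECTED, "analytics", "2024-Q1")
analytics_q1_again = vault.protect(RECORD, PROTECTED, "analytics", "2024-Q1")
analytics_q2 = vault.protect(RECORD, PROTECTED, "analytics", "2024-Q2")
fraud_q1 = vault.protect(RECORD, PROTECTED, "fraud-review", "2024-Q1")


def shared_tokens(a, b):
    """Tokens two releases have in common: what a recipient could join on."""
    return {a[f] for f in PROTECTED} & {b[f] for f in PROTECTED}
```

Tokens are stable inside one purpose and period, so grouping and joins still work there, while releases for a different purpose or period share no tokens to link on. Fields left in the clear, such as basket_total here, can still act as quasi-identifiers, so the choice of protected fields needs its own analysis.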
The Need for Pseudonymisation:
Impact of Schrems II*
Under the final EDPB Schrems II guidance, encryption is not recognised as a lawful instrument of protection for EU data when using third country cloud services or remote access, other than for backup. Therefore, Pseudonymisation, implemented as required under GDPR Article 4(5) and EDPB Lawful Use Case 2, can be considered, among the state-of-the-art technical safeguards available, to be the only lawful bridge available for transfers to third-country cloud service providers or remote service providers.
One of the biggest misunderstandings under the GDPR is the lack of appreciation for how significantly the definition of Pseudonymisation was elevated and heightened, enabling the following:
No need to choose between maximum data protection and data utility as both are achievable.
100% precision relative to processing cleartext.
100% speed relative to processing cleartext.
In contrast, synthetic data must be recalibrated each time data, users or use cases are changed to reflect new data interrelationships, increasing elapsed processing time by 4X or more depending on the level of variability between data sets.
Worse, homomorphic encryption and blockchain take days to process advanced calculations that are processed in seconds using cleartext or Pseudonymisation.
How to Use Pseudonymisation to Comply with Schrems II and the GDPR
The European Data Protection Board (EDPB) provided additional guidance on how organisations could implement these technical measures, including Pseudonymisation.
The EDPB set out that "Supplementary Measures" could be applied to cloud processing and data transfers to bring them into line with GDPR and Schrems II requirements. They provided a flow of how organisations need to bring themselves into compliance.
Specifically, the EDPB set out 5 Lawful Use Cases that could continue after Schrems II:
Data Storage for Backup and Other Purposes That Do Not Require Access to Data in the Clear (Protected by Encryption) - Data in Storage
Transfer of Pseudonymised Data for Analytics and Processing - Data in Use
Encrypted Data Merely Transiting Third Countries - Data in Transit
Protected Recipient (e.g. protected by Third Country law such as HIPAA)
Split or Multi-Party Processing
EDPB Recommends GDPR Pseudonymisation
[Graphic: Schrems II use cases. Unlawful: Use Case 6, Transfer to Cloud Services Providers or Other Processors Which Require Access to Data in the Clear; Use Case 7, Remote Access to Data for Business Purposes. Lawful: Use Case 1, Data Storage for Backup and Other Purposes That Do Not Require Access to Data in the Clear.]
The EDPB also set out 2 Unlawful Use Cases, which unfortunately apply to most cloud processing and data transfers to overseas service providers:
Transfer to Cloud Service Providers or Other Processors Which Require Access to Data in the Clear
Remote Access to Data for Business Purposes
EDPB Schrems II Recommendations
To bring your organisation into compliance, you must take appropriate steps to implement Supplementary Measures, or you must stop your data transfers to cloud service providers.
Pseudonymisation is recognised by the EDPB as a key supplementary measure that can be used to support continued processing under Schrems II.
What Makes Good Pseudonymisation?
Pseudonymisation is newly defined in the GDPR and is not the same as the old form of Pseudonymisation, which was primarily simple tokenisation of direct identifiers.
The GDPR requires that the "state-of-the-art" be taken into account when applying technical and organisational measures to protect data (Article 32). What is the state-of-the-art when it comes to Pseudonymisation?
Anonos technology is the only solution that meets all 50 Best Practices.
New technology controls must protect data when in use.
*Schrems II refers to the ruling by the Court of Justice of the European Union in Case C-311/18 - Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems, commonly referred to publicly as “Schrems II.” Use of "Schrems II" in no way indicates any relationship or affiliation with, or endorsement by, Max Schrems or by the Non-Governmental Organisation, None of Your Business (NOYB), or any parties directly or indirectly associated with Max Schrems or NOYB.