The European Data Protection Board Guidelines on pseudonymisation were adopted on January 16, 2025, and are open for consultation until February 28, 2025. The EDPB has been working on this piece of guidance for several years. Initially, they were meant to be part of a broader set of guidelines dedicated to both anonymisation and pseudonymisation, in the wake of what had been done prior to the adoption of the General Data Protection Regulation (GDPR) with Opinion 05/2014 on anonymisation techniques. But it was then decided that two sets of guidelines should be adopted in the EDPB work programme adopted on 14 February 2023: one dedicated to pseudonymisation and one dedicated to anonymisation (you can compare with the 2021/2022 work programme).
In its Second Report on the application of the GDPR, the European Commission had stressed “the need for additional guidelines, in particular on anonymisation and pseudonymisation” raised by stakeholders and the Council, despite the existence of rich guidance produced by ENISA (e.g., in 2019, 2021, and 2022), national supervisory authorities (e.g., CNIL, AEPD together with the EDPS here and here, the DPC), as well as attempts to synthesise approaches at the global level. A recent document produced at the G7 level tries to highlight the differences in approach among G7 countries.
Given the depth of existing guidance on pseudonymisation, the added value of the EDPB Guidelines was expected to lie in their interpretation of the legal test for pseudonymisation, whose definition is found in Article 4(5) GDPR, to be read together with Recitals 26 and 28 GDPR. This clarification was particularly eagerly awaited in light of the position taken by the regulator of a key sector, namely the European Medicines Agency in its external guidance on the implementation of the European Medicines Agency policy on the publication of clinical data for medicinal products for human use.
The case law on the notion of identifiability has developed progressively. At least three cases would seem at first glance worth considering: Breyer, Scania, and IAB Europe. What is particularly striking, however, is that there is no mention of these cases in Guidelines 01/2025. Yet, the first part of the Guidelines is clearly an attempt to interpret the concept of pseudonymisation within the meaning of the GDPR.
The purpose of this blog post is twofold. First, it aims to highlight a few internal inconsistencies that make the Guidelines difficult to grasp for those seeking a consistent approach to identifiability as both a technical and legal concept. Second, it seeks to clarify the evolution of the legal test for identifiability, to highlight convergences between the approaches of the EDPB and that of the CJEU. But before highlighting internal inconsistencies and convergences with the CJEU’s approach, let’s summarise the approach taken by the EDPB in its Guidelines.
The EDPB’s Approach
Unsurprisingly, the EDPB presents pseudonymisation as a key compliance measure. The EDPB makes it clear that, although pseudonymisation is usually implemented to meet the data protection goal of confidentiality, it can also serve other data protection goals such as accuracy, purpose limitation and fairness.
Just like anonymisation, pseudonymisation is essentially a trade-off between different types of data protection goals, as acknowledged implicitly by the EDPB: while pseudonymisation may help preserve confidentiality, it can also facilitate linkability (e.g., the linkability of information included in different data sources but pertaining to the same individual) and reuse. If the party reusing the pseudonymised data does not have access to the identifying additional information, data subjects may have fewer opportunities to intervene and exercise their rights, as Article 11(2) GDPR provides that if the controller is considered not to be in a position to identify the data subject, Articles 15 to 20 shall not apply except where the data subject provides additional information enabling his or her identification. Of note, as Article 11(2) GDPR does not foresee that the right to object may not apply, it would be useful to include some examples illustrating how it can be preserved.
The strength of pseudonymisation when used as a compliance measure to reduce re-identification risks is determined by introducing the concept of pseudonymisation domain.
Back in 2017, the concept of domain had been introduced in an attempt to conceptualise differences between anonymisation, Article 11 de-identification and pseudonymisation.
A pseudonymisation domain is defined by the EDPB as an “environment in which the controller or processor wishes to preclude [the] attribution of data to specific data subjects.” The range of situationally relevant entities against which confidentiality risks are being mitigated through the data transformation process is thus defined by the party responsible for performing the pseudonymisation. This range is a key consideration for evaluating the robustness of the pseudonymisation process. When external attackers, or more broadly unanticipated recipients of the data, are not taken into account, the level of residual re-identification risks is likely to be higher than if these entities are taken into account to select such controls.
Importantly, by definition, a pseudonymisation domain does not include the entities “authorised to process additional data allowing the attribution of the pseudonymised data to data subjects.” (see definition p. 46)
Why exclude the entities authorised to access the additional information from the pseudonymisation domain? This is because including them would mean performing an anonymisation process as opposed to a pseudonymisation process, as hinted in Recital 26 GDPR. The EDPB’s task in these Guidelines is not to explore situations in which a pseudonymisation process could lead to an anonymisation process, although it clearly and logically states “[e]ven if all additional information retained by the pseudonymising controller has been erased, the pseudonymised data can be considered anonymous only if the conditions for anonymity are met.” (para. 22) Note that the EDPB does not write that anonymisation is only achieved if the additional information retained by the pseudonymising controller is erased.
The EDPB Guidelines include in their annex several detailed examples of the application of pseudonymisation. For each example the EDPB adopts a systematic approach, which essentially illustrates how individual-level data can be transformed into pseudonymised data. It is not expressly stated in the Guidelines that pseudonymised data can never lead to anonymised data. In other words, there is no express rejection of a risk-based approach to anonymisation. A thorough evaluation of the risks should remain an option, e.g. possibly when singling out risks persist within the data, as recalled by the EDPB itself in Opinion 28/2024 on certain data protection aspects related to the processing of personal data in the context of AI models.
Finally, the paragraphs dedicated to international data transfers echo the description of Use Case 2 found in the recommendations on supplementary measures issued in 2021. The EDPB confirms that a whole gamut of data transformation techniques must be applied, which are likely to include generalising techniques such as k-anonymisation (a privacy-preserving method ensuring that each individual in a dataset is indistinguishable from at least k−1 other individuals with respect to certain attributes deemed to be quasi-identifiers).
Internal Inconsistencies
The first conceptual issue emerging from the Guidelines comes from the confusion that is made between the ‘identifiability’ and the ‘relating to’ criteria. As a reminder, the EDPB’s predecessor had broken down the Data Protection Directive’s definition of personal data into a four-prong test in its 2007 Opinion on Personal Data: ‘any information’, ‘relating to’, ‘identified or identifiable’, ‘natural person.’ Pseudonymisation, as a data transformation technique that aims to pursue (at least in part) the data protection goal of confidentiality, has no implication for the appreciation of the ‘relate to’ criterion, which tries to answer the question whether the data describes an individual or something else, like an event, or a machine, or say an animal. As such, pseudonymisation only impacts the identifiability level associated with the individual record. It is therefore confusing to write that “to attribute data to a specific (identified) person means to establish that the data relate to that person.” (para. 17)
A more precise formulation would be: ‘[a]ttributing data to a specific individual means determining that the individual is either identified or identifiable based on the data available within the pseudonymisation domain.’
The technical literature on de-identification usually draws a distinction between direct and quasi (or indirect) identifiers to explain the difference between direct and indirect identifiability, which seems to be at the heart of Article 4(1) GDPR. Although the EDPB draws a distinction between direct and quasi-identifiers, the terminology might appear confusing. The EDPB defines direct identifiers as essentially distinguishing references. However, a pseudonym is by definition a unique reference and therefore distinguishing. This would mean that pseudonymised data is always directly identifying, which is not exactly what the EDPB is trying to say about pseudonymised data. At para. 8, the EDPB writes that “it is clear that direct identifiers need to be removed from data if those data are not to be attributed to individuals.” To make sense of what the EDPB is saying, one would need to add that certain types of direct identifiers are not identifying, which is a confusing statement.
A better formulation would therefore imply acknowledging that direct identifiers have two key characteristics: distinguishability (i.e., uniqueness) and availability (they are potentially available or accessible to or by an attacker). When appropriate data segmentation measures have been implemented, and considering the pseudonymisation domain only, pseudonyms should not be considered available.
For the sake of clarity, it would help to include two sets of definitions: one for direct identifiers and one for quasi or indirect identifiers.
One last point on international data transfers. As explained here, the description of what pseudonymisation processes should look like in the context of international data transfers seems to suggest that no thorough evaluation of the risks is ever possible in this context. In addition, it is not clear whether the EDPB assumes that third-party public authorities should be considered as having some form of prior knowledge or not. If that is the case, a more detailed explanation as to why this is the case would be useful, as mentioned here.
Compatibility with CJEU Case Law
Many have criticised the EDPB Guidelines, stating that they rely upon a misconception of the legal test for identifiability.
While it is true that the EDPB does not perform an analysis of the CJEU case law, the EDPB’s approach and that of the CJEU as it stands today do not appear to be misaligned. Actually, the CJEU is still in the process of refining the identifiability test under the GDPR, as an appeal judgment on this matter is still expected in the SRB case. Looking at the CJEU case law on identifiability though, there seems to be a way to make sense of both the CJEU case law and the EDPB approach to pseudonymisation and arguably anonymisation as well. This can be done by referring to the concepts of distinguishability and availability introduced earlier. Let’s explain. For a detailed overview of the CJEU case law through the lenses of these two concepts see my recent paper available here.
In Opinion 01/2025, the EDPB is essentially saying (assuming it manages to streamline its definitions) that within the pseudonymisation domain, pseudonyms are distinguishing but not available. As a matter of principle, this does not exclude that if a thorough evaluation of the risks is performed, transformed data within an anticipated recipient’s controlled environment could never be considered anonymised. However, until such a demonstration is made, taking into account that the burden of proof lies with the party claiming the anonymised status, the data should be regarded as pseudonymised. What is more, feedback loops, i.e., whether it is expected that the pseudonymised data will enrich the original data at some point in time, are also relevant for the analysis. Whenever a feedback loop is maintained between the original data and the pseudonymised data, there are good reasons to adopt a holistic approach for the legal analysis and not to artificially separate the pseudonymising entity’s hands from the data recipient’s hands.
Of note, in SRB there is no demonstration that a thorough evaluation of risks has been performed and there is a feedback loop that is maintained between the original data and the transformed data.
In Breyer and Scania, the CJEU considers the status of two types of data points: dynamic IP addresses and Vehicle Identification Numbers (VINs). Importantly, IP addresses and VINs are not pseudonyms as the EDPB views them. What is more, in Breyer, dynamic IP addresses are considered to be both distinguishable (singling out takes place) and available (the data holder, i.e., an internet service provider, has the legal means to access additional identifying information). In Scania, VINs are considered indirect personal data in the hands of vehicle manufacturers, which is essentially implying that they are distinguishing and potentially available to anticipated recipients, i.e., independent operators.
In IAB Europe, the CJEU adds an important nuance, which suggests that the concept of personal data is rightly functional, as acknowledged here. When the anticipated processing implies or enables the profiling of data subjects, the only criterion that matters is distinguishability. What this implies is that a thorough evaluation of the risks is in this case irrelevant, which aligns with a high level of data protection.
And in Bindl, although the General Court’s reasoning lacks nuances, the description of the last disputed data transfer seems to imply that the IP address at stake is both distinguishable and available.
To conclude, while a few key definitions still need to be refined, Guidelines 01/2025 represent a step in the right direction. Their importance is set to grow with the upcoming entry into force of the European Health Data Space Regulation, as Article 66 EHSD provides that access to electronic health data for secondary use will happen either in an anonymised format or in a pseudonymised format. One final point that would require clarification is the methodology for conducting a thorough risk evaluation, which can be fiercely debated, as illustrated by the exchanges taking place in the Thin Database case decided by the Italian DPA.
Sophie Stalla-Bourdillon is co-Director of the Privacy Hub. She is also a visiting professor at the University of Southampton Law School, where she held the chair in IT law and Data Governance until 2022. She was Principal Legal Engineer at Immuta Research for six years. Sophie is the author and co-author of several legal articles, chapters and books on data protection and privacy. She is Editor-in-chief of the Computer Law and Security Review, a leading international journal of technology law, and has also served as a legal and data privacy expert for the European Commission, the Council of Europe, the Organisation for the Cooperation and Security in Europe, and for the Organisation for Economic Cooperation and Development.