New draft guidelines on pseudonymization of personal data were presented at the plenary meeting of the European Data Protection Board (EDPB) on Jan. 16, 2025. These guidelines provide both legal and technical guidance and highlight pseudonymization as an effective measure for protecting personal data. The guidelines are open for consultation until Feb. 28, 2025. Organizations and experts are encouraged to provide feedback.
The draft guidelines have potentially significant implications for how parties process (or have processed) personal data for primary and secondary purposes. Indeed, until now there seemed to be consensus on the fact that pseudonymous data for one party can be anonymous data for a third party when it is not reasonably possible (in terms of time, cost, manpower) for the latter party to identify natural persons (see also recital 26 AVG). Although separate guidelines on the anonymization of personal data are also expected, the current draft guidelines on pseudonymization may be a possible harbinger of a (too) restrictive approach to anonymization.
Pseudonymization is a technique in which identifying elements of personal data are replaced by unique codes. This makes it more difficult to trace the data back to a specific person without additional information. Although pseudonymization does not guarantee complete anonymity, it does reduce the impact of a data breach, for example, and strengthens the security of data processing.
The new guidelines emphasize that pseudonymization is not only a security measure, but can also be a tool to strengthen the "legitimate interest" basis. Companies that apply pseudonymization can demonstrate that they take additional measures to protect the privacy of data subjects. The guidelines make it clear that pseudonymization is a processing of personal data and therefore subject to the AVG. This means that organizations must properly secure pseudonymized data and take appropriate technical and organizational measures. Examples include encryption and access restrictions for the additional information needed to link to the original data.
The distinction between pseudonymization and anonymization is named in the guidelines. With pseudonymization, the possibility of tracing back to an individual remains, whereas with anonymization, all identification possibilities are completely removed. This difference is essential, as only anonymous data falls outside the scope of the AVG.
The guidelines address technical measures to prevent unwanted data linkages, such as the use of cryptography, hashing and strict access control. Hashing, for example, is mentioned as a method that converts data into unique hash values that are difficult to trace back to the original data. However, the EDPB emphasizes that hashed data, depending on the context, is often still considered personal data. Risks such as brute-force attacks or the availability of additional information must be carefully mitigated.
The guidelines also include an annex with ten practical examples. These examples focus, among other things, on the use of pseudonymization in medical data for scientific research, customer data analysis in marketing without profiling, and securing data in clinical trials. This makes the guidelines relevant to a variety of industries.
When it comes to the concept of "personal data," however, the EDPB's approach seems more restrictive than that of the Court of Justice of the European Union (CJEU). Many experts hope the Court will take a position in the SRB case that provides more clarity on the status of pseudonymized data and how it is treated when transferred to third parties. Moreover, the timing of the guidelines is noteworthy as the CJEU is about to rule on this important case, which also involves its sister organization EDPS.
The SRB case revolves around when data ceases to be considered personal data under the AVG. In 2023, the General Court of the European Union adjudicated a dispute in which the Single Resolution Board (SRB) engaged Deloitte for a consultation process with creditors and shareholders of Banco Popular. During this process, the SRB shared pseudonymized data with Deloitte that could not be traced back to specific individuals. So are these data in Deloitte's hands still personal data when Deloitte could not reasonably identify natural persons?
The Court ruled that for data to be considered anonymous, it must be legally and practically impossible to trace it back to individuals, even when pseudonymized. This judgment is important for the interpretation of pseudonymization, especially in cases where data is shared with third parties. The case thus highlights the tension between pseudonymization and anonymity, and the Court must now determine whether this interpretation holds up and continues the line in Breyer and subsequent rulings.
A key point in the guidelines is that, depending on the context, pseudonymized data is still considered personal data under the AVG. This differs from the approach in the United Kingdom, where pseudonymized data can be considered anonymous under certain conditions, as outlined in the Common Services Agency v. Scottish Information Commissioner case. This case held that when it is impossible for the recipient of pseudonymized data to identify individuals, the information is not considered "personal data. This is in line with the ICO guidelines, which are shorter and more accessible than those of the EDPB. According to the ICO, such data can be anonymous to the receiving party, depending on their ability to trace the data back to individuals. This is also known as "effective anonymity."
The new EDPB guidelines offer valuable insights for organizations looking to use pseudonymization to better protect personal data and ensure compliance with the AVG. The question is whether the new guidelines are in line with established CJEU case law. The guidelines are open for consultation until Feb. 28, 2025. Organizations and experts are encouraged to provide feedback.
