European Courts have provided some clarification around anonymisation, pseudonymisation and reidentification.
Is anonymised data caught by data protection legislation?
No, data protection law stops once data has been anonymised. Once it can no longer be attributed to an identifiable individual that data stops being personal data, and the shackles applied by the GDPR and other data protection rules are off.
Great! I’ll remove the names and other identifiers from my data sets then I can do what I want and forget about the GDPR and Data Protection Act.
Hold your horses for just one minute, cowboy. It's not that simple. True anonymisation which retains a useful data set is extremely difficult to achieve. What you are most likely to end up with is pseudonymised data.
What’s that then?
You have pseudonymised data if it is possible – however hard – to track back and identify an individual data subject. Pseudonymised data remains personal data and so you remain a data controller for the purposes of data protection legislation. However, a recent CJEU judgement might help.
CJEU? What’s that?
The EU’s Court of Justice, which interprets EU law and decides whether it has been breached.
But we're no longer in the EU.
True. We now have the UK GDPR, which stands outside of the EU's GDPR but remains identical to it. Whilst it is possible that the UK courts could take a different approach, it is unlikely that they would do so. Also, if you have EU operations, or if you process an EU citizen's personal data, then you are still subject to the EU GDPR. So this is a case worth looking at.
I’m all ears!
The case is European Data Protection Supervisor v Single Resolution Board (Case C-413/23), and the CJEU has held that in certain circumstances pseudonymised data may fall outside of the meaning of personal data.
Keep going…I’m still with you
The Single Resolution Board (SRB) disclosed personal data that it had collected and processed to Deloitte. This data consisted of certain comments made by the data subjects. Neither the individuals' names nor any other identifier were disclosed to Deloitte, and there was no way that Deloitte could independently identify which comment had been made by a particular data subject or otherwise identify a data subject.
That sounds like anonymised data to me
No, it's pseudonymised data because the SRB had retained an alphanumeric code which enabled it to match up the data transferred to Deloitte to each individual data subject. However, it had not shared this code with Deloitte.
So to all intents and purposes it was anonymous data from Deloitte’s perspective?
Exactly, and the question for the CJEU was whether this meant that Deloitte had data protection obligations in respect of this data even though it could not identify the individual data subjects.
The CJEU decided that whilst the data remained pseudonymised (NOT anonymised) it ceased to be personal data in Deloitte’s hands. It held that where the party to whom the data had been transferred had no meaningful way of being able to establish the identity of the individual data subjects it did not have obligations as data controller.
So we're off the hook. If we receive pseudonymised data we're home and dry with no data protection obligations?
Perhaps. It all depends upon whether you as the third party can, using reasonable means, re-identify that data.
How could we do this?
You might have the key. If the SRB had been prepared to share the alphanumeric code (or 'key') with Deloitte, or if Deloitte could have easily reconstructed that key, then the data would have remained personal data. There are also both legitimate and illegitimate ways of re-identifying personal data.
For example, automated tools are available that can guess or compute possible pseudonym values, particularly where the initial pseudonymisation method is weak. Cryptanalysis tools can be used to exploit weak algorithms or poorly managed keys.
It may be possible to recreate the mapping between the pseudonym and the initial identifiers, particularly if the data set is vulnerable to correlation or triangulation with other available data sets, or if the data sets used are vulnerable to data mining software.
Essentially the CJEU said that whether the third party can be absolved of liability depends upon whether re-identification is possible taking into account ‘all means reasonably likely’.
What does that mean?
You need to look at it on a case-by-case basis, and focus on all objective factors, such as cost, the resources available to the third party, the amount of time required and the available technology, which would help determine whether re-identification is reasonably practicable.
So re-identification doesn’t need to be impossible, it just needs to be very difficult/impractical in the circumstances.
Bang on.
What happened to the SRB?
The CJEU made it clear that the SRB retained all of the obligations of a data controller, including the obligation to inform the data subjects to whom it would be transferring that data, even though it was being transferred in a pseudonymised form.
What does this mean in practice for me?
It depends. Data controllers routinely pseudonymise data where it is being transferred to a third party. The transferor of that data remains the data controller and its position is not greatly affected by the CJEU's judgement. Transferors should remember that proper pseudonymisation is a highly effective method of complying with several of the principles under the GDPR and should always be considered when data is being transferred.
The real difference comes if you're the third party recipient of the pseudonymised data, in that you may now not be a data controller of the data transferred to you.
I want examples!
OK, OK. Imagine that you are a research partner of a university. That university pseudonymises a set of medical study records before these are sent to you. You don't have the key necessary to link the data back to individuals. In this case, provided that you do not have reasonable means for re-identification, you would not need to treat the data as personal data.
Or imagine you are a pay and benefits consultancy. Your client transfers pseudonymised data to you. Again, you do not have reasonable means to re-identify the data. You want to send it to your US-based subsidiary for further statistical analysis. You can now do so without jumping through the hoops required when transferring data to a third country.
Great, that could be really helpful for me.
Yes, it is likely to be useful for many organisations that routinely receive and process data, but do your homework in each case. Remember the GDPR is big on accountability, which means documenting your decisions and the reasons for them.
What do you suggest?
Whenever you are in receipt of a pseudonymised data set ask yourself the following questions, and record your decisions:
- What is the nature of the data? Would re-identification be possible by using external or readily available data sets?
- What methodology was used for pseudonymisation? Ask yourself whether you could (not whether you will) re-identify that data.
- If you cannot realistically de-pseudonymise that data, then data protection obligations will not apply.
- If you can realistically de-pseudonymise that data, then it is personal data and full data protection obligations will apply.
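The following is an added illustration, not part of the original article, of the second question above and of the earlier point that a weak pseudonymisation method lets a recipient reconstruct the key: it compares an unkeyed hash over a small identifier space (which the recipient can map back by enumeration) with a keyed HMAC whose secret the transferor retains. All records and staff numbers are constructed sample data.

```python
import hashlib
import hmac
import secrets

# Constructed sample: the transferor holds 4-digit staff numbers alongside
# free-text comments and wants to share only the comments (as in the SRB case).
RECORDS = {
    "1042": "The reorganisation was poorly communicated.",
    "2377": "Training budget should be ring-fenced.",
    "9810": "Happy with the new flexible working policy.",
}
# Every possible staff number: a space small enough to enumerate in full.
ID_SPACE = [f"{n:04d}" for n in range(10_000)]


def weak_pseudonym(identifier: str) -> str:
    """Unkeyed hash: anyone who knows the scheme can recompute it."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret the transferor keeps (the 'key' in the text)."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()


def pseudonymise(records: dict, fn) -> dict:
    """Replace each identifier with its pseudonym; comments are unchanged."""
    return {fn(i): comment for i, comment in records.items()}


def recoverable_without_key(pseudonymised: dict, public_scheme) -> int:
    """Recipient-side assessment: how many received pseudonyms map back to a
    staff number using only the public scheme and the enumerable ID space.
    Any non-zero result means the mapping is realistically reconstructible."""
    lookup = {public_scheme(i): i for i in ID_SPACE}
    return sum(1 for p in pseudonymised if p in lookup)


def demo() -> tuple:
    """Returns (recovered from unkeyed hash, recovered from keyed HMAC)."""
    weak = pseudonymise(RECORDS, weak_pseudonym)
    key = secrets.token_bytes(32)  # retained by the transferor, never shared
    strong = pseudonymise(RECORDS, lambda i: keyed_pseudonym(i, key))
    # The recipient has no access to `key`, so the only scheme it can
    # recompute is the unkeyed one; the HMAC outputs never match.
    return (recoverable_without_key(weak, weak_pseudonym),
            recoverable_without_key(strong, weak_pseudonym))


if __name__ == "__main__":
    w, s = demo()
    print(f"unkeyed SHA-256: {w} of {len(RECORDS)} re-identified by enumeration")
    print(f"keyed HMAC:      {s} of {len(RECORDS)} re-identified by enumeration")
```

The unkeyed version is reversible by the recipient alone and so should still be treated as personal data; the keyed version is not, provided the key genuinely stays with the transferor.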
Contact Us
For help on any of the matters raised in this article, please contact Matthew Cole.