Advantages and risks of pseudonymization and anonymization

Anonymization in data protection – opportunity or risk on the borderline? Part 2

Part 2: What procedures, advantages and risks do pseudonymization and anonymization entail in data protection?

What are the procedures for pseudonymization?

In the case of pseudonymization, the controller can use a rights and roles concept to ensure that the pseudonymized data record is never merged with the identifiers. One option, for example, is to encrypt the identifiers and manage the key securely so that only authorized persons can decrypt the data record.
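The role separation described above, as an added example that is not part of the original article: identifiers are replaced by keyed pseudonyms (HMAC-SHA256 under a secret key), and the key together with the re-identification table lives only with a custodian role, so analysts receive the pseudonymized records but cannot reverse them. The record layout, the `Principal` and `KeyCustodian` names and the sample records are assumptions made for this illustration; keyed hashing plus a custodian-held table is used here in place of encrypting the identifiers, which the article names as one option.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Principal:
    """An actor in the rights-and-roles concept (hypothetical roles)."""
    name: str
    role: str  # "custodian" or "analyst"


@dataclass
class KeyCustodian:
    """The only role holding the pseudonymization key and the re-identification table."""
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    reidentification: dict = field(default_factory=dict)

    def pseudonymize(self, identifier: str) -> str:
        # Keyed hash: without the key the pseudonym cannot be recomputed from a
        # guessed identifier, and the same identifier maps to the same pseudonym
        # under one key, so records stay linkable within the pseudonymized set.
        tag = hmac.new(self.key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()[:16]
        self.reidentification[tag] = identifier
        return tag

    def reidentify(self, pseudonym: str, actor: Principal) -> str:
        # The rights-and-roles check: only the custodian role may merge
        # pseudonym and identifier again.
        if actor.role != "custodian":
            raise PermissionError(f"{actor.name} ({actor.role}) may not re-identify data")
        return self.reidentification[pseudonym]


IDENTIFIER = "email"  # the direct identifier column (assumed layout)

# Constructed sample records, not real data.
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "age": 37, "purchases": 4},
    {"email": "bob@example.com", "age": 52, "purchases": 1},
    {"email": "alice@example.com", "age": 37, "purchases": 2},
]


def pseudonymize_records(records, custodian: KeyCustodian):
    """Return copies of the records with the identifier replaced by a pseudonym."""
    out = []
    for rec in records:
        pseudo = dict(rec)
        pseudo["pseudonym"] = custodian.pseudonymize(pseudo.pop(IDENTIFIER))
        out.append(pseudo)
    return out


def contains_identifier(records) -> bool:
    """Check used before handing a data set to the analyst role."""
    return any(IDENTIFIER in rec for rec in records)


def can_reidentify(custodian: KeyCustodian, pseudonym: str, actor: Principal) -> bool:
    """True if the actor's role is allowed to resolve the pseudonym."""
    try:
        custodian.reidentify(pseudonym, actor)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    custodian = KeyCustodian()
    analyst_view = pseudonymize_records(SAMPLE_RECORDS, custodian)
    print(analyst_view)
    print(can_reidentify(custodian, analyst_view[0]["pseudonym"], Principal("ana", "analyst")))
    print(can_reidentify(custodian, analyst_view[0]["pseudonym"], Principal("dpo", "custodian")))
```

The point of the design is that the analyst-facing output contains no identifier column at all, and re-identification requires both the table and the custodian role; rotating or losing the key yields different pseudonyms, so the pseudonymized set is only linkable back with the custodian's cooperation.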

What are the advantages of pseudonymization?

Pseudonymization can serve as a technical and organizational measure within the meaning of Art. 32(1)(a) GDPR to establish an adequate level of protection for data processing. Under special circumstances, it could also serve as a suitable additional measure when legitimizing exports of the pseudonymized data set to unsafe third countries. However, this only works if it is ensured that there is no access to the identifiers in the insecure third country.

What are the procedures for anonymization?

There are various methods for achieving anonymization. What matters in terms of data protection law is that every individual data item that makes a person identifiable because of its specificity is removed. If even one person remains identifiable from the data set, the GDPR remains applicable.

Anonymization can occur, for example, by “diluting” the data: instead of the age, only the year of birth (e.g. 1986) or a period (January to March 1986) is specified. It is important to consider the purposes for which the data set is to be further processed and whether the dilution makes the data unusable for the intended purpose. Which procedures are suitable for anonymization therefore depends not only on the existing data, but also on the further purposes for which the anonymized data are still to be used.
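The dilution step above, as an added example that is not part of the original article: dates of birth are coarsened to a quarter or a year and postal codes are truncated, and after each step the smallest group of records sharing the same quasi-identifier values is measured. It goes slightly beyond the text by applying a k-anonymity style check (every combination must occur at least k times, otherwise some person still stands out) and by stopping at the coarsest level that still satisfies k, which keeps as much utility as possible for the further purpose. The record fields, the `LEVELS` ladder and the sample records are constructed for this illustration.

```python
from collections import Counter
from datetime import date

QUARTERS = ["January to March", "April to June", "July to September", "October to December"]


def generalize_birth(dob: date, level: str) -> str:
    """Dilute a date of birth to the requested level of detail."""
    if level == "exact":
        return dob.isoformat()
    if level == "quarter":
        return f"{QUARTERS[(dob.month - 1) // 3]} {dob.year}"
    if level == "year":
        return str(dob.year)
    raise ValueError(f"unknown level {level!r}")


def generalize_record(rec: dict, birth_level: str, postcode_digits: int) -> dict:
    """Return a copy of the record with diluted quasi-identifiers; other fields are kept."""
    out = dict(rec)
    out["dob"] = generalize_birth(rec["dob"], birth_level)
    out["postcode"] = rec["postcode"][:postcode_digits]
    return out


def smallest_group(records) -> int:
    """Size of the smallest set of records sharing the same (dob, postcode) values.
    A value of 1 means at least one person is singled out by the quasi-identifiers."""
    groups = Counter((r["dob"], r["postcode"]) for r in records)
    return min(groups.values())


# Dilution ladder, from most detailed to coarsest (assumed for this example).
LEVELS = [("exact", 5), ("quarter", 5), ("year", 5), ("year", 3), ("year", 2)]


def dilute_until(records, k: int):
    """Apply the ladder step by step and return (level, records) at the first level
    where every quasi-identifier combination occurs at least k times, or None if
    even the coarsest level still leaves a group smaller than k."""
    for level in LEVELS:
        diluted = [generalize_record(r, *level) for r in records]
        if smallest_group(diluted) >= k:
            return level, diluted
    return None


# Constructed sample records, not real data.
RECORDS = [
    {"dob": date(1986, 2, 14), "postcode": "10115", "diagnosis": "flu"},
    {"dob": date(1986, 3, 3), "postcode": "10117", "diagnosis": "asthma"},
    {"dob": date(1986, 11, 30), "postcode": "10119", "diagnosis": "flu"},
    {"dob": date(1974, 7, 9), "postcode": "80331", "diagnosis": "diabetes"},
    {"dob": date(1974, 8, 21), "postcode": "80333", "diagnosis": "flu"},
    {"dob": date(1974, 5, 2), "postcode": "80335", "diagnosis": "asthma"},
]

if __name__ == "__main__":
    print("smallest group before dilution:", smallest_group(RECORDS))
    result = dilute_until(RECORDS, k=2)
    print("first level satisfying k=2:", result[0] if result else None)
    print("k=4 reachable:", dilute_until(RECORDS, k=4) is not None)
```

Running it shows why the choice of procedure depends on the data: the exact dates and five-digit postcodes single out every person, a year of birth with a three-digit postcode prefix leaves groups of three, and no level of this ladder reaches groups of four, so for a higher k the data set would need a different or additional dilution.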

There are also discussions in the specialist literature about using legal agreements to exclude de-anonymization. Contractual clauses are being considered that prohibit the contractual partner from carrying out certain measures (e.g., publication of the data, merging with other data sets) that could enable de-anonymization.

Is there a need for a legal basis for anonymization in data protection?

The question of whether a legal basis is required for the anonymization process is also disputed. There are arguments that a legal basis is no longer required because the result of anonymization is anonymized data to which the GDPR no longer applies. Especially in view of the risk of de-anonymization, controllers should always base anonymization on a legal basis. Data controllers should also fulfill their data protection obligations for the anonymization process. In case of doubt, this also includes conducting a data protection impact assessment pursuant to Article 35 GDPR, should the risk assessment reveal that there is a high risk to the rights and freedoms of the data subjects.

Data controllers must also inform data subjects that their data will be anonymized, in accordance with Art. 13 and 14 GDPR. In short: as long as data is not anonymized, the requirements of data protection law must be complied with. Therefore, until anonymization has been successfully carried out, all obligations incumbent on data controllers under the GDPR must continue to be met.

What are the advantages of anonymization?

Anonymization could be used to legitimize third-country exports. Since the GDPR does not apply to anonymized data, data protection requirements no longer prevent the transfer to a third country without an adequate level of data protection. However, this only applies if de-anonymization can be ruled out in the third country, and the procedure selected for this must clear high hurdles.

In addition, anonymization can enable further data processing. If data that was originally personally identifiable is anonymized, it can be used without further consideration of the purpose limitation. This is particularly relevant in marketing or research for analyses and evaluations.

What are the privacy risks of anonymization?

Anonymization is risky in that future developments can never be assessed conclusively. For example, it can never be ruled out that technology will develop in such a way that de-anonymization becomes possible. The degree of probability at which anonymization can be assumed to be successful has not been bindingly decided either by the authorities or by the courts. Moreover, in many cases it is impossible to say whether other data sources with additional information will be found in the future that would allow de-anonymization. The consequence of de-anonymization is that data controllers must again comply with data protection regulations and, in particular, require a legal basis for processing the data.

Responsible companies should be aware of the risks that (failed) anonymization entails. If the data involved is still personal rather than anonymous, data protection requirements must be complied with. De-anonymization of data can make the data processing inadmissible in the absence of a legal basis, and the risk of fines for this is high. Careful, risk-based preparation of anonymization can mitigate these risks.

Part 1 of our blog article series on anonymization in data protection can be found here.

If you have any questions about anonymization and pseudonymization of data, please feel free to contact us. We will be happy to advise you with solutions that are individually suitable for you!
