{"id":4624,"date":"2023-12-21T16:32:35","date_gmt":"2023-12-21T14:32:35","guid":{"rendered":"https:\/\/aiternalex.com\/?p=4624"},"modified":"2023-12-21T16:36:09","modified_gmt":"2023-12-21T14:36:09","slug":"pseudonymisation-and-anonymisation-the-blurred-line-between-personal-and-non-personal-data","status":"publish","type":"post","link":"https:\/\/aiternalex.com\/en\/data-protection-en\/pseudonymisation-and-anonymisation-the-blurred-line-between-personal-and-non-personal-data\/","title":{"rendered":"Pseudonymisation and anonymisation: the blurred line between personal and non-personal data"},"content":{"rendered":"\t\t<div data-elementor-type=\"wp-post\" data-elementor-id=\"4624\" class=\"elementor elementor-4624 elementor-4614\">\n\t\t\t\t\t\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-4817103f elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"4817103f\" data-element_type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-447414cd\" data-id=\"447414cd\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t\t\t<div class=\"elementor-element elementor-element-5e3c21ad elementor-widget elementor-widget-text-editor\" data-id=\"5e3c21ad\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t
\t\t\t\t<p><span style=\"font-weight: 400;\">In the context of the General Data Protection Regulation (GDPR), Article 4(5) defines pseudonymisation as the processing of personal data in such a way that it can no longer be attributed to a specific data subject without the use of additional information. It is essential to note that this additional information must be stored separately and subject to technical and organizational measures to ensure that such personal data is not attributed to an identified or identifiable natural person.<\/span><\/p><p><span style=\"font-weight: 400;\">Contrary to a common perception, pseudonymisation should not be regarded solely as a technological aspect, but rather as an operational and organizational strategy. 
In fact, recital 29 of the GDPR recognises that pseudonymisation measures which still allow general analysis can be applied within the same controller, provided that the necessary technical and organizational measures are taken and that the additional information for attributing personal data to a specific data subject is stored separately.<\/span><\/p><p><b>Conceptual and Legal Foundations of Pseudonymisation and Anonymisation<\/b><\/p><p><span style=\"font-weight: 400;\">A closer conceptual analysis shows that pseudonymisation is not an isolated concept, but rather an integral part of a coordinated set of measures aimed, on the one hand, at protecting the data of the data subject and, on the other hand, at facilitating the circulation of data while safeguarding compliance by data controllers with their data protection obligations.<\/span><\/p><p><span style=\"font-weight: 400;\">In this context, distinguishing between pseudonymisation and anonymisation is of crucial importance. In short, while pseudonymisation allows the information to be reconstructed, anonymisation makes such reconstruction impossible. This principle is clearly stated in Recital 26, which excludes the application of data protection principles to anonymous information, i.e. information that does not relate to an identified or identifiable natural person, or personal data rendered sufficiently anonymous that the data subject is not, or is no longer, identifiable.<\/span><\/p><p><span style=\"font-weight: 400;\">But how do we determine whether a piece of data is pseudonymous or anonymous? 
Here again, we are helped by recital 26 of the GDPR, which states that to establish the identifiability of a person, account should be taken of all the means, such as identification, which the controller or a third party may reasonably use to identify that natural person directly or indirectly.\u00a0<\/span><\/p><p><b>Judgment T-557-20 of the European Court of First Instance on Pseudonymisation and Anonymisation of Data<\/b><\/p><p><span style=\"font-weight: 400;\">The recent judgment delivered by the European General Court on 26 April 2023, in the context of Case T-557-20, represents a significant milestone in the legal understanding of anonymisation and pseudonymisation practices. Moving away from the previous orientation of the Article 29 Working Party (now replaced by the European Data Protection Board), which postulated a more restrictive approach, the General Court adopted a more nuanced and relativist perspective.<\/span><\/p><p><span style=\"font-weight: 400;\">The Court&#8217;s decision emphasized the need to carefully consider the specific circumstances when assessing the identifiability of data. In the present case, concerning the transmission of shareholder and creditor comments by the Single Resolution Committee (CRU) to third parties, the General Court rejected the idea that the possibility of automatic re-identification qualifies the data as personal. 
In particular, the General Court concluded that, even though the CRU had access to additional data for identification purposes, the transmitted comments and alphanumeric codes had to be qualified as anonymous data. In doing so, it consistently applied the principle contained in Recital 26 of the GDPR and Recital 16 of Regulation 1725\/18: if personal data have been rendered sufficiently anonymous that the data subject cannot or can no longer be identified, data protection principles do not apply.<\/span><\/p><p><span style=\"font-weight: 400;\">This change of course represents a significant departure from previous restrictive interpretations, emphasising the need to carefully assess the actual identifiability of data in specific contexts. The European Court&#8217;s ruling has significantly influenced the legal landscape with regard to anonymisation and pseudonymisation techniques, raising crucial questions about the practical application of these concepts in the current regulatory context.<\/span><\/p><p><b>Conclusions and Key Role of Pseudonymisation and Anonymisation Techniques<\/b><\/p><p><span style=\"font-weight: 400;\">In conclusion, the proper implementation of pseudonymisation and anonymisation techniques is imperative to ensure user privacy, especially in sensitive sectors such as health and finance. The technologies used must comply with legal principles, and the choice between pseudonymisation and anonymisation should be guided by specific needs and the required reversibility. 
A thorough understanding of these concepts and their accurate implementation are crucial to address the legal and regulatory challenges related to the protection of personal data.<\/span><\/p><p><span style=\"font-weight: 400;\">In this context, the ruling of the European Court of First Instance not only provides a crucial clarification of the distinction between anonymous and pseudonymous data, but also raises important reflections on the future of data protection practices. The decision emphasizes the importance of taking a contextual and circumstantial approach when assessing the anonymisation and pseudonymisation of data. It establishes that, in order to determine whether information constitutes personal data, it is necessary to adopt the perspective of the recipient, assessing whether combining the information transmitted with any additional information held by the third party is a reasonably feasible means of identifying data subjects.<\/span><\/p><p><span style=\"font-weight: 400;\">This new orientation of the Luxembourg courts may influence the way organizations implement data protection measures. 
A careful analysis of the specific circumstances therefore becomes crucial to determine whether data can indeed be considered anonymous, even when they are associated with alphanumeric codes or other identifiers.<\/span><\/p>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"<p>In the context of the General Data Protection Regulation (GDPR), Article 4(5) defines pseudonymisation as the processing of personal data in such a way that it can no longer be attributed to a specific data subject without the use of additional information.<\/p>\n","protected":false},"author":4,"featured_media":4619,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[66],"tags":[],"aioseo_notices":[],"jetpack_featured_media_url":"https:\/\/aiternalex.com\/wp-content\/uploads\/2023\/12\/Aiternalex_Pseudonymisation.jpeg","_links":{"self":[{"href":"https:\/\/aiternalex.com\/en\/wp-json\/wp\/v2\/posts\/4624"}],"collection":[{"href":"https:\/\/aiternalex.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/aiternalex.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/aiternalex.com\/en\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/aiternalex.com\/en\/wp-json\/wp\/v2\/comments?post=4624"}],"version-history":[{"count":5,"href":"https:\/\/aiternalex.com\/en\/wp-json\/wp\/v2\/posts\/4624\/revisions"}],"predecessor-version":[{"id":4634,"href":"https:\/\/aiternalex.com\/en\/wp-json\/wp\/v2\/posts\/4624\/revisions\/4634"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/aiternalex.com\/en\/wp-json\/wp\/v2\/media\/4619"}],"wp:attachment":[{"href":"https:\/\/aiternalex.com\/en\/wp-json\/wp\/v2\/media?parent=4624"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/aiternalex.com\/en\/wp-json\/wp\/v2\/categ
ories?post=4624"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/aiternalex.com\/en\/wp-json\/wp\/v2\/tags?post=4624"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}