Why pseudonymization is not the silver bullet for GDPR.

Dr Johnny Ryan

Pseudonymization will not save online advertising companies from having to seek consent to use browsing and other personal data. This note explains why.

Personally identifiable data (PII) will become toxic in May 2018 when the General Data Protection Regulation is applied, unless data subjects have given consent.[1]

Some businesses may try to rely on “pseudonymization”, a partial method of anonymization, to continue to use PII without consent. This would be a mistake, as the GDPR (and a previous opinion from the Article 29 Working Party[2]) make clear.

Pseudonymization

Pseudonymization separates PII from the identifiers that could link the data to a specific person, so that unless these data are relinked the person is not identifiable.[3] The Regulation mentions pseudonymization in several recitals and articles as a useful tool to reduce risks to data subjects.[4]

However, the GDPR also makes clear that pseudonymized PII remain PII nonetheless, provided the controller or another party has the means to reverse the process.[5] The Article 29 Working Party cautioned in 2014 that pseudonymization was a partial and reversible measure that “merely reduces the linkability of a dataset with the original identity of a data subject”.[6]

Consider the following example in the domain of online advertising: a DMP (data management platform) that receives pseudonymized personal data from an ad exchange could partner with a website that retains users’ login details to find data subjects’ real e-mail addresses. The DMP could then not only reverse the pseudonymization, but could also combine these PII with other data about the same person that it has collected from other websites, from data brokers, and from other sources.

Under the GDPR companies have the flexibility to use PII for “general analysis” if they pseudonymize the data. However, to do this a company must first have had consent to process the original data.

In other words, whether or not PII are pseudonymized, the company that controls the data must have consent.

As we have noted previously, consent – and nothing short of it – is the necessary legal basis for processing personally identifiable data for behavioral advertising.

The way forward

Brands, publishers, agencies, and adtech companies are faced with two challenges. The first is to obtain consent, or find ways to target ads and operate programmatic without PII. The second is to fix data leakage.

PageFair is welcoming collaborators to its Data Protection Platform project to work on this.

NOTES

[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) [2016] OJ L119/1, Article 6, paragraph 1.

[2] Article 29 Working Party of EU Member State data protection authorities. See “Opinion 05/2014 on Anonymisation Techniques”, Article 29 Working Party, April 2014.

[3] The Regulation defines pseudonymization as: “‘pseudonymization’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person”. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) [2016] OJ L119/1, Article 4, paragraph 5.

[4] ibid., Recital 28, Recital 29, Recital 78, Article 25, paragraph 1, Article 32, paragraph 1, (a), and pseudonymization is mentioned in Article 40, paragraph 2, (d)’s reference to codes of conduct.

[5] ibid., Recital 26; the Regulation also speaks of “unauthorised reversal of pseudonymization” in Recitals 75 and 85.

[6] “Opinion 05/2014 on Anonymisation Techniques”, Article 29 Working Party, April 2014, p. 3.
The Working Party notes that “linkability will still be trivial between records using the same pseudonymized attribute to refer to the same individual. Even if different pseudonymized attributes are used for the same data subject, linkability may still be possible by means of other attributes”. “Opinion 05/2014 on Anonymisation Techniques”, Article 29 Working Party, April 2014, p. 21.