Decoding the EDPB Guidelines on Pseudonymisation: A Balanced Approach to Data Protection

The European Data Protection Board’s (EDPB) Guidelines 01/2025, adopted on January 16, 2025, provide a comprehensive understanding of pseudonymisation as a technical and organizational measure under the General Data Protection Regulation (GDPR). By leveraging pseudonymisation effectively, data controllers and processors can strike a balance between utilizing personal data for legitimate purposes and safeguarding individual privacy. Below, we delve into the key aspects of these guidelines.

Understanding Pseudonymisation and its Legal Framework

Pseudonymisation is defined in Article 4(5) of the GDPR as the processing of personal data such that it cannot be attributed to a specific data subject without the use of additional information. This definition incorporates technical measures like separating the pseudonymised data from identifiers and ensuring organizational controls over access. While pseudonymised data still qualifies as personal data, it is distinguished from anonymised data, which cannot be traced back to individuals.

The GDPR does not mandate pseudonymisation universally; rather, it positions it as a valuable tool for mitigating risks. Specific circumstances, such as implementing data protection by design and by default or complying with data minimisation principles, may necessitate its application. Moreover, pseudonymisation supports legal obligations like ensuring security measures appropriate to processing risks and facilitating compliance with Article 6(1)(f) GDPR, which concerns processing based on legitimate interests.

Advantages and Objectives of Pseudonymisation

One of the primary objectives of pseudonymisation is risk reduction. It minimizes confidentiality risks by replacing direct identifiers with pseudonyms, thus limiting the exposure of sensitive information. For example, in the event of unauthorized data access, pseudonymised data is less likely to lead to harmful consequences for the data subjects.

Additionally, pseudonymisation supports secondary data usage, such as research and statistical analyses, without compromising individual privacy. By allowing for the reversible linking of datasets under controlled conditions, pseudonymisation strikes a balance between privacy preservation and data utility.

The guidelines emphasize the role of pseudonymisation in preventing function creep, where data is used for purposes beyond the original intent. This ensures adherence to purpose limitation principles while fostering trust in data processing activities.

Technical and Organizational Measures

Implementing pseudonymisation effectively requires robust technical and organizational measures. The guidelines outline two primary types of pseudonymising transformations: cryptographic methods and lookup tables. Cryptographic methods, such as one-way functions or encryption, provide strong safeguards against unauthorized attribution, while lookup tables facilitate controlled reversibility.

The concept of a pseudonymisation domain is central to the guidelines. This domain encompasses the context, people, and systems authorized to access pseudonymised data. Controllers must ensure that pseudonymised data remains within this domain and is not linked to additional information that could enable attribution.

To further prevent unauthorized attribution, controllers must address quasi-identifiers, attributes that can indirectly identify individuals when combined. Techniques like generalization, randomization, or limiting the pseudonymisation domain’s scope can mitigate such risks.

Enhancing Compliance and Security

Pseudonymisation plays a pivotal role in achieving data protection by design and by default, as stipulated in Article 25 of the GDPR. By embedding privacy measures into processing activities, pseudonymisation supports principles of confidentiality, data minimisation, and fairness. It also serves as a supplementary measure for secure cross-border data transfers, aligning with Article 46 of the GDPR.

The guidelines stress that pseudonymisation alone is insufficient for comprehensive data security. It must be complemented by measures like encryption, access controls, and secure key management. Moreover, controllers must continually assess the effectiveness of their pseudonymisation practices in light of evolving risks and technologies.

Impact on Data Subject Rights

Pseudonymisation does not absolve controllers from complying with the requirement of facilitating data subject rights under Chapter III of the GDPR. However, in scenarios where controllers cannot effectively identify data subjects, certain rights may not apply. In such cases, controllers must transparently communicate the limitations to data subjects.

Conclusion

The EDPB’s Guidelines on Pseudonymisation serve as a crucial resource for organizations seeking to leverage this technique to balance data protection obligations with operational needs. By emphasizing risk reduction, compliance, and robust implementation, the guidelines highlight pseudonymisation’s potential to foster trust and innovation in data processing while safeguarding individual privacy.

If your organization is dealing with copious amounts of data, do visit www.tsaaro.com

The Ministry of Electronics and Information Technology (MeitY) has released the Draft DPDP Rules, 2025 for Public Consultation! Learn more about the Draft Rules here:  

• Understanding the Draft DPDP Rules
• Consent Notice
• Consent Manager
• Processing of Children’s Data
• Data Retention
• Data Principal Rights
• Security Safeguards
• Data Protection Board of India

News of the Week

1. PayPal Faces $2 Million Fine Over Cybersecurity Lapses

PayPal will pay a $2 million civil fine for cybersecurity failures that exposed customers’ Social Security numbers in 2022. An investigation by New York’s Department of Financial Services found the company lacked qualified staff and adequate training. PayPal discovered the issue after cybercriminals exploited a vulnerability using “credential stuffing.” The company lacked sufficient security measures like multifactor authentication and CAPTCHA. The company has since implemented these measures and cooperated with the probe.

https://www.reuters.com/technology/paypal-fined-by-new-york-cybersecurity-failures-2025-01-23

2.LinkedIn Sued for Privacy Breach Over AI Training

LinkedIn is facing a class action lawsuit from Premium customers who claim the platform disclosed their private messages to third parties for AI training without consent. The lawsuit alleges LinkedIn introduced a privacy setting in August 2024, allowing users to opt out of sharing personal data. However, in September 2024, LinkedIn allegedly discretely updated its privacy policy to include AI training, stating opting out wouldn’t affect past training. The suit seeks damages for breach of contract, violations of California’s unfair competition law, and $1,000 per person under the federal Stored Communications Act. LinkedIn has denied the claims.

https://www.reuters.com/legal/microsofts-linkedin-sued-disclosing-customer-information-train-ai-models-2025-01-22

3.FTC Updates COPPA Rule to Strengthen Kids’ Online Privacy Protections

On January 16, 2025, the FTC, through a press release, announced updates to the Children’s Online Privacy Protection Act (COPPA) to enhance protections for children’s data. Key amendments include requiring verifiable parental consent for data sharing, expanding the definition of personal information, and mandating stronger security measures. Operators must also retain children’s data only as necessary and establish secure data retention policies. The rule takes effect in 60 days from publication in the federal register, with full compliance due within a year.

https://www.ftc.gov/news-events/news/press-releases/2025/01/ftc-finalizes-changes-childrens-privacy-rule-limiting-companies-ability-monetize-kids-data?utm_source=govdelivery

4.South Korea Fines KakaoPay and Apple Pay 

South Korea’s Personal Information Protection Commission (PIPC) fined KakaoPay and Apple Pay a total of 8.3 billion won ($5.8 million) for transferring personal data of 40 million users to China’s Alipay without proper consent on three occassions. The data, including sensitive information, was shared for payment evaluation purposes without user notification or disclosure in privacy policies. KakaoPay was fined $4.2 million for unlawful international data transfers and must address compliance issues, while also disclosing violations on its website and app. Apple Pay was fined $1.7 million for failing to inform users about outsourcing data processing to Alipay and not disclosing data transfers in its privacy policy. Both companies were ordered to correct their practices. Additionally, Alipay must destroy NSF score calculation models based on the transferred data. 

5.Hewlett Packard Enterprise Investigates Data Breach Claim

Hewlett Packard Enterprise (HPE) is investigating claims by hacker “IntelBroker” that sensitive data, including product source code, private GitHub repositories, and access keys to various HPE services, has been stolen. The hacker also alleges access to HPE user data, including personally identifiable information. HPE has activated its cyber response protocols, disabled compromised credentials, and is evaluating the validity of the claims, stating no operational impact or customer data involvement at this time.

https://techcrunch.com/2025/01/21/hpe-investigating-security-breach-after-hacker-claims-theft-of-sensitive-data