In EU, Pseudonymous Data Needs Incentives and Protection

For nearly 18 months, European politicians and officials have been deep in debate on the proposed Data Protection Regulation. The discussion has been heated and at times controversial, with keen participation by companies, civil society, data protection authorities, and governments – from the European Union and beyond. Currently, Members of the European Parliament face the difficult task of assessing several thousand proposed amendments to the original proposal, and representatives of Member State governments try to work out how differences in rules and practices across the 27 countries can be reconciled.

CDT has contributed actively to this debate. In our initial analysis of the DPR, we stated our strong support for the Commission’s proposal, and suggested a number of areas for further work. In particular, we highlighted The Right To Be Forgotten as a provision that requires further attention, and earlier this month, we brought out an in-depth examination of the issue.

Now, CDT addresses another central issue that has emerged in the debate on the DPR: Pseudonymous data. The broad question is, whether data held by data controllers that do not readily identify individuals should be subject to less stringent obligations than information which relates directly to an individual. Viviane Reding, the European Commissioner responsible for the DPR, has discussed the issue in recent speeches, and has argued that it makes sense to encourage data controllers to use pseudonyms rather than actual names.

In our paper, CDT sets out our views on how the concept can be made operational in the context of the DPR. Like Commissioner Reding, CDT has argued that the Regulation should be formulated to incentivize companies to keep data in less readily-identifiable forms, and different treatment of pseudonymous data does make sense in certain cases. At the same time, we believe that the definition and rules for the processing of “pseudonymous data” must be carefully constrained so that this exception does not swallow the rule that citizens have a right to the protection of their personal — including pseudonymous — data.

CDT’s paper suggests approaches to determining what constitutes pseudonymous data, and which types of such data could qualify for less stringent rules under the DPR. Key criteria are the ease with which a pseudonym may be tied to a real-world identity, and whether the pseudonym can be considered persistent and universal. We also discuss the obligations that different categories of data should carry. For some pseudonymous data sets it may be reasonable to limit obligations such as access rights and data portability. Equally, in cases of data breach the obligation to notify the data subject may not apply, but only if the data cannot reasonably be tied to particular individuals.

Pseudonymous data involve some difficult and complex issues, and the discussions among Members of Parliament, Member State and Commission officials will continue for some time. We hope the paper helps illuminate the central questions and move the debate forward.