Safeguarding Data: A Review of Anonymization and Pseudonymization

26.04.2024


Hande Çağla Yılmaz co-authored this article.


1. INTRODUCTION

In the era of digital transformation, data privacy has become a paramount concern for individuals and organizations. As data flows seamlessly across the internet, sustaining the privacy of that data, especially personal data, has become crucial. In this article, the importance of anonymization and pseudonymization for ensuring data privacy is reviewed in the context of the data protection legislation of the European Union, the United Kingdom, and Türkiye. We also review how these two concepts, which are often assumed to be the same, differ from each other and are subject to different rules in data protection legislation.

1.1. A Brief Overview of Data Privacy Concern

It is important to understand the need for measures to protect data and sustain data privacy. The potential risks associated with data breaches, unauthorized third-party access, and cyberattacks emphasize the need for robust protective measures. There is also the risk of data matching, which is normally a method to combine, compare or match personal data from multiple sources[1]:


- to prevent fraud,

- for direct marketing,

- to monitor personal use or uptake of statutory services or benefits,

- for federated identity assurance services.


However, data matching also poses a risk for leaked data: data belonging to the same data subjects, or groups of data subjects, across leaked datasets may be matched for malicious purposes.

1.2. Importance of Data Anonymization and Pseudonymization

The data at risk may be personal data, even special categories of personal data. Therefore, technical or organizational precautions must be taken to prevent the undesirable risks mentioned in the previous section. For this reason, anonymization and pseudonymization methods should be preferred for both the privacy and the security of the data. Accordingly, anonymization and pseudonymization are comparatively reviewed in the next section of the article.

2. A LOOK AT ANONYMIZATION AND PSEUDONYMIZATION

To understand what anonymization and pseudonymization are, it is appropriate to first review the data protection legislation of the European Union (“EU”), the United Kingdom (“UK”) and Türkiye.

2.1. Anonymization

2.1.1. EU

Anonymization is not defined in the EU General Data Protection Regulation (“GDPR”); therefore the concept is controversial in the EU. For example, in the Article 29 Working Party’s Anonymization Techniques Guidance[2], anonymization is approached in a risk-based manner, assessing the residual risk of identification as follows:


“Data controllers should not rely on the “release and forget” approach. Given the residual risk of identification, data controllers should:


- Identify new risks and re-evaluate the residual risk(s) regularly,

- Assess whether the controls for identified risks suffice and adjust accordingly, and

- Monitor and control the risks.”


Although anonymization is not defined in Article 4 of the GDPR, anonymous information is mentioned in Recital 26 as follows:


“The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes.”[3]


According to the Joint Paper[4] of the Spanish Data Protection Authority (“AEPD”) and the European Data Protection Supervisor (“EDPS”), anonymization is defined as follows:


“Anonymization is the process of rendering personal data anonymous.”


In summary, under EU data protection legislation, anonymous data is outside the scope of the GDPR and is understood as data from which no person can be identified, and anonymization is the process of producing such data. This raises a question: is it possible to re-identify anonymous data? The Joint Paper of the AEPD and EDPS explains that re-identification is the result of poor or incomplete anonymization:


“The re-identification likelihood is the probability in a given dataset of re-identifying an individual, by turning anonymized data back into personal data through the use of data matching or similar techniques…


…Throughout the years, there have been several examples of incomplete or wrongfully conducted anonymization processes that resulted in the re-identification of individuals.”


The Joint Paper of the AEPD and EDPS emphasizes several misunderstandings about anonymization as follows:


- Pseudonymization is not a technique of anonymization.

- Encryption is not an anonymization but a pseudonymization technique.

- It is not always possible to lower the re-identification risk.

- Anonymization may not be forever and needs adjusting in light of technical developments and additional information.

- Although a 100% anonymization is the desirable goal it might not be the reality.

- It is possible to analyze and measure the degree of anonymization.

- For anonymization, human expert intervention is needed.

- A proper anonymization process keeps the data functional for a given purpose.

- Anonymization processes need to be tailored to the nature, scope, context, and purposes of processing.

- Re-identification of an individual could have a serious impact on their rights and freedoms.


In line with all this, anonymization is a multi-stage and periodic process that requires human expertise to sustain privacy. Comprehensive guidance on it will be strengthened once the “Guidelines on Anonymization” are published by the EDPB. The Guidelines are expected according to the EDPB's Work Programme for 2023 and 2024[5].

2.1.2. UK

Likewise, the UK GDPR does not define anonymization in Article 4, which contains its definitions. However, the ICO has published a code of practice[6] for anonymization. The Code of Practice also refers to Recital 26 of the GDPR, emphasizing that anonymization supports data minimization, and explains the following issues on anonymization:


- The UK courts have used the ‘reasonably likely’ test for anonymization; practical problems arise from assessing the “likelihood” or “reasonable likelihood” of identification.

- Anonymization helps organizations to comply with their data protection obligations whilst enabling them to make information available to the public.

- It is not always necessary or possible to use anonymized data instead of personal data.

- Anonymization is not possible for all types of data, e.g., security data.

- Anonymization may help the safe sharing of data within organizations and with legal authorities.

- If personal data is produced through a re-identification process, it falls under the data controller’s responsibilities.

- Consent is generally not needed to legitimize an anonymization process.

- Postcodes, GPS data or map references may be personal data or not, depending on the situation.

- The fact that data is not personal data does not mean that it is always okay to disclose it.

- Limited access is better than disclosure.

- Organizations that are anonymizing personal data need an effective and comprehensive governance structure.


With this Code of Practice, the ICO has drawn a more comprehensive road map on anonymization. However, unlike the AEPD and EDPS Joint Paper, the ICO refers to pseudonymization as a technique for anonymization and evaluates pseudonymization and data masking as separate concepts, although the two terms are usually used for the same technique.

2.1.3. Türkiye

According to the Turkish Data Protection Law No. 6698 (“PDPL”), anonymization is defined as follows:


“Rendering personal data impossible to link with an identified or identifiable natural person, even through matching them with other data.”


Unlike the UK and EU data protection legislation, the PDPL stipulates that anonymized data shall not be identifiable even if data matching is conducted.


Also, in accordance with subparagraph (b) of paragraph 1 of Article 28 of the PDPL, personal data may be processed for purposes such as research, planning and statistics by anonymizing them for official statistics.


According to the By-Law on Erasure, Destruction or Anonymization of Personal Data (“By-Law”) the following points are stated about anonymization:


- Anonymization is one of the personal data disposal techniques (Erasure, Destruction or Anonymization).

- The Personal Data Storage and Disposal Policy (“Policy”), which a data controller registered with VERBIS (Data Controllers Registry Information System) is responsible for preparing, may include the anonymization policy of the data controller.

- Even if the data controller is not obliged to register with VERBIS, the obligation to apply data disposal techniques, including anonymization, continues.

- Periodic disposal may also be done with the anonymization technique in addition to other data disposal techniques.

- Anonymization is also a data subject’s right under the PDPL.

- All records of anonymization operations shall be kept.

- The data controller has the option to choose the appropriate data disposal technique if the Turkish Data Protection Board (“Board”) does not decide otherwise.

- The data controller is obliged to take all the organizational and technical measures on anonymization.

- If a data controller who is obliged to prepare a Policy needs to dispose of personal data, it shall dispose of it at the first periodic disposal time.

- If a data controller who is not obliged to prepare a Policy needs to dispose of personal data, it shall dispose of it within the first 3 months.

- If the legal ground for processing the personal data has lapsed, the data controller shall dispose of the personal data.


As can be seen, the PDPL and the By-Law set stricter limits for the data controller than the GDPR and UK GDPR. However, the most distinctive point is that Article 10 of the By-Law prefers to use the phrase "impossible to render" for anonymization. As an interpretation of the Turkish data protection regulation, it may be said that, similar to the EU and UK data protection legislation, anonymized data is outside the scope of the PDPL.


Furthermore, the PDPL provides a penalty for those who do not destroy personal data: in accordance with the 2nd paragraph of Article 17 of the PDPL, they are punished for the crime of "Failure to Destroy Data" under Article 138 of the Turkish Penal Code.


Also, there is a Guideline[7] on data disposal by the Turkish Data Protection Authority (“Turkish DPA”), which contains comprehensive guidance on disposal techniques, and in the Technical and Administrative Measures Guide[8] of the Turkish DPA anonymization is counted as a technical measure.

2.2. Pseudonymization

2.2.1. EU

Pseudonymization is defined as follows in Article 4 of the GDPR:


“The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.”


Also, several Recitals of the GDPR explain pseudonymization as follows:


Recital 26: “Personal data which have undergone pseudonymization, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person.”

Recital 28: “The application of pseudonymization to personal data can reduce the risks to the data subjects concerned and help controllers and processors to meet their data-protection obligations.”

Recital 29: “In order to create incentives to apply pseudonymization when processing personal data, measures of pseudonymization should, whilst allowing general analysis, be possible within the same controller when that controller has taken technical and organizational measures necessary to ensure, for the processing concerned, that this Regulation is implemented, and that additional information for attributing the personal data to a specific data subject is kept separately.”

Recital 75: “The risk to the rights and freedoms of natural persons, of varying likelihood and severity, may result from personal data processing which could lead to … unauthorized reversal of pseudonymization.”

Recital 85: “A personal data breach may, if not addressed in an appropriate and timely manner, result in … pseudonymization.”

Recital 156: “The processing of personal data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes should be subject to appropriate safeguards (such as, for instance, pseudonymization of the data) for the rights and freedoms of the data subject pursuant to this Regulation.”


As can be seen, pseudonymization is much more clearly regulated in the GDPR than anonymization. In summary, pseudonymized data may be defined as personal data that can no longer be attributed to a data subject unless additional information is available. The other difference is that pseudonymized data remains within the scope of the GDPR.


Also, in Article 25 of the GDPR, titled “Data Protection by Design and by Default”, pseudonymization is given as an example of appropriate technical and organizational measures. Then, in Article 32 of the GDPR, titled “Security of Processing”, pseudonymization is listed as one of the appropriate safeguards. From these provisions, it may be said that anonymization also falls under the concept of data protection by design and by default, and counts as an appropriate safeguard, since anonymization seeks a tighter privacy.

2.2.2. UK

The UK GDPR does define pseudonymization in Article 4, which contains its definitions, and refers to the Recitals of the GDPR.


In addition, there is a Draft Guideline[9] of the ICO, which was published in February 2022. The Draft Guideline explains the following issues on pseudonymization:


- Pseudonymized data is still personal data.

- Pseudonymization reduces the risk your processing poses to individual rights.

- Pseudonymization enhances the security of the personal data you process.

- Pseudonymization supports the re-use of personal data for new purposes.

- Pseudonymization supports your overall compliance with the data protection principles.

- Pseudonymization builds individuals’ trust and confidence in how you process their data.

- When considering pseudonymization, for both data protection by design and security, the following need to be considered: (i) the state of the art and costs of implementation of any measures, (ii) the nature, scope, context, and purpose(s) of your processing; and (iii) the risks your processing poses to individuals’ rights and freedoms.

- Pseudonymization techniques can reduce the risk of harm to individuals that may arise from personal data breaches.

- Pseudonymization can be a useful tool to enable further processing of personal data beyond its original purpose, such as for research, further analysis, or compatible purposes.

- An effectiveness test shall be carried out before deciding on pseudonymization.

- The pseudonymization techniques shall be decided case by case.


Also, there are two criminal offences relating to the re-identification of de-identified personal data in the UK GDPR at section 171(1) and 171(5).

2.2.3. Türkiye

Pseudonymization is not defined or described in the Turkish data protection legislation but is recognized in the Board's decisions. Moreover, in the Technical and Administrative Measures Guide of the Turkish DPA, pseudonymization is deemed a technical measure. The Board decisions are as follows:


- Pseudonymization (processes such as deleting, crossing out, painting over and starring certain parts of personal data so that they cannot be associated with an identified or identifiable natural person)[10].

- The data controller shall store users' personal data by pseudonymizing or encrypting them[11].

- Methods such as pseudonymization and anonymization should be used when processing data, and if it is necessary to use another data that identifies the person (for example, Turkish Republic ID number) in addition to the person's name and surname information, the relevant data should be used by masking[12].

- The data controller is obliged to apply the necessary partial de-identification or pseudonymization measures on the printed material containing the patient's personal health data and to take measures that will make it difficult to identify the person in question if the material in question falls into the hands of unauthorized persons[13].


From this reading of the Turkish data protection regulation, it may be said that masked data is within the scope of the PDPL, and that masking is a technical measure to ensure privacy.
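The following is an added example (not code from the article or from any regulator) that puts the distinction drawn above into working code: a keyed pseudonym whose key and linkage table are the separately held “additional information” of GDPR Article 4(5), the masking of an ID number in the sense of the Board decision quoted above, and an anonymization-style transformation that keeps no linkage table at all, which is why encryption counts as pseudonymization rather than anonymization. The records, key and field names are constructed for the demonstration.

```python
import hashlib
import hmac

# Constructed sample records (fictitious people), not data from the article.
RECORDS = [
    {"id_number": "10000000146", "name": "Ayse Demir", "postcode": "34000", "diagnosis": "flu"},
    {"id_number": "10000000238", "name": "Mehmet Kaya", "postcode": "34010", "diagnosis": "asthma"},
]
DIRECT_IDENTIFIERS = ("id_number", "name")


def pseudonymize(records, key):
    """Replace direct identifiers with a keyed pseudonym (HMAC-SHA256).

    The key and the linkage table are the 'additional information' of
    GDPR Art. 4(5): kept separately under their own access controls, they
    let the controller re-link; without them the pseudonym is opaque.
    The same key yields the same pseudonym, so all records of one person
    stay linkable for analysis without revealing who the person is.
    """
    pseudonymized, linkage = [], {}
    for rec in records:
        token = hmac.new(key, rec["id_number"].encode(), hashlib.sha256).hexdigest()[:16]
        linkage[token] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
        rest = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        pseudonymized.append({"pseudonym": token, **rest})
    return pseudonymized, linkage


def re_identify(pseudonym, linkage):
    """Reverse a pseudonym; only possible with the separately held linkage table."""
    return linkage.get(pseudonym)


def mask_id_number(id_number, visible=2):
    """Masking as in the Board decision: star every digit except the last ones."""
    return "*" * (len(id_number) - visible) + id_number[-visible:]


def anonymize(records):
    """Anonymization-style transformation: drop direct identifiers, coarsen the
    postcode to its first three digits and keep no linkage table at all.
    Whether the output is truly anonymous still depends on the residual
    re-identification risk (e.g. a rare diagnosis in a small area)."""
    return [{"postcode_area": rec["postcode"][:3], "diagnosis": rec["diagnosis"]} for rec in records]


if __name__ == "__main__":
    key = b"constructed-demo-key"  # in practice: random, stored in a separate system
    pseud, table = pseudonymize(RECORDS, key)
    print(pseud)
    print(re_identify(pseud[0]["pseudonym"], table))   # works: table is available
    print(re_identify(pseud[0]["pseudonym"], {}))      # None: no additional information
    print(mask_id_number(RECORDS[0]["id_number"]))
    print(anonymize(RECORDS))
```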

3. CONCLUSION

Regardless of whether UK, EU or Turkish data protection legislation applies, measures must be taken to ensure data security and data privacy. Among these measures, anonymization and pseudonymization, which fall in the technical measure category, are recommended. When choosing which method to use, the category of data, the size of the data, the processing activity, etc. are taken into consideration. A case-by-case review should be carried out by evaluating all issues. In summary, it is common that anonymized data remains outside the data protection legislation, whereas pseudonymous data is considered within it. What matters is which region's data protection legislation governs these operations, as there may be regional differences, whether small or large.


[1] Information Commissioner’s Office (“ICO”), “Examples of Processing Likely to Result in High Risk”, https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/accountability-and-governance/data-protection-impact-assessments-dpias/examples-of-processing-likely-to-result-in-high-risk/

[2] Article 29 Working Party, “Anonymization Techniques”, https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2014/wp216_en.pdf

[3] GDPR, Recital 26, https://gdpr-info.eu/recitals/no-26/

[4] EDPS & AEPD, “10 Misunderstandings Related to Anonymization”, https://www.edps.europa.eu/system/files/2021-04/21-04-27_aepd-edps_anonymisation_en_5.pdf

[5] EDPB, “EDPB Work Programme 2023/2024”, https://www.edpb.europa.eu/system/files/2023-02/edpb_work_programme_2023-2024_en.pdf

[6] ICO, “Anonymization: Managing Data Protection Risk Code of Practice”, https://ico.org.uk/media/1061/anonymisation-code.pdf

[7] Turkish DPA, “Guide to Deletion, Destruction or Anonymization of Personal Data”, https://www.kvkk.gov.tr/yayinlar/K%C4%B0%C5%9E%C4%B0SEL%20VER%C4%B0LER%C4%B0N%20S%C4%B0L%C4%B0NMES%C4%B0,%20YOK%20ED%C4%B0LMES%C4%B0%20VEYA%20ANON%C4%B0M%20HALE%20GET%C4%B0R%C4%B0LMES%C4%B0%20REHBER%C4%B0.pdf

[8] Turkish DPA, “Technical and Administrative Measures Guide”, https://www.kvkk.gov.tr/yayinlar/veri_guvenligi_rehberi.pdf

[9] ICO, “Draft Anonymisation, Pseudonymisation and Privacy Enhancing Technologies Guidance”, https://ico.org.uk/media/about-the-ico/consultations/4019579/chapter-3-anonymisation-guidance.pdf

[10] Turkish Data Protection Board Decision 2019/389, https://www.kvkk.gov.tr/Icerik/6668/2019-389

[11] Turkish Data Protection Board Decision 2021/311, https://www.kvkk.gov.tr/Icerik/7001/2021-311

[12] Turkish Data Protection Board Decision 2021/1214, https://www.kvkk.gov.tr/Icerik/7270/2021-1214

[13] Turkish Data Protection Board Decision 2022/594, https://www.kvkk.gov.tr/Icerik/7566/2022-594
