Why pseudonymization is not the silver bullet for GDPR.
Pseudonymization will not save online advertising companies from having to seek consent to use browsing and other personal data. This note explains why.
Personal data will become toxic in May 2018 when the General Data Protection Regulation is applied, unless data subjects have given consent.
Some businesses may try to rely on “pseudonymization”, a partial method of anonymization, to continue to use personal data without consent. This would be a mistake, as the GDPR (and a previous opinion from the Article 29 Working Party).
Pseudonymization separates personal data so that identifiers that could link the data to a specific person are no longer linked to the other data, so that unless these data re relinked the person is not identifiable. The Regulation mentions pseudonymization in several recitals and articles as a useful tool to reduce risks to data subjects.
[prompt type=”left” title=”Access the GDPR/ePR repository” message=”A repository of GDPR and ePrivacy Regulation explainers, official docs, and current status.” button_text=”Access Now” href=”https://pagefair.com/datapolicydocs/”]
However, the GDPR also makes clear that pseudonymized personal data data remain personal data nonetheless, provided the controller or another party has the means to reverse the process. As The Article 29 Working Party cautioned in 2014 that pseudonymization was a partial and reversible measure that “merely reduces the linkability of a dataset with the original identity of a data subject”.
Consider the following example in the domain of online advertising: a DMP (data management platform) that receives pseudonymized personal data from an ad exchange could partner with a website that retains users’ login details to find data subject’s real e-mail addresses. The DMP could then not only reverse the pseudonymization, but could combine these personal data with other data about the same person that it has collected from other websites, from data brokers, and other sources.
Under the GDPR companies have the flexibility to use personal data for “general analysis” if they pseudonymize the data. However, to do this a company must first have had consent to process the original data.
In other words, whether or not personal data are pseudonymized, the company that controls the data must have consent.
As we have noted previously, consent – and nothing short of it – is the necessary legal basis for processing personally identifiable data for behavioral advertising.
The way forward
Brands, publishers, agencies, and adtech companies are faced with two challenges. The first is to obtain consent, or find ways to target ads and operate programmatic without personal data. The second is to fix data leakage.
PageFair is welcoming collaborators to its Data Protection Platform project to work on this.
[column type=”1/2″ last=”false”]
- Why the GDPR ‘legitimate interest’ provision will not save you
- European Commission proposal will kill 3rd party cookies
- Europe’s new privacy regime will disrupt the adtech Lumascape
[column type=”1/2″ last=”true”]
- PageFair statement at European Parliament ALDE shadow rapporteurs session on the proposed ePrivacy Regulation
- Supporting new European regulation
[x_callout type=”center” title=”Perimeter: the regulatory firewall for online media and adtech. ” message=”Feature-rich adtech, even without personal data. Control user data and 3rd parties in websites + apps. Get robust consent.” button_text=”Learn more” href=”https://pagefair.com/perimeter”]
 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)  OJ L119/1, Article 6, paragraph 1.
 Article 29 Working Party of EU Member State data protection authorities. See “Opinion 05/2014 on Anonymisation Techniques”, Article 29 Working Party, April 2014.
 The Regulation defines pseudonymization as: “‘pseudonymization’ separates personal data from identifiers that could link the data to a specific person, so that unless these data re relinked the person is not identifiable specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person”. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)  OJ L119/1, Article 4, paragraph 5.
 ibid., Recital 28, Recital 29, Recital 78, Article 25, paragraph 1, Article 32, paragraph 1, (a), and pseudonymization is mentioned in Article 40, paragraph 2, (d)’s reference to codes of conduct.
 ibid., Recital 26; and speaks of ““unauthorised reversal of pseudonymization” in Recital 75 and 85.
 “Opinion 05/2014 on Anonymisation Techniques”, Article 29 Working Party, April 2014, p. 3.
The Working Party notes that “linkability will still be trivial between records using the same pseudonymized attribute to refer to the same individual. Even if different pseudonymized attributes are used for the same data subject, linkability may still be possible by means of other attributes”. “Opinion 05/2014 on Anonymisation Techniques”, Article 29 Working Party, April 2014, p. 21.