Introduction
On January 16, 2025, the European Data Protection Board (EDPB) adopted new guidelines on pseudonymization. These guidelines provide important clarifications on the use and benefits of pseudonymization in accordance with Europe’s General Data Protection Regulation (GDPR), including (i) what pseudonymization means, (ii) how to use it to meet data protection requirements, and (iii) how to implement it. These guidelines may have an impact on Canadian organizations subject to the GDPR or may be of interest to those looking to understand the notion of de-identification in Canada and more specifically, in Québec.
What is Pseudonymization?
Art. 4(5) of the GDPR defines pseudonymization as “the processing of personal data in such a manner that it can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that it is not attributed to an identified or identifiable natural person.” Pseudonymization can be implemented through various techniques, such as the use of tables that map pseudonyms to original identifiers while keeping pseudonyms and original identifiers separate and secure (e.g., in the hands of two separate organizations).
When is Pseudonymization Useful?
While pseudonymization is not mandated by the GDPR, it is a useful strategy to address risks associated with data processing. For example, it can help organizations:
- rely on lawful bases for processing personal data, such as “legitimate interests” (provided all other requirements are met);
- practice the principles of data minimization, data protection by design and by default;
- reduce the risks of unauthorized access or function creep, where data may be used for purposes other than those for which it was collected; and
- enhance the confidentiality and security of data processing.
Is Pseudonymized Data Still Personal Data?
The guidelines clarify that pseudonymized data remains personal data subject to the GDPR. It should not be considered anonymized, which requires data to be irreversibly unidentifiable. This is also the case in Québec, where a regulation determines the modalities by which personal data is considered anonymized.
That pseudonymized data remains personal data may create operational challenges for organizations. For example, organizations receiving access or rectification requests or who have data breach notification obligations may be unable to fulfill these obligations without difficulty.
Is Pseudonymized Data Still Personal Data When Transferred to a Third Party?
Pseudonymizing data before transferring it to third parties can be an effective strategy for ensuring data security and for complying with the data minimization principle. In such cases, it is possible that third parties are unable to reidentify the individuals such that the data is arguably anonymous to them.
It is in this context that the Advocate General of the Court of Justice of the European Union (CJEU) released an opinion on February 6, 2025. He reasoned that where pseudonymization is sufficiently robust to conclude that data is not reasonably identifiable to the organization, it is not processing personal data. Whether this is the case depends on “all objective factors such as the costs of and amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments.”
However, as his opinion is non-binding, it is unclear whether the CJEU will follow the Advocate General’s position.
The French privacy regulator, the Commission Nationale de l’Informatique et des Libertés (CNIL), stated in a recent reminder of obligations (in French only) that there is a distinction between anonymized data and pseudonymized personal data held by a processor, to which the GDPR still applies. Therefore, this issue remains unresolved.
In Québec, this situation has not been resolved yet. That being said, an organization wishing to take the position that they cannot identify individuals using pseudonymized data will likely face challenges. For example, organizations may still need to address access or rectification requests if the requester can assist the organization to identify them, such as by providing the pseudonym.
For More Information
Fasken is here to help. Do not hesitate to visit our Law 25 resource centre or contact this bulletin’s authors if you require assistance with any matters related to privacy or cybersecurity.
