GDPR Brief: Are pseudonymised data within the GDPR’s scope?

The GDPR now explicitly mentions, and even defines, pseudonymisation, namely the processing of personal data so they can no longer be attributed to a specific data subject without the use of additional information (provided certain measures are in place to prevent re-identification). Coding is commonly used in health research and can, in some cases, act as a pseudonymisation technique.

The question arises as to whether pseudonymised data are no longer personal data and hence no longer subject to the GDPR.

The Article 29 Working Party opined in 2007, in the pre-GDPR era, that for clinical trial data, this can be the case when the re-identification data are held by a different entity and both are subject to a specific scheme prohibiting re-identification and with appropriate measures in place to prevent this. It noted that the then-adequate EU–U.S. Safe Harbour Scheme explicitly stated that pseudonymised pharmaceutical research data are not personal data.

But the Working Party’s more recent 2014 guidance suggests that pseudonymised data remain personal data, deeming this fact “especially relevant in the context of scientific, statistical or historical research.”

The question might at first appear to be definitively resolved by Recital 26 of the GDPR, adopted in 2016, which similarly states that pseudonymised data “should be considered to be information on an identifiable natural person.”

The European Court of Justice’s 2016 Breyer decision, however, appears to allow some room for this not to be the case. The case asked whether certain data falling within the definition of pseudonymous data (although the Court never used this term, and the data had not deliberately been pseudonymised) remained personal data. They remained personal data, the Court held, but only because the entity holding them had the legal means to identify the data subject (interpreting this notion very broadly).

Health Research Authority guidance in the United Kingdom in 2018 went so far as to state that in research, pseudonymised data are not personal data even when re-identifiable within the same organisation (in Example 4 of the linked document).

Given these contradictions, commentary by the UK Information Commissioner’s Office (ICO) during the GDPR legislative process appears prophetic. The ICO warned that the GDPR’s approach to pseudonymisation is confusing: defining the concept of personal data as a function of the means reasonably likely to be used to identify an individual squares poorly with insistence that pseudonymised data are invariably personal data.

Because of the continuing uncertainty in this area, it is recommended to consult any guidance from the data protection authority of one’s own Member State, or to seek legal advice when considering whether to treat pseudonymised data as anonymous.

Further Reading

Relevant GDPR Provisions

  • Recital 26 – Pseudonymised data should be considered to be personal data
  • Recital 29 – Pseudonymisation is permissible within the same controller
  • Article 4(5) – Definition of pseudonymisation

Mark Phillips is a lawyer with a background in computer science, and an academic associate at McGill University’s Centre of Genomics and Policy. He advises clients on and writes about various data protection issues.

Please note that GDPR Briefs neither constitute nor should be relied upon as legal advice. Briefs represent a consensus position among Forum Members regarding the current understanding of the GDPR and its implications for genomic and health-related research. As such, they are no substitute for legal advice from a licensed practitioner in your jurisdiction.