Fact sheets

Anonymisation or pseudonymisation

Anonymisation is a technique that consists in “suppressing any identifying characteristics of a set of data”. According to the standard ISO 29100, it corresponds to the “process by which personally identifiable information (PII) is irreversibly altered in such a way that a PII principal can no longer be identified directly or indirectly, either by the PII controller alone or in collaboration with any other party”. (ISO 29100: 2011).

Anonymisation is therefore recognisable by the irreversibility of the loss of any identifiable individual characteristics.

Conversely, the pseudonymisation or “reversible anonymisation”, “consists in replacing identifying information with an alias in a recording. Hence, the physical (natural) persons may still be likely to be identified indirectly”. For example, the codification of the name of a client will not prevent his individualisation if it is possible to gain access to other characteristics, such as, for example, gender, postal address, or date of birth.

As such, the pseudonymisation may reduce the risk of direct correlation between the personal data, but may not completely eliminate, in any way, the personal nature of the processed data.

As a result, the pseudonymisation is not a watered down form of anonymisation, but a simple security measure.

Where pseudonymisation is positioned as a bulwark in front of personal data, anonymisation neutralises irreversibly the personal nature of the data.

Distinct objectives

The choice of anonymisation or pseudonymisation depends less on the technical choice than on the necessity to preserve or not the personal data.

Pseudonymisation lends itself to situations that necessitate or allow the backward reverting of coded personal data to primitive personal data. For example, data processing may necessitate, due to legal obligations, the identification of a specific person.

Conversely, anonymisation does not subscribe to subsequent processing of re-identification and it does not have the calling to allow such backward reverting.

The notions of pseudonymisation and anonymisation answer two distinct objectives: to preserve or not the personal nature of the data. As a result, an anonymisation that may be defeated by the use of sophisticated techniques (for example, by computer software) will not be reconciled with a pseudonymisation.

Pseudonymisation is not an anonymisation “low cost”, but a method sufficient for a specific goal.

The risks of classification

The article, paragraph 2 of law no. 1.165 defines that “personal data, in all of its forms, are any information that can be used to determine a natural or legal person’s identity (specific or identifiable). Is recognized as identifiable, a person who can be identified, directly or indirectly, in particular with reference to an identification number or one or more specific marks that form the person’s own physical, physiological, psychic, economic, cultural, or social identity.”

In the draft amendment of law no. 1.165 regulating the processing of personal data, it is mentioned (pages 9 and 10 of the explanatory statement) “that indeed a person may be identified either directly by his or her name, indirectly by a phone number, number plate, social security number, identity card, or even through a significant combination of criteria enabling the recognition within a limited group of people (for example, age, address, function, position, and so on).”

It is consequently clear to note that the legislator privileged the result over the intention: as long as the person is specific or identifiable, directly or indirectly, the law no. 1.165 applies.

Therefore, by eliminating the characteristics specific of a natural person, anonymisation enables the data to be removed from the scope of application of this law.

On the other hand, the pseudonymised data of which the identifiable nature has not been reduced are still subject to the law no. 1.165.

The choice of the method to disidentify is not neutral in that it dictates the scope of application of the processed data.

Let’s take a look at a concrete example

The article 10-1 of law no. 1.165 states that “personal data must be stored in a form which permits the identification of data subjects for no longer than is necessary to complete the final purpose for which they were collected or for which they will be subsequently processed”.

The anonymisation of personal data, in that it suppresses the identifying characteristics of the data subjects, allows the storage of anonymised data after the realisation of the final purpose of the processing.

On the other hand, the pseudonymisation does not allow the storage of personal data after the storage period defined by the processing.

Unlike pseudonymisation, anonymisation is more a denaturing measure of security