Viviane Reding, the European commissioner for justice, fundamental rights and citizenship, has warned that data-protection rules should still apply to personal data even when individuals' names have been replaced.
Speaking at a conference on data protection organised by European Voice last week, Reding took a tough line on pseudonymous data, where the identity of the data subject is replaced by some other kind of identifier.
She said: “Pseudonymous data must not become a Trojan horse at the heart of the regulation, allowing the non-application of its provisions.”
In talks on reform of the European Union's data-protection rules, the use of pseudonymous data has emerged as one possible way of reducing the administrative burden on companies involved in processing personal data.
Several of the EU's national governments have criticised Reding's reform proposals as being too prescriptive and are seeking ways to reduce obligations for companies handling personal data. A summary of member states' positions on reform of the rules drawn up in March by Ireland, which holds the rotating presidency of the Council of Ministers, says that the use of pseudonymous data “can contribute to the calibrating of controllers' and processors' data-protection obligations while maintaining protection levels”.
Speaking at the data-protection event, Seán Kelly, a centre-right Irish MEP who drafted a report on the data-protection reform for the European Parliament's industry, research and energy committee, said about pseudonymous data: “I think once provisions are in place to control its use, it has a very important part to play in the regulation.”
Reding insisted that pseudonymous data continued to be personal data and had to be protected under the EU's Charter of Fundamental Rights and EU law. “Risksto privacy remain and are real. A single piece of data such as an email address can create a link between a very accurate profile and a person.”
She said a “robust definition” of pseudonymous data and “robust safeguards” were needed.
Reding's caution was shared by other speakers at the event. Ronan Dunne, chief executive of Telefónica UK, said: “We have to be really clear whether information falls into the category of personal information and whether it is being truly anonymised. The risk is that we create pseudo-categories as well as pseudo-anonymisation.”
Joe McNamee, executive director of European Digital Rights, said that pseudonymisation was “a useful tool” to create protection between individuals and their data. He warned that pseudonymous data was being used as “ersatz anonymisation” in the discussions on the data-protection rules. “Pseudonymous data is our personal data,” he said.
The next important stage in the process of agreeing the rules takes place on 28-29 May when the European Parliament's civil liberties committee is to vote on the reform.
Reding urged national governments and MEPs to complete work on the reform of data rules before the European Parliament elections in May 2014, saying that failing to reach agreement would suit those who wanted to lower the level of data protection.