Pseu­do­nymi­sa­tion: Two sides of the same coin: oppor­tu­ni­ty or risk?

P
Dr Fabi­an Niemann

In the lat­est of her Duet inter­views, Dr Cal­daro­la, edi­tor of Data Ware­house as well as author of Big Data and Law, and Dr Fabi­an Nie­mann dis­cuss the facets of pseudonymisation.

Dr Nie­mann, you have writ­ten a com­pre­hen­sive chap­ter in our book “Data Ware­house” about infor­ma­tion secu­ri­ty as well as tech­ni­cal and organ­i­sa­tion­al mea­sures. For that, I take my hat off to you! It con­tains a lot of legal issues that def­i­nite­ly need dis­cussing.  Since we can­not cov­er every­thing here, let us con­sid­er a top­ic that I find extreme­ly rel­e­vant in view of the cur­rent crises: pseu­do­nymi­sa­tion. Many peo­ple are famil­iar with pseu­do­nymi­sa­tion from lit­er­a­ture. Paul Celan, Tru­man Capote, Jack Lon­don, George Sand, Françoise Sagan, Anna Seghers – none of these authors wrote under their real names. Things are no dif­fer­ent these days but in this par­tic­u­lar con­text, what exact­ly is pseu­do­nymi­sa­tion and how is it used?

Dr Fabi­an Nie­mann: First of all, when it comes to pseu­do­nymi­sa­tion, it is impor­tant to recog­nise that the word “pseu­do­nymi­sa­tion” is used as a buzz­word- and not always cor­rect­ly. Some­times the word is used for mat­ters that actu­al­ly refer to anonymi­sa­tion while oth­er times pseu­do­nymi­sa­tion is indeed meant.

What is cru­cial is whether some­one can cre­ate a sep­a­ra­tion between their per­son and their data sets when they use a pseu­do­nym – as in the lit­er­ary exam­ples you men­tioned. Pseu­do­nymi­sa­tion is a tech­ni­cal pro­tec­tion mea­sure for sep­a­rat­ing data sets from the per­son to whom these data sets belong.

In com­mon par­lance, pseu­do­nymi­sa­tion is often under­stood as mean­ing that records or data can no longer be assigned to a nat­ur­al per­son, an indi­vid­ual. If a “final” sep­a­ra­tion of the data from the indi­vid­ual takes place that can­not be restored or is dif­fi­cult to restore (in terms of time and mon­ey), then this is an anonymi­sa­tion in the legal sense. How­ev­er, if recov­ery is still pos­si­ble using an assign­ment key (e.g. because the password/pseudonym/assignment key is assigned to a per­son in a sec­ond data­base), we lawyers speak of pseu­do­nymi­sa­tion. Accord­ing to the Gen­er­al Data Pro­tec­tion Reg­u­la­tion, pseu­do­ny­mous data will con­tin­ue to be treat­ed like per­son­al data/personal data sets. In con­trast to anonymi­sa­tion, data pro­tec­tion laws con­tin­ue to apply.

In short, pseu­do­nymi­sa­tion uses a pass­word for a data set, while anonymi­sa­tion per­ma­nent­ly deletes the asso­ci­a­tion with a per­son or is very dif­fi­cult to restore.

What pseu­do­nymi­sa­tion meth­ods exist?

Of course, you can use oth­er real names – such as the authors, actors, artists men­tioned above often do. It is also pos­si­ble to use sequences of num­bers, char­ac­ters and/or let­ters. What is prob­a­bly more impor­tant to your ques­tion is how the pseu­do­nyms are created.

Not only is a ran­dom arrange­ment con­ceiv­able, but also a “method­i­cal” arrange­ment of let­ters, num­bers and char­ac­ters. Most of the time, the choice between an arbi­trary and method­i­cal arrange­ment depends on the intend­ed use. If I want to assign the data records again lat­er or if I want to make it clear that the respec­tive data records belong to dif­fer­ent peo­ple, a “method­i­cal” arrange­ment is usu­al­ly cho­sen. If I no longer want an assign­ment, then one or more arbi­trary arrange­ments can be select­ed for each data record.

In this con­text, it is also impor­tant that a data set remain a set includ­ing iden­ti­fi­able per­son­al data in the legal sense if – despite the removal or pseu­do­nymiza­tion of the name or clas­si­cal per­son­al data – it still con­tains data in the data set that can make iden­ti­fi­ca­tion pos­si­ble – be it on their own or based on addi­tion­al infor­ma­tion avail­able. For exam­ple, a per­son with a rare dis­ease and infor­ma­tion about their place of res­i­dence can cer­tain­ly be iden­ti­fied eas­i­ly with­out the name, at least with addi­tion­al knowl­edge obtained from pub­lic records or peo­ple know­ing the per­son. Anoth­er exam­ple: a per­son can also be iden­ti­fied if the data record con­tains, for exam­ple, “Father of two chil­dren and lives on XY Street in the city of Z. Even then, the lawyer does not speak of anonymi­sa­tion, but of pseu­do­nymi­sa­tion. Basi­cal­ly, anonymi­sa­tion and thus “cir­cum­ven­tion” of the data pro­tec­tion law becomes more dif­fi­cult the more data about a per­son is avail­able or accessible.

The GDPR gives those respon­si­ble for a dig­i­tal busi­ness mod­el more lee­way when work­ing with pseu­do­ny­mous data. Which is this leeway?

First of all, let us be clear that the use of pseu­do­nymi­sa­tion is not an absolute “must”, but pseu­do­nymiz­ing where rea­son­ably pos­si­ble is a “duty of care” and an “option” to extent data use cas­es in a com­pli­ant man­ner. Pseu­do­nymi­sa­tion is a tech­ni­cal pro­tec­tive mea­sure that is rec­om­mend­ed by the leg­is­la­ture for cer­tain sit­u­a­tions. The leg­is­la­tor also men­tions sit­u­a­tions that are only per­mit­ted with cer­tain tech­ni­cal pro­tec­tive mea­sures. So, if some­one wants to car­ry out these things which are in fact pro­hib­it­ed legal­ly, they have to imple­ment the pre­scribed tech­ni­cal pro­tec­tive mea­sures men­tioned there. In this way, the field of action for an indi­vid­ual entre­pre­neur expands. In my opin­ion, pseu­do­nymi­sa­tion is both of a duty and an option. Of course, I can gain more rights if I use pseu­do­nymi­sa­tion as a tech­ni­cal pro­tec­tion mea­sure. To me, it is like a stair­case: the first step is anonymi­sa­tion, the sec­ond is pseu­do­nymi­sa­tion and the last step is the use of per­son­al data.

I asked the ques­tion giv­en the back­ground of the Rus­sia-Ukraine war and the sanc­tions against oli­garchs. His­tor­i­cal­ly speak­ing, we know François-Marie Arou­et (known as Voltaire), who came in con­flict with the law at the age of 23 and end­ed up behind bars in the Bastille. He used 160 cov­er tac­tics, fooled his oppo­nents and thus became a pio­neer of the French Rev­o­lu­tion. He used pseu­do­nyms to pro­tect his pri­va­cy. Today, in the Rus­sia-Ukraine war and the sanc­tions imposed against Russ­ian oli­garchs, in the case of the Russ­ian oli­garch Roman Abramovich it is rel­a­tive­ly easy to impose sanc­tions on his assets because those assets are in his name. But Roman Abramovich is an excep­tion because most of the own­ers and rich oli­garchs are unknown. Their assets are dis­guised through front men and anony­mous affil­i­at­ed off­shore com­pa­nies, which make it very dif­fi­cult to iden­ti­fy the true own­ers. Tax havens, off­shore com­pa­nies, front men have always been and are a blind spot that was and is accept­ed. The OECD has been try­ing to bring more trans­paren­cy to this prac­tice for years through BEPS. Against the back­drop of the Ukraine-Rus­sia war, should we con­tin­ue to accept this prac­tice and the approved use of pseu­do­nymi­sa­tion because it is not super­fi­cial­ly clear whether it is being used for the French Rev­o­lu­tion or to sim­ply dis­guise one’s assets?

In your exam­ples, a clear dis­tinc­tion must be made between pseu­do­nymi­sa­tion and front men. Front men act in their own name for their – usu­al­ly unknown – client. Peo­ple with a pseu­do­nym do not act with their real name but still act for them­selves in their own “name”.

The effect is the same, because the real name of the oth­er per­son remains hid­den in the case of the front man, the pseu­do­nym, the off­shore company.

Of course, if you use a pseu­do­nym, you can ask for iden­ti­fi­ca­tion. In the case of a front man who has a secret appoint­ment with some­one else, show­ing his own ID won’t help at all. There are laws such as the Mon­ey Laun­der­ing Act that are intend­ed to pre­vent exact­ly such sit­u­a­tions. Whether these laws will be effec­tive is anoth­er mat­ter. It is pre­cise­ly in these mat­ters that super­vi­so­ry author­i­ty is need­ed to car­ry out an inves­ti­ga­tion, and this is where many such super­vi­sion is lack­ing. In my opin­ion, not every­thing can be prevented.

You are right that the intend­ed use – French Rev­o­lu­tion or tax eva­sion – leaves a bad taste. Data pro­tec­tion is great when it comes to infor­ma­tion­al self-deter­mi­na­tion of the indi­vid­ual and not good at all when it comes to ille­gal trans­ac­tions. Data pro­tec­tion does not help with all prob­lems and con­stel­la­tions. It is one law among many oth­ers that may have the com­mon goal of pre­vent­ing or mak­ing ille­gal trans­ac­tions more dif­fi­cult. Data pro­tec­tion is often “tout­ed” as the pri­ma­ry law, although infor­ma­tion­al self-deter­mi­na­tion is just one right among oth­ers. The COVID-19 cri­sis also showed us this dilem­ma, where health and eco­nom­ic loss­es were weighed against each oth­er, but not against infor­ma­tion­al self-deter­mi­na­tion in data pro­tec­tion. One had the feel­ing that data pro­tec­tion was above all else in terms of impor­tance, like a super con­sti­tu­tion­al right more impor­tant than oth­ers, but real­ly all these rights should have been mea­sured against each other.

My opin­ion is:

“When using pseu­do­nyms, it is impor­tant to look close­ly at each indi­vid­ual case and find out what is behind it. Stan­dard pro­ce­dures alone won’t help here.”

Dr Fabi­an Niemann

Aren’t the Inter­net and dig­i­tal data­bas­es or data ware­hous­es mak­ing it even eas­i­er for asset man­age­ment to mask their activ­i­ties via pseu­do­nymi­sa­tion? Very few coun­tries have pub­licly acces­si­ble reg­is­ters of the actu­al own­ers who stand to ben­e­fit from these fronts. British jour­nal­ist Chris Tag­gart has iden­ti­fied 200 mil­lion com­pa­nies from pub­licly acces­si­ble reg­is­ters world­wide. Nev­er­the­less, EU coun­tries take dif­fer­ent approach­es to this issue. While the UK and Latvia are set­ting up pub­lic reg­is­ters, Spain is keep­ing their reg­is­ters inac­ces­si­ble, Ger­many and Ire­land do not allow machine print­ing and France is only pub­lish­ing parts of their data, to name a few exam­ples. Against this back­ground, don’t we need bar­ri­ers to pseu­do­nymi­sa­tion or pub­licly acces­si­ble reg­is­ters of the real names behind the pseu­do­nyms, so that infor­ma­tion for tax opti­mi­sa­tion is com­pre­hen­si­ble, sanc­tions are pos­si­ble in times of cri­sis, some­thing can be done about this type of crime and cor­rup­tion? In Ger­many alone we do not even know how many Ger­man com­pa­nies are actu­al­ly in the hands of Russ­ian oli­garchs. At the moment, it is impos­si­ble to iden­ti­fy Russ­ian sup­pli­ers who sup­ply prod­uct parts for “Ger­man” prod­ucts. Do the lim­its of pseu­do­nymi­sa­tion need to be reassessed in view of all these issues?

The real ques­tion here is whether cer­tain process­es should be pos­si­ble with­out proof of iden­ti­ty. It makes no dif­fer­ence what­so­ev­er whether proof of iden­ti­ty need not be required for cer­tain process­es, whether an actor appears anony­mous­ly or under a pseu­do­nym, or whether no per­son­al infor­ma­tion is request­ed at all. But the polit­i­cal ques­tion that actu­al­ly aris­es here is whether activ­i­ties not required an iden­ti­ty should even be pos­si­ble or whether iden­ti­fi­ca­tion should be required so that mea­sures can be tak­en against the per­son respon­si­ble in the event of ille­gal ser­vices. It’s like all things on earth. Streets, the inter­net, AI and so on are used by police offi­cers, do-good­ers and crim­i­nals alike. This range of pos­si­ble activ­i­ties can­not be pre­vent­ed – whether by ban­ning some­thing or allow­ing it to freely occur. Pseu­do­nymi­sa­tion and anonymi­sa­tion are mere­ly tech­ni­cal mea­sures and tools- just like the Inter­net, the streets and much more; they mere­ly serve to sim­pli­fy dai­ly life.

Let’s con­sid­er the prac­tice of the many pseu­do­nyms cir­cu­lat­ing on the Inter­net. Be it the many plat­forms where cit­i­zens can par­tic­i­pate under false names, look for part­ners, chat etc.  Even avatars are pseu­do­nyms. Every per­son is usu­al­ly reg­is­tered at birth. What about pseu­do­nyms and avatars? Do we need an assign­ment to real names? What hap­pens when we move from the real world to the Meta­verse, where dif­fer­ent rules and laws may apply? Do we need a reg­is­tra­tion of pseu­do­nyms and avatars of an actu­al per­son for the attri­bu­tion and respon­si­bil­i­ty of his/her actions in the Meta­verse as well as in the real world?

Of course, the Meta­verse is par­al­lel to the real world. So far, the same rules which gov­ern the real world also apply to the Meta­verse. If an Avatar wants to pur­chase a weapon or open an account in the Meta­verse, they must pro­vide their real-world iden­ti­ty. It’s dif­fer­ent with games in the Meta­verse. Iden­ti­fi­ca­tion is not absolute­ly necessary.

Of course, the Meta­verse knows no nation­al bor­ders by which the applic­a­ble law can be deter­mined. But we are also famil­iar with this phe­nom­e­non of a “bor­der­less ter­ri­to­ry” from the Inter­net, and rules for deter­min­ing the applic­a­ble law have also emerged there.

And of course, the Meta­verse is not a gov­ern­ment under­tak­ing. Rather, it was brought into being by com­pa­nies, so one could of course ask whether state or pri­vate sec­tor rules apply here, i.e. only the com­pa­ny’s own “rules of the game / code of con­duct / governance”.

The Meta­verse is and remains – tech­ni­cal­ly speak­ing- a game like any clas­sic board game at home. If the “game” is not attrac­tive enough, then users and play­ers will stay away. Like­wise, I can’t ask the police to gain entry for me into a game in the Meta­verse if the com­pa­ny does­n’t let me. This is the case with every board game, foot­ball game etc.

It is also true that dig­i­tal cloth­ing, dig­i­tal hous­es and much more are sold in the Meta­verse. Com­pa­nies hope to increase their real-world sales in the Meta­verse because the avatars there are not yet sat­u­rat­ed and still have “needs.” But let’s be hon­est, who wants and will seri­ous­ly spend mon­ey on these immov­able things (dig­i­tal jeans, dig­i­tal house…), espe­cial­ly when the Meta­verse can dis­ap­pear at any time? Is it just sell­ing the dream of a sup­pos­ed­ly new alter­na­tive life with new pos­si­bil­i­ties and sup­pos­ed­ly new start­ing con­di­tions? It is not for­bid­den to escape from real life into anoth­er, more beau­ti­ful world and to sup­press every­day wor­ries – be it the Meta­verse or sim­ply a tech­no par­ty in the real world where peo­ple dance for hours. The Meta­verse is a leisure activ­i­ty and ulti­mate­ly just a com­put­er game like Monop­oly that does not need to be regulated.

The GDPR and pseu­do­nymi­sa­tion are not a means of spe­cial­ly reg­u­lat­ing the Meta­verse. This requires oth­er tools. Of course, the GDPR applies in the Meta­verse like in the real world – not more, not less. The first well-known Meta­verse was called “Sec­ond Life”. No rea­son to apply dif­fer­ent rules to your sec­ond than to your first life.

A lot of mon­ey is said to be laun­dered through the use of pseu­do­nyms in the block chain. There are also many pseu­do­nyms on the dark web and, of course, many attacks on dig­i­tal tools come from anony­mous hack­ers. Fake online shops appear on the inter­net and can be mis­tak­en for real ones. Com­pa­nies and author­i­ties are usu­al­ly help­less in these sorts of sit­u­a­tions while per­pe­tra­tors usu­al­ly can­not be uncov­ered. It seems that pseu­do­nyms are expe­ri­enc­ing a new trend in the dig­i­tal world. What sort of rela­tion­ship between infor­ma­tion­al self-deter­mi­na­tion, pseu­do­nymi­sa­tion and trans­paren­cy is need­ed to avoid mis­use? Are manip­u­la­tion secu­ri­ty, authen­ti­ca­tion, access and access con­trols, cryp­tog­ra­phy, encryp­tion enough in these sit­u­a­tions with­out hav­ing pre­cise knowl­edge of the real per­son or their real name?

Here we are talk­ing about whether cer­tain ser­vices on the Inter­net or Meta­verse require the per­son act­ing to be iden­ti­fi­able – i.e. anonymi­ty is per­mit­ted. Today you can access the Inter­net with­out reveal­ing your identity.

It is a com­plete­ly dif­fer­ent mat­ter whether and, if so, which ser­vices one would like to allow or tol­er­ate anony­mous­ly in the dig­i­tal world and for which ones identification/ID con­trol should be required. This has less to do with data pro­tec­tion and the tech­ni­cal pro­tec­tive mea­sure pseu­do­nymi­sa­tion com­mon­ly used there.

There are sev­er­al cas­es for iden­ti­fy­ing peo­ple. Minors must declare their age so that sales trans­ac­tions are pos­si­ble and legal. The same applies to trans­fer­ring mon­ey, pay­ing with cred­it cards, open­ing a bank account, to name a few exam­ples. There are already many sit­u­a­tions in the real world in which iden­ti­fi­ca­tion was and is required. Many of these same con­stel­la­tions now also apply to dig­i­tal businesses.

Whether these mea­sures are enough and whether there should be more nuanced descrip­tions for actions tak­ing place in the dig­i­tal world due to the fact that you are no longer face to face and do not get an impres­sion of the per­son is a polit­i­cal issue. I would even dare to say that there won’t be much change because the nec­es­sary majori­ties in the var­i­ous rul­ing gov­ern­ments need­ed for enact­ing changes are cur­rent­ly not there, at least in all EU coun­tries includ­ing Germany.

Nation­al data pro­tec­tion laws around the world vary wide­ly. Are there also major dif­fer­ences in pseu­do­nymi­sa­tion or is this a field where there is wide­spread glob­al agree­ment about its tech­ni­cal imple­men­ta­tion, use and limits?

There are some tech­ni­cal meth­ods for pseu­do­nymis­ing data and datasets. There may be more in the future as tech­nol­o­gy improves. How­ev­er, pseu­do­nymi­sa­tion has noth­ing to do with polit­i­cal inter­ests of whether cer­tain ser­vices require iden­ti­fi­ca­tion of a per­son or not. There are quite dif­fer­ent views among the coun­tries with their var­i­ous forms of government.

Dr Nie­mann, thank you for shar­ing your insights on pseudonymisation

Thank you very much, Dr Cal­daro­la, and I look for­ward to read­ing your upcom­ing inter­views with recog­nised experts, delv­ing even deep­er into this fas­ci­nat­ing topic.

About me and my guest

Dr Maria Cristina Caldarola

Dr Maria Cristina Caldarola, LL.M., MBA is the host of “Duet Interviews”, co-founder and CEO of CU³IC UG, a consultancy specialising in systematic approaches to innovation, such as algorithmic IP data analysis and cross-industry search for innovation solutions.

Cristina is a well-regarded legal expert in licensing, patents, trademarks, domains, software, data protection, cloud, big data, digital eco-systems and industry 4.0.

A TRIUM MBA, Cristina is also a frequent keynote speaker, a lecturer at St. Gallen, and the co-author of the recently published Big Data and Law now available in English, German and Mandarin editions.

Dr Fabian Niemann

Dr Fabian Niemann is a lawyer and partner in the Frankfurt office of Bird & Bird LLP. He is co-head of Bird & Bird's international Technology & Communications Sector Group and co-leads firm’s AI and cybersecurity practice groups. He specialises in IT and data protection law, particularly in issues relating to cloud computing, AI, data economy, security as well as new business models and technologies. Dr Niemann studied and received his doctorate in Bonn, Honolulu and London.

Dr Maria Cristina Caldarola

Dr Maria Cristina Caldarola, LL.M., MBA is the host of “Duet Interviews”, co-founder and CEO of CU³IC UG, a consultancy specialising in systematic approaches to innovation, such as algorithmic IP data analysis and cross-industry search for innovation solutions.

Cristina is a well-regarded legal expert in licensing, patents, trademarks, domains, software, data protection, cloud, big data, digital eco-systems and industry 4.0.

A TRIUM MBA, Cristina is also a frequent keynote speaker, a lecturer at St. Gallen, and the co-author of the recently published Big Data and Law now available in English, German and Mandarin editions.

FOL­LOW ME