Europe is currently discussing an update of its data protection regime. The Albrecht Report suggests several amendments to the Commission’s proposal for a new regulation. One of the proposals is to limit the protection for pseudonymous data. I think this a dangerous idea.

In the privacy debate, pseudonyms are a red herring. They offer only a weak level of protection. People often believe that they can hide behind a pseudonym. But this belief is wrong. Pseudonyms only provide context separation. They make it impossible to link data about me in one context with data about me in another context. Within one context, pseudonyms act like real identifiers, and behave just like real names.

Whether a data record refers to me by name, or by email address, or by a strong pseudonym (that cryptographically prevents the pseudonym to be linked to me) does not really matter. The data refers to me, and the data will be used, within that context, to judge me, make decisions about me, etc. Therefore, the protection offered by the regulation is just as necessary for pseudonymous data as it is for non-pseudonymous data. This is not to say that pseudonyms are useless. They are a sane technical measure in the privacy-by-design toolchest. But they should not provide an escape route to avoid compliance with the data protection regulation.