Pseudonymisation of data refers to the processing of personal data in such a way that it cannot be attributed to a specific individual without additional data. This additional data is kept separate to ensure security. In India, while the Digital Personal Data Protection Act does not provide a concrete definition for pseudonymisation, it recognises it as a data protection technique. However, the Act remains vague regarding the technical criteria and their role within the country’s data protection regime.
This ambiguity grants significant discretion to businesses and governments. Unlike anonymised data, pseudonymised data remains under the purview of the DPDP Act, as it is protected through techniques such as separation and transformation.
READ I Can the electric vehicle market survive without subsidies?
Global practices in pseudonymisation
In this context, analysing how other legal systems implement pseudonymisation becomes essential. Both the EU’s General Data Protection Regulation (GDPR) and the US’ California Consumer Privacy Act (CCPA) define pseudonymisation similarly — as the processing of personal data requiring additional information to link it to a specific consumer. The CCPA also discusses related concepts like deidentification, a broader term than pseudonymisation, where direct identifiers are removed.
Additionally, aggregation techniques reduce the risk of re-identification by eliminating indirect identifiers, such as pseudonyms. However, the extent to which pseudonymisation is enforced varies between these laws. In the US, pseudonymisation primarily limits liability for controllers in research contexts. In contrast, the European law adopts a stricter interpretation where pseudonymisation is considered an appropriate safeguard when handling personal data.
Despite these clear definitions, judicial decisions often adopt a more subjective approach to pseudonymisation. For instance, the European Court of Justice’s ruling in Patrick Breyer v Bundesrepublik Deutschland determined that whether a dataset constitutes personal data depends on the service provider’s ability to identify an individual, factoring in legal and practical means, as well as any additional data held by third parties. This departs from rigid precedents, like Scarlet Extended, emphasising the dynamic nature of liability under both member state and EU law.
Pseudonymisation in India
In India, where specific pseudonymisation techniques are not defined, it would be useful to analyse globally accepted methods and practices. Switzerland’s Federal Act on Data Protection (FADP) mandates a “data protection by design and default” policy, requiring minimal data processing unless expressly needed by the data subject. Similarly, the GDPR holds data processors and controllers responsible for ensuring regulatory and technical compliance concerning pseudonymisation. However, these technicalities are subject to guidance from the European Data Protection Board (EDPB). In contrast, India’s Data Protection Authority lacks comparable powers, especially when compared to the previously proposed Data Protection Board in the 2019 Personal Data Protection Bill.
Another area of concern is the differing impact on data subject rights. Under the GDPR, data processors must safeguard rights like access, rectification, and erasure, even for pseudonymised data. The regulations also address re-identification risks, requiring that any additional data that could lead to re-identification be kept separate and pseudonymised. In India, however, the DPDP Act is silent on the technical requirements for mitigating re-identification risks. Moreover, enforcement remains a challenge. Unlike the GDPR, where Data Protection Authorities actively enforce pseudonymisation guidelines across member states, India’s Data Protection Board offers only a general framework for data protection, without specific technical guidance.
A European alternative
A potential solution to India’s ambiguity around pseudonymisation techniques can be found in the European Union Agency for Cybersecurity’s (ENISA) report on Data Pseudonymisation. ENISA suggests several broad policies and techniques, such as cryptographic hash functions, which apply a hash function to an identifier, or message authentication codes (MAC), where identifiers are linked to pseudonyms via a secret key. While concerns about scalability exist, more robust pseudonymisation systems—such as random number generation (RNG), which assigns numbers to an identifier using an algorithm, and Symmetric Encryption, where the encryption cipher serves as both the pseudonymisation and recovery secret—offer greater security.
Advanced cybersecurity techniques increasingly rely on cryptographic systems, which use algorithms and mathematical principles to obfuscate information. The EU promotes methods like asymmetric encryption, which uses both public and private pseudonymisation keys, and ring signatures, a digital signature granting anonymity to the signer within a group.
Greater security can also be achieved through chaining multiple cryptographic hash functions to pseudonymise personal data. Other methods, like deriving pseudonyms from multiple identifiers using techniques such as Merkle trees, could further strengthen data protection.
A critical challenge for data protection regimes globally is ensuring that the rights of data subjects are preserved during data processing. In the case of pseudonymisation, data subjects may only need access to pseudonyms, not the original identifiers. Therefore, it is vital to introduce ownership-based pseudonyms in data protection regulations, using cryptographic commitment schemes to enforce the security of pseudonyms while protecting against impersonation attempts.
Even though India’s data protection regime is still in its early stages, it is important to avoid abuses of legal gaps by clarifying data protection techniques. Adopting pseudonymisation practices from other jurisdictions could help define the responsibilities of the state and data processors, while enhancing the rights of data subjects. India’s judiciary, with its long history of adopting foreign legislative provisions, could play a key role in solidifying these practices, ensuring they remain within the framework of constitutional rights.
(Akhil Joseph Mathew is a final year law student at Rajiv Gandhi National University of Law, Punjab.)