Economic and Commercial Law Researches

Related Links

Current Issue

By Issue

By Author

By Subject

Author Index

Keyword Index

About Journal

Aims and Scope

Editorial Board

Publication Ethics

Indexing and Abstracting

FAQ

Journal Metrics

News

The Importance and Legal Challenges of Data Pseudonymization: Considering the Principles of Personal Data Processing

Document Type : Original Article

Authors

1 Master’s Graduate in Private Law, University of Tehran, Tehran, Iran.

2 Associate Professor, Faculty of Law and Political Science, University of Tehran, Tehran, Iran

Abstract

Across all countries and within the framework of personal data protection laws, due to the expansion of data volume processed by various companies, fundamental principles such as legality, accuracy, security, purpose limitation, and data minimization have been established to minimize violations of individuals' privacy. Furthermore, these legal frameworks often reference specific technical methods designed to ensure the secure processing of personal data, including pseudonymization. However, due to insufficient attention to the details of these techniques and tools within the laws of leading jurisdictions—and the absence of explicit legal provisions in countries such as Iran—significant ambiguities persist regarding their proper implementation, effects, economic aspects, and the role of pseudonymization in ensuring compliance with data processing principles. This study adopts a descriptive-analytical approach, relying on both printed and digital library sources, and employs a comparative perspective to scrutinize the technical methodologies and specific requirements for effective pseudonymization. The primary research question addressed is: To what extent does pseudonymization contribute to precise implementation of legal data processing principles? The findings indicates that, although pseudonymization effectively reduces the direct linkage between data and individual identities, it alone is insufficient to guarantee full compliance with legal processing principles—particularly if the process remains reversible. Nonetheless, when combined with additional techniques such as data encryption, pseudonymization can substantially enhance compliance with data processing principles.

Keywords

References

  1. References

    Books

    1. Ansari, Bagher, Principles of Personal Data Processing, 1st edition, Tehran: Sherkat Sahami Enteshar, 2023. (in Persian)
    2. Ansari, Bagher and Attar, Shima, Rights of Cyberspace Users, 1st edition, Tehran: Sherkat Sahami Enteshar, 2023. (in Persian)
    3. Zand, Hossein, Data Protection in Iranian Positive Law, 2nd edition, Tehran: Sherkat Sahami Enteshar, 2024. (in Persian)

    Articles

    1. Al-Zubaidie, M. and Zhang, Z. and Zhang, J, "PAX: Using Pseudonymization and Anonymization to Protect Patients’ Identities and Data in the Healthcare System", International Journal of Environmental Research and Public Health, Vol. 16, No. 9, 2019, pp 1-36, https://doi.org/10.3390/ijerph16091490.
    2. Arab Sorkhi, Abouzar and Tafazoli, Tala, "Analysis of Strategic Issues in the Realm of General Data Protection Regulations", Monadi AFTA, Vol. 13, No. 2, 2024, pp 12-23. (in Persian)
    3. Bolognini, Luca and Bistolfi, Camilla, "Pseudonymization and Impacts of Big (Personal/Anonymous) Data Processing in the Transition from the Directive 95/46/EC to the New EU General Data Protection Regulation", Computer Law & Security Review, Vol. 33, No. 2, 2017, pp 171-181, https://doi.org/10.1016/j.clsr.2016.11.002.
    4. Bourdillon, Stalla and Alison, Sophie, "Anonymous Data v. Personal Data, A False Debate: An EU Perspective on Anonymization, Pseudonymization and Personal Data", Wisconsin International Law Journal, 2017, pp 1-38.
    5. El Emam, K and Jonker, E and Arbuckle, L and Malin, B. "A Systematic Review of Re-Identification Attacks on Health Data", PLoS One, Vol. 6, No. 12, 2015, pp 1-12, https://doi.org/10.1371/journal.pone.0126772.
    6. Esmaeili, Mohsen and Narimanpour, Mehdi, "Legal Foundations of Personal Data Exchange (A Comparative Study of the EU General Data Protection Regulation and Iranian Law) ", Islamic Law, Vol. 21, No. 82, 2024, pp 123-165, doi: 10.22034/ilaw.2023.708599. (in Persian).
    7. Farahzadi, Ali Akbar and Sadeghi, Hossein and Naser, Mehdi, "Duties of Controllers and Processors in Preventing Security Breaches in Information Exchange Networks", Ghezavat, Vol. 22, No. 112, 2022, pp 71-99. (in Persian)
    8. Gazizov, Andrey and Gazizov, Evgeny and Gazizova, Svetlana, "Theoretical Aspects of the Protection of Personal Data of Employees of the Enterprise by the Method of Pseudonymization", E3S Web Conf, 2020, pp 1-8, https://doi.org/10.1051/e3sconf/202021011001.
    9. Heurix, Johannes and Karlinger, Michael and Neubauer, Thomas, "Pseudonymization with Metadata Encryption for Privacy-Preserving Searchable Documents", 45th Hawaii International Conference on System Sciences, Maui, HI, USA, 2012, pp 3011-3020.

    https://doi.org/10.1109/HICSS.2012.491.

    1. Heurix, Johannes and Karlinger, Michael and Schrefl, Michael & Neubauer, Thomas, "A Hybrid Approach Integrating Encryption and Pseudonymization for Protecting Electronic Health Records", Proceedings of the 8th IASTED International Conference on Biomedical Engineering, Innsbruck, Austria, 2011, pp 1-8.

    https://doi.org/10.2316/P.2011.723-117.

    1. Heurix, Johannes and Neubauer, Thomas, "Privacy-Preserving Storage and Access of Medical Data through Pseudonymization and Encryption", Lecture Notes in Computer Science, 6863, Berlin, Heidelberg, 2011, pp 1-12, https://doi.org/10.1007/978-3-642-22890-2_16.
    2. Hosseini, Ali, "Data Protection Law in Algorithmic Processing: Challenges and Solutions", Government and Law, Vol. 5, No. 1, 2024, pp 99-122. (in Persian)
    3. Latifzadeh, Mahdieh and Ghobouli Dorafshan, Seyed Mohammad Mehdi and Mohseni, Saeed and Abedi, Mohammad, "Analysis of the Legal Framework for Personal Data Protection in the European Union", Information Processing and Management Research Journal, Vol. 37, No. 2, 2021, pp 439-472, https://doi.org/10.52547/jipm.37.2.439, (in Persian).
    4. Lehmann, Anja, "ScrambleDB: Oblivious (Chameleon) Pseudonymization- as-a-Service", Privacy enhancing technologies, No 3, 2019, pp 289–309, https://doi.org/10.2478/popets-2019-0048.
    5. Lubarsky, Boris, "Re-Identification of “Anonymized” Data", L. TECH. REV, 202, 2017, pp 202-213.
    6. Machanavajjhala, A. and Gehrke, A. and Kifer D. and Venkitasubramaniam, M. "L-Diversity: Privacy Beyond k-Anonymity", 22nd International Conference on Data Engineering (ICDE'06), Atlanta, GA, USA, 2006, pp 24-24, https://doi.org/10.1145/1217299.1217302.
    7. Mazinanian, Saeedeh, "Regulating Privacy in Cyberspace (A Comparative Study in the Laws of the United States, European Union, and Iran) ", Economic and Commercial Law Research, Vol. 1, No. 2, 2023, pp 207-239, doi: 10.48308/eclr.2023.232727.1030, (in Persian)
    8. Neubauer, Thomas and Heurix, Johannes, "A Methodology for the Pseudonymization of Medical Data", International Journal of Medical Informatics, Vol. 80, No. 3, 2011, pp 190-204.

    https://doi.org/10.1016/j.ijmedinf.2010.10.016.

    1. Neumann, G.K. and Grace, P. and Burns, D. et al, "Pseudonymization Risk Analysis in Distributed Systems", Journal of Internet Services and Applications, Vol. 10, No. 1, 2019, pp 1-16.

    https://doi.org/10.1186/s13174-018-0098-z.

    1. Ninghui, Li and Tiancheng, Li and Venkatasubramanian, Suresh, "T-Closeness: Privacy Beyond k-Anonymity and l-Diversity", IEEE 23rd International Conference on Data Engineering (ICDE), No 2, 2007, pp 106-115.
    2. Pinnamaneni, Nikhil and Dodda, Sumanth and Muvva, Sai Charan, "Survey Paper on Anonymization and Pseudo-Anonymization for E-healthcare", International Research Journal of Modernization in Engineering, Technology and Science, Vol. 3, No. 7, 2021, pp 769-775.
    3. Pouryousef, Zahra and Rajaei, Mehri and Balochzehi, Nik Mohammad, "Preserving Vehicle Privacy in Vehicular Communication Networks", National Conference on New Researches in Science and Technology, 2018, Tehran, Iran. (in Persian)
    4. Ribeiro, S. L. and Nakamura, E. T, "Privacy Protection with Pseudonymization and Anonymization in a Health IoT System: Results from OCARIoT", IEEE 19th International Conference on Bioinformatics and Bioengineering (BIBE), Athens, Greece, 2019, pp 904-908, https://doi.org/10.1109/BIBE.2019.00169.
    5. Sadeghi, Hossein and Naser, Mehdi, "An Inquiry into the Nature of Private Data in the Functioning Mechanism of Internet of Things Technologies", Technology Growth, Vol. 19, No. 2, 2023, pp 33-41. (in Persian)
    6. Shin, Soo Yong and kim, Hun Sung, "Data Pseudonymization in a Range That Does Not Affect Data Quality: Correlation with the Degree of Participation of Clinicians", Journal of Korean Medical Science, Vol. 36, No. 44, 2021, pp 1-11, https://doi.org/10.3346/jkms.2021.36. e299.
    7. Starchon, Peter and Pikulik, Tomas, "GDPR Principles in Data Protection Encourage Pseudonymization through Most Popular and Full-Personalized Devices - Mobile Phones", Procedia Computer Science, No 151, 2019, pp 303-312, https://doi.org/10.1016/j.procs.2019.04.043.
    8. Sweeney, L, "K-Anonymity: A Model for Protecting Privacy, International Journal on Uncertainty", Fuzziness and Knowledge-Based Systems, Vol. 10, No. 5, 2002, pp 557-570.

    https://doi.org/10.1142/S0218488502001648.

    Websites

    1. Data Protection Commission IE, "Guidance on Anonymisation and Pseudonymisation", Available at:

    20 Anonymisation%20and%20Pseudonymisation.pdf) Visited 2025/02/08.

    1. Dotic "Personal Data and Information Protection Bill, dated 26/06/1400 (September 17, 2021), Available at:
    2. https://media.dotic.ir/uploads/org/2021/10/09/163377045160152200.pdf, Visited: 2025/08/11, [In Persian].
    3. ISO/IEC, "Privacy Enhancing Data De-Identification Terminology and Classification of Techniques", Available at:

    (https://www.iso.org/obp/ui/#iso:std:iso-iec:20889:ed-1:v1:en) Visited 2025/01/25.

    1. uk, "google-v-vidal-hall-judgment", Available at:

    (https://www.judiciary.uk/wp-content/uploads/2015/03/google-v-vidal-hall-judgment.pdf) Visited 2025/08/11.

    1. ir "Personal Data Protection Bill, dated 15/07/1403 (July 6, 2024)", Available at: (https://rc.majlis.ir/fa/legal_draft/show/181672), Visited visited: 2025/08/11, [In Persian]
    2. Robin data, "What is Pseudonymised Data? " Available at: (https://www.robin-data.io/en/data-protection-and-data-security-academy/wiki/pseudonymised-data) Visited 2025/01/25.
    3. European Data Protection Board, "Guidelines 01/2025 on Pseudonymisation", Available at: (https://www.edpb.europa.eu/our-work-tools/documents/public-consultations/2025/guidelines-012025-pseudonymisation_en) Visited 2025/02/08.
Economic and Commercial Law Researches
Volume 3, Issue 2 - Serial Number 10
September 2025
Pages 71-100
Files
Share
How to cite
Statistics