Virtual identities have come along with the rise of technology and online communication, having led to the information society we live in. To identify online or by use of data in one way or another are practices of daily life, but the data used to do so shall not be exposed to unauthorized access. In particular, big data applications have created a new dimension of risks to virtual identities.
A way to protect a virtual identity is to make use of pseudonyms, which is possible from a technical point of view. Legally, provisions on threat prevention could be a way to address these risks. Nevertheless, the existing EU Data Protection Directive (95/46/EG) has not regulated pseudonymisation explicitly. By way of contrast, the General Data Protection Regulation (GDPR), applicable from May 2018, does address pseudonymisation to a certain extent. According to recital 28, pseudonymisation of personal data is a mean to “reduce the risks to the data subjects concerned” and to “help controllers and processors to meet their data-protection obligations”. Hence, the regulation seeks to create incentives for the controllers to apply pseudonymisation (see recital 29). Such incentives can be found in different parts of the GDPR, e.g. when citing “pseudonymisation” as an example for an appropriate measure to implement technical and organisational measures in order to meet the requirements of the GDPR and to protect the rights of data subjects (art. 25 “Data protection by design and by default”). Furthermore, according to art. 32 (“Security of processing”), it is cited as an appropriate measure to ensure a level of security appropriate to the risk.