The Core Choice
When you protect private records, you face one key decision: can you get the original back?
Permanent redaction removes content for good. There is no way to recover it.
Reversible encryption swaps names and IDs for tokens. You can restore the original with the right key.
That gap shapes your legal and compliance options. Choose wrong, and you may not meet a court order or a regulator's request.
Both methods have valid uses. The key is knowing which one to use, and when. Most tools only offer permanent removal. That limits your options when things change.
See our legal compliance overview for how each approach maps to common legal duties.
GDPR Draws a Clear Line
GDPR splits the world into two groups: anonymized records and pseudonymized records.
True anonymization
If a record cannot be linked to a person, GDPR does not apply. The law is out of scope.
Three things must be true:
- Re-linking must be not possible.
- No extra file can allow re-linking.
- The process must be one-way.
This is the main benefit. Anonymized records sit outside GDPR.
Pseudonymization under Article 4(5)
Pseudonymization swaps IDs for tokens. The original can be restored using a stored key.
Key facts:
- It still counts as personal records under GDPR.
- It qualifies as a security measure under Article 32.
- It cuts breach risk.
- It allows research use under Article 89.
| Method | GDPR Status | Can Restore | Main Use |
|---|---|---|---|
| Anonymization | Not personal | No | Public files |
| Pseudonymization | Personal | Yes | Internal work |
When Permanent Removal Creates Risk
Legal discovery
Courts can order you to produce the original files.
- Privilege claims can be challenged.
- Judges can review files in private.
- Opposing counsel can dispute what was removed.
- Appeals may need the full, original text.
If you have wiped the content for good, you cannot comply.
A law firm removed client names from all case files. The court questioned a privilege claim. The firm could not produce the originals. Sanctions followed.
Regulatory audits
Auditors can ask to see complete records.
- Finance audits need full transaction detail.
- Health audits require patient records.
- GDPR audits may cover all processing steps.
Saying "we removed that for good" is rarely an acceptable answer.
Research that needs re-linking
Long studies must link records across time.
- Medical work tracks patient results over years.
- Academic work needs follow-up rounds.
- Quality reviews need trend data.
Permanent removal blocks all of this.
Business needs
Teams often need the original records back.
- Clients ask for their original documents.
- Internal reviews need the full picture.
- Key decisions need all the context.
- Audit trails may require the raw source text.
When to Use Each Method
Use permanent removal when:
| Case | Example |
|---|---|
| Public release | Open data projects |
| No re-linking needed | Published counts |
| Required by law | Some breach notices |
| Storage limits | Files you must not keep |
Use reversible encryption when:
| Case | Example |
|---|---|
| Legal discovery | E-discovery output |
| Internal reports | Analytics, dashboards |
| Research | Long-term studies |
| Client work | Document management |
| Audit evidence | Compliance records |
How Reversible Encryption Works
anonym.legal uses AES-256-GCM to encrypt and restore content.
Encrypt step
Original: "John Smith, SSN 123-45-6789"
↓
[Detect PII]
↓
Entities: PERSON("John Smith"), SSN("123-45-6789")
↓
[Generate key]
↓
[Encrypt each item]
↓
Output: "[PERSON_abc123], SSN [SSN_def456]"
Decrypt step
Input: "[PERSON_abc123], SSN [SSN_def456]"
↓
[Load key]
↓
[Decrypt tokens]
↓
Output: "John Smith, SSN 123-45-6789"
Key security
The key is:
- Made on your device. It uses a secure random source.
- Never sent to anonym.legal servers.
- Stored in your own key vault.
- Protected by your own login.
Without the key, you cannot decrypt. It is not possible.
A Legal Discovery Example
A law firm must produce files in a lawsuit.
Without reversible encryption
- Permanently remove all privileged content.
- Send files to opposing counsel.
- Court disputes the privilege claim.
- Firm cannot produce the originals.
- Sanctions follow.
With anonym.legal
- Encrypt the privileged content (reversible).
- Send the encrypted version.
- Court disputes the privilege claim.
- Decrypt and submit for private court review.
- Court rules on the claim.
- Send the right version.
You keep control at every step. You can meet any court order. Our legal use case page covers the full flow. See the zero-knowledge page for how keys stay on your side only.