Anonymous for Now: Demystifying Data De-Identification
IPOsgoode, Fri, 24 Feb 2023

Egin Kongoli is a 3L JD Candidate at Osgoode Hall Law School. This article was written as a requirement for Prof. Pina D’Agostino’s IP Innovation Program.


Canada is getting serious about consumer privacy, or so our lawmakers claim.

Parliament has recognized the public’s need for a data framework that ensures proper transparency and accountability.[i] Ottawa’s response is and the proposed Consumer Privacy Protection Act (CPPA), meant to govern the future collection, use, and disclosure of personal information for commercial purposes. However, while the law modernizes elements of the privacy framework, it carves out exceptions for de-identified data practices that undermine the very trust the legislation is meant to foster. Standing tenuously on technological assumptions, the exception creates a wild-west scenario ripe for harmful data practices.

Under the CPPA, organizations are not required to obtain user consent to de-identify, a process that modifies data so that “an individual cannot be directly identified.”[ii] The legislation creates an offence for re-identification and, as such, seems aware of the risk.[iii] Nonetheless, further exceptions are made for data anonymization, by which an organization “irreversibly and permanently modif[ies] personal information… to ensure that no individual can be identified from the information, whether directly or indirectly, by any means.”[iv] The CPPA excludes the anonymized data from its purview because, by their definition, there is no reasonable prospect of re-identification.

This logic rests on several problematic assumptions. First, the line which separates de-identified and anonymized data is vague and rarely obvious until re-identification occurs. De-identified data is by its nature not meant to be re-identified, and thus anonymous by the government’s definition. Moreover, the law assumes organizations have the technological capabilities to ensure irreversible and permanent anonymization. While identifiers may be removed, many other seemingly innocuous data points can be used to . Research from Oxford recently found that . One might imagine many disturbing consequences, from identity fraud to the cancer patient whose allegedly-anonymous data is used to change their insurance coverage and rates.

How can the disclosure and use of data be monitored if the law excludes anonymized data from regulation? Privacy enforcement may require individuals to come forward with complaints about the misuse of their data.[v] The system thus asks users to not only be aware of their data anonymization (which they never consented to) and its subsequent disclosure (kept secret from them) but to catch the bad actors re-identifying information the regulators turned a blind eye to. Our framework’s release-and-forget de-identification model thus opens the door to potential misuse of personal information that will remain altogether hidden from the regulator’s or public’s view. Where is the transparency or accountability?

While the anonymized exception answers the growing demands of businesses seeking to use personal data, the current state of de-identification practices does not satisfy the standards of the CPPA. The European GDPR includes data that does not contain direct identifiers but is capable of re-identification, “,” as within the scope of the law. That our lawmakers decided against regulating allegedly-anonymous data raises the question of whether their priorities indeed lie with the needs of the public or of commerce.


[i] Bill C-27, An Act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act and to make consequential and related amendments to other Acts, 1st Sess, 44th Parl, 2022, preamble, para 8.

[ii] Ibid at s 2(1).

[iii] Ibid at s 128.

[iv] Ibid at s 2(1).

[v] Ibid at s 107.

An Antidote to Privacy Infringements: Will Bill C-11 Unite Consumers and Big Tech?
IPOsgoode, Mon, 17 May 2021

Photo credits: Amza Andrei (unspash.com)

Written by Tiffany Wang, IPilogue Contributing Writer and J.D. candidate at Osgoode Hall Law School (Class of 2023).

Big Tech companies like Facebook and Google collect and store users’ personal and potentially sensitive information. Canadians are generally compelled to accept this practice; however, the ongoing COVID-19 pandemic has sparked new over surveillance practices, like tracking and recording individuals. In an , Samuel Woodhams, a digital rights activist, indicates that 25 percent of the 53 contact-tracing apps used globally lack privacy policies. Without privacy protection, the risks of personal data leakage are too high to ignore.

On November 17, 2020, the federal government introduced Bill C-11, the (DCIA). It proposes three major changes:

  1. Repeal Part 1 of the Personal Information Protection and Electronic Documents Act (PIPEDA) governing personal information and privacy;
  2. Enact the Consumer Privacy Protection Act (CPPA); and
  3. Introduce a Personal Information and Data Protection Tribunal (Tribunal) governed by PIPEDA.

These recommendations would strengthen the impact of Canada’s privacy laws on the private sector. They underscore the federal government’s attempt to balance individuals’ fundamental right to privacy and the crucial function of information in advancing business, innovation, and commerce.

Consumer data is subject to heightened protection pursuant to Bill C-11. If enacted, the DCIA would, barring consumer consent, shield sensitive medical, financial, and social information and data from private entities. In effect, individuals would have increased autonomy over their online identity, by allowing them to meaningfully consent to the sharing of their data.

The DCIA’s new transparency requirements also address algorithmic transparency concerns. For example, businesses must be transparent about how they deploy . These requirements will entitle consumers to request that businesses explain how they process and use personal information. In turn, businesses must comply with the DCIA to clarify how their algorithmic systems generate and analyze consumer data. Bill C-11 and will implicate a larger number of computer systems than those currently captured by PIPEDA.

It is important that the federal government balances privacy concerns with advancing Canada’s innovation and technology sector. Bill C-11 notes Canada’s ambition to keep pace with the European Union and the United States in simplifying privacy and e-protection laws for commerce and businesses. For example, Bill C-11 adds a new “business activities” exception for requiring consent. Businesses will not be required to obtain consumer consent for every transaction in the process of delivering products or services.

Additionally, Bill C-11 promotes the sharing of data between private and public spheres to leverage data pools. Under Bill C-11, the federal government possesses increased oversight and enforcement powers over private parties. If the CPPA were successfully implemented, the Privacy Commissioner would reside above business entities, enabling the Government to stop organizations from collecting certain data. In addition, the Privacy Commissioner may, through the Tribunal, impose administrative fines up to three percent of a business entity’s global revenue, or $10 million for breaches.

Bill C-11 is attractive from both consumer and business standpoints. Not only do its recommendations strengthen individual autonomy and information transparency, but they also simplify business transactions by making it easier to obtain consent and foster increased dialogue between governmental agencies and private companies in sharing de-identified data.

Perhaps there is a silver lining to the pandemic, one that paves the way for more robust privacy laws. As Canadian technology and commercial innovation increasingly depend upon data collection, it is prudent to bolster privacy.
