Under most privacy laws or data protection laws if you’re not dealing with personal data, you’re outside of the scope of the legislation. However, that line is no longer as clear as we might have thought it was historically. Privacy and anonymity gets complicated in the age of big data.
We always have to be looking at what is the state of the art when it comes to anonymisation, or de-identification. We also have to be looking at the techniques and technologies that can be used to re-identify or victimise individuals whose information might have been compromised.
Ten years ago, scientists or engineers said, “Yes. This information is de-identified. We don’t have to worry about it.” Now that ten years later that exact same data sitting on a server is in fact identifiable, because the line has continued to move.
In Canada, privacy laws hinge entirely on personal information. In other places, it’s personal data.
The law is also intended to be technologically neutral. The Canadian statute was written in 1996 and it was significantly influenced by the European directive at that time. We have 10 principles that are essentially mapped almost directly from the 8 principles of the OECD guidelines but rooted on principles rather than strict rules.
In Canada there’s no such thing as legitimate purpose. Users have to have consent, provide notice and consent for all collection, use, and disclosure of personal information.
Privacy and anonymity – Where to draw the line?
In Canada, our definition is as simple as ‘information about an identifiable individual’. If it’s information about an identifiable individual, it is personal information. The regulators in Canada have taken the view that if there is a risk that you can connect an IP address with an individual then you need to treat it as personal information, the question is – where do we draw the line?
The EU GDPR is going to be incredibly influential in the way that people are thinking about these sorts of things. According to the EU GDPR, personal data is defined as to whether or not the individual can be identified directly or indirectly. Does it include a national social insurance, social security, other sort of number? Does it include a driver’s license number, a passport number, something else like that? What are the implications for privacy and anonymity especially in the age of big data?
Importance of pseudonymisation for privacy and anonymity
The EU GDPR also introduces this concept of pseudonymisation for addressing privacy and anonymity. Pseudonymisation talks about a process, that alters personal data in such a way that the individual personal data can no longer be attributed to a specific data subject, without the use of additional information. It is also important to differentiate pseudonymisation from anonymisation, which anonymises data to the extent that the individual can no longer be identified.
The EU GDPR states that when it comes to the obligations for safeguarding information and protecting the privacy and anonymity of individuals, pseudonymisation is important. Organisations need to think about this identifiability continuum and think about how risk maps onto that and the risk to the individual.
In age of big data, data scientists are using mathematical techniques to blur information and data sets, so that it gets less likely that you could in fact identify individuals.
From the regulator’s point of view, the ability to identify one person positively is in fact the threshold that they’re concerned about. This is where the issue of consent comes in. What is interesting about the Canadian principles-based system, is that the form of the consent needs to be based on the sensitivity of the information, and the less identifiable it is, the lower down on the sensitivity continuum you are.