Executive Summaries May 23, 2018

Anonymization? Think Again

Caution is advised when considering anonymization to circumvent the rigid data collection, use and communication requirements set out in Europe's General Data Protection Regulation (GDPR) or in Canada's Personal Information Protection and Electronic Documents Act (PIPEDA).

Danielle Miller Olofsson has authored this article.

Any organization considering anonymization to circumvent the rigid data collection, use, and communication requirements set out in Europe’s General Data Protection Regulation (GDPR) or for that matter in Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) - which, all indications suggest, will align itself with the GDPR - should think again.

WHAT IS ANONYMIZATION

Anonymization includes a variety of techniques used to disassociate individuals from their personal information so as to sell or re-use the information, often for research or marketing purposes, without triggering GDPR or PIPEDA compliance. Both laws impose strict restrictions on the way organizations treat personal information, which they define broadly to include any information about an identifiable person. If information is rendered anonymous, so the argument goes, it is no longer about an identifiable individual and therefore its collection, use, and disclosure are no longer subject to the GDPR or PIPEDA.

WHY CAUTION IS ADVISED

Setting aside the arguments relating to the usefulness of anonymized data, given the distortion it frequently creates, a number of other factors militate in favour of caution when choosing the anonymization route.

To begin with, from a technological point of view there is no evidence that foolproof anonymization is possible. That is to say, there is always a small risk that the data can be re-identified. One only has to think of the New York Taxi case, in 2014, in which bloggers were able to discover the algorithms that the New York City Taxi and Limousine Commission, which released the information, had used to alter the medallion numbers, and so reverse the pseudonymization process the Commission had put in place. In case one is tempted to argue that the New York Taxi case was a freak occurrence, it should be noted that 63% of the population can be identified by a small amount of data such as their gender, date of birth, and postal code.

Moreover, organizations that base their decision to release anonymized information on a risk analysis should remember that, if the process fails, even a minimal risk in terms of percentage still represents a substantial number of individuals: 1% of the Québec population is roughly 80,000 people – enough for a class action!

A second technicality of which organizations should be aware is that de-identification, for example removing the list of identifiers that the Health Insurance Portability and Accountability Act (HIPAA) of the United States requires to be removed from health data before it can be shared, is not anonymization but rather a preliminary step in the anonymization process. Further analysis and measures are required, such as removing or altering other information that could identify an individual and putting controls and safeguards in place to manage the risk of re-identification.
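The gap between removing direct identifiers and anonymization, and the risk carried by gender, date of birth and postal code noted above, can be measured before release. The following is an added example, not from the article or its author; the records are constructed and the field names, the generalization rules and the threshold k=3 are assumptions chosen for illustration.

```python
from collections import Counter

# Constructed sample rows (not real data). Field names are assumptions for this example.
FIELDS = ("name", "health_no", "gender", "dob", "postal", "diagnosis")
ROWS = [
    ("Person A", "X001", "F", "1980-03-14", "H2X 1Y4", "asthma"),
    ("Person B", "X002", "F", "1984-11-02", "H2X 3K8", "diabetes"),
    ("Person C", "X003", "F", "1987-06-21", "H2X 2B1", "asthma"),
    ("Person D", "X004", "M", "1975-01-09", "H3A 1B9", "migraine"),
    ("Person E", "X005", "M", "1971-08-30", "H3A 2T5", "diabetes"),
    ("Person F", "X006", "M", "1979-12-25", "H3A 0G4", "asthma"),
    ("Person G", "X007", "F", "1992-05-17", "G1R 4P5", "migraine"),
    ("Person H", "X008", "M", "1968-02-03", "H2X 1Y4", "asthma"),
]
RECORDS = [dict(zip(FIELDS, row)) for row in ROWS]
DIRECT_IDENTIFIERS = {"name", "health_no"}
QUASI_IDENTIFIERS = ("gender", "dob", "postal")

def strip_direct(records):
    """De-identification step: drop the fields that name the person outright."""
    return [{k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS} for r in records]

def generalize(records):
    """Coarsen quasi-identifiers: birth date -> decade, postal code -> first 3 characters."""
    return [{**r, "dob": r["dob"][:3] + "0s", "postal": r["postal"][:3]} for r in records]

def class_sizes(records):
    """Count the records sharing each (gender, dob, postal) combination."""
    return Counter(tuple(r[q] for q in QUASI_IDENTIFIERS) for r in records)

def suppress_small_classes(records, k):
    """Withhold records whose combination is shared by fewer than k records."""
    sizes = class_sizes(records)
    return [r for r in records if sizes[tuple(r[q] for q in QUASI_IDENTIFIERS)] >= k]

def risk_report(records):
    """Smallest class size (k) and share of records unique on the quasi-identifiers."""
    sizes = class_sizes(records)
    unique = sum(1 for n in sizes.values() if n == 1)
    return {"records": len(records), "k": min(sizes.values()),
            "unique_share": unique / len(records)}

if __name__ == "__main__":
    stripped = strip_direct(RECORDS)
    coarse = generalize(stripped)
    for label, data in [("direct identifiers removed", stripped),
                        ("after generalization", coarse),
                        ("after suppression (k=3)", suppress_small_classes(coarse, 3))]:
        print(label, risk_report(data))
```

On this sample every record is still unique once the name and health number are gone, a quarter remain unique after generalization, and only suppression of the small groups brings every remaining record into a group of three, at the cost of withholding two records.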

Finally, just because information cannot be traced back to a name does not mean that it is not considered personal information. The Canadian Office of the Privacy Commissioner, in a decision involving a telecommunications company, concluded that account information, demographics, and network usage, even if un-identified, constituted information related to specific individuals and therefore personal information. This decision puts an end to speculation that behavioural patterns are not personal information and therefore not subject to GDPR or PIPEDA regulation.

ORGANIZATIONS THAT CHOOSE ANONYMIZATION SHOULD CONSIDER THE FOLLOWING

Organizations that choose to anonymize information either to avoid regulation or to add an extra level of security to the data they collect might wish to consider the following:

  • Anonymization is not simply a question of modifying the data itself but protecting it against the environment into which it is released. It is therefore important to assess the properties of the data, the type of user, the type of application, the type of access, the modus of release and the attacker model to establish the appropriate level and form of anonymization for each type of data;
  • While a de-identification process may seem technologically sound today, technology changes fast and ongoing re-assessment is required;
  • Establishing a clear process for anonymization. The Office of the Australian Information Commissioner has issued a guide that is well worth consulting;
  • Restricting rather than extending access to data that has been anonymized; and
  • Putting in place a de-identification governance committee.

While there is a good place for anonymization in an organization’s handling of personal information, it should not be relied on to replace compliance with existing legislation. Our Privacy, Data Protection and Cyber-Crypto Security team would be pleased to answer any questions regarding anonymization or any other data protection matters.
