Anonymization and De-Identification: A Comparison of PIPEDA and Bill C-27

The proposed Consumer Privacy Protection Act (“CPPA”) in the federal government’s Bill C-27 will, if passed, replace the Personal Information Protection and Electronic Documents Act (“PIPEDA”) that currently governs the collection, use and disclosure of personal information in certain Canadian jurisdictions. The CPPA will introduce new requirements with respect to “de-identified” and “anonymized” data that will affect how organizations access and use previously collected data. Organizations wishing to make effective use of collected data should endeavour to gain an understanding of these changes and how to comply with the new requirements.

Under PIPEDA, “personal information” is defined as “information about an identifiable individual.” Information is considered personal information if it can identify an individual directly or indirectly through reasonably available information. Information that meets this definition is subject to the privacy protections set out in the legislation. If information is modified such that it no longer meets the definition of personal information, then the organization is free to use the information for any purpose without further notification to, or consent from, the affected individual.

Anonymization and de-identification are two methods that organizations may employ for this purpose. The process of de-identification typically involves removing or modifying direct identifiers in a data set. While de-identification is a valid privacy-protecting technique that can be used to add additional value to data collected by organizations, a risk remains that the information could be re-identified. Anonymization, by contrast, typically involves permanently removing or modifying direct and indirect identifiers in a data set in a way that ensures no individual can be identified from the information. PIPEDA does not use either of these terms or provide guidelines for modifying data to ensure that it falls outside the scope of PIPEDA requirements. It remains up to the organization to determine appropriate and effective techniques.

The CPPA would introduce separate definitions and requirements for anonymized and de-identified data. The definitions found in Bill C-27 are as follows:

• “Anonymize” means to irreversibly and permanently modify personal information, in accordance with generally accepted best practices, to ensure that no individual can be identified from the information, whether directly or indirectly, by any means.
  
  
• “De-identify” means to modify personal information so that an individual cannot be directly identified from it, though a risk of the individual being identified remains.
  

The CPPA expressly would not apply to personal information that has been successfully anonymized. De-identified information, on the other hand, would remain subject to the CPPA but would allow organizations to use and disclose the de-identified information without further knowledge or consent in limited circumstances, including:

1. internal research, analysis and development purposes;
2. use or disclosure in connection with a prospective business transaction; and
3. disclosure to a government, health or educational institution for a socially beneficial purpose.

Further, under the CPPA, de-identified information is not considered personal information for the purposes of certain specific provisions of the CPPA and, therefore, is not subject to the same requirements as information that has not been de-identified. For example, requirements relating to access, correction and disposal would not apply to de-identified data.

While the CPPA imposes a high standard for anonymization, the definition is qualified by reference to “generally accepted best practices,” the interpretation of which remains yet to be seen. While approached from the lens of preventing inadequate anonymization techniques, the Office of the Privacy Commissioner of Canada (“OPC”), in its submission to the Standing Committee on Industry and Technology dated April 26, 2023, highlighted this issue and recommended that reference to generally accepted best practices be struck from the legislation.

The language recommended by the OPC may be onerous to organizations; however, it is clear that the current language is ambiguous and may also present challenges. Uncertainty regarding whether information has truly been anonymized and rendered not subject to the CPPA would create risk for organizations wishing to make use of this provision.