Non-identifiable information under Bill C-27

On June 16, the federal government introduced Bill C-27, its revised proposed new private sector privacy legislation – the Digital Charter Implementation Act, 2022 – essentially an updated Consumer Privacy Protection Act (CPPA) and Act to establish the Personal Information and Data Protection Tribunal (Tribunal Act) plus a new proposed law, the Artificial Intelligence and Data Act (AIDA).

The Bill constitutes an updated version of former Bill C-11, the Digital Charter Implementation Act, 2020, introduced in November 2020 as the government’s initial foray into the realm of “second generation” privacy laws.  Bill C-11 died on the order paper with last fall’s election but was due for amendment before being adopted on account of extensive stakeholder input received over the 19 months’ hiatus since its tabling.

A significant revision to the former version of the CPPA is Bill C-27’s more comprehensive framework for application (or non-application) of the law to de-identified and anonymized information.  With certain exceptions, de-identified information is considered personal information subject to all the CPPA’s provisions.[1] Conversely, anonymized information is stipulated as outside application of the law.[2]

There are a number of reasons for making personal information non-identifiable, including enabling research and innovation, making it available for socially beneficial purposes, enhancing protection against breaches, and disposing of or destroying personally identifiable information once its intended uses have been achieved.  A further potential application is as a mitigation of privacy risks in circumstances where a consent otherwise required to use personal information may not be meaningful.[3]

The current law – PIPEDA

The Personal Information Protection and Electronic Documents Act (PIPEDA) addresses neither express criteria for nor potential oversight of non-identifiable information.  However, by its definition of “personal information” (information about an identifiable individual) and its application provision (applies to every organization in respect of personal information that the organization collects, uses or discloses in the course of commercial activities), an argument could be made that information that is no longer identifiable is outside the scope of the law.

If outside the law, non-identifiable information could be used for diverse purposes without consent, assuming that consent was not required – or was obtained – in order to make it non-identifiable.  On the other hand, PIPEDA did not address, expressly, the potential risks of re-identification or the result that information that is re-identified as personal information again becomes subject to the law.

Former Bill C-11

In the initial version of the CPPA set forth in former Bill C-11 the government partially addressed the gaps in PIPEDA by including the concept of “de-identified information” and providing for a requirement to apply technical and administrative measures to protect such information and a prohibition against using such information to identify an individual.  Bill C-11 provided a definition which could have been construed to mean information that is outside application of the law since what it describes is not personal information.  Bill C-11 defined “de-identify” to mean:

“to modify personal information — or create information from personal information — by using technical processes to ensure that the information does not identify an individual or could not be used in reasonably foreseeable circumstances, alone or in combination with other information, to identify an individual”.

However, the Bill confused the issue by providing permitted uses for such de-identified information,[4] leading to the conclusion that the law would continue to apply to such information at least in some respects since other uses were not permitted.  This result was unsatisfactory because it left unclear the exact boundaries of application of the law at the same time as providing a definition of non-personal information, apparently within the scope of the law but potentially requiring procedures equivalent to anonymization, suggesting a category of information outside the scope of the law.[5]

Bill C-27’s framework for non-identifiable information

Bill C-27 aligns its treatment of non-personal information with the EU’s General Data Protection Regulation (GDPR) and Quebec’s Bill 64 (now Law 25), stipulating as categories of non-identifiable information, de-identified information and anonymized information.[6]

The Bill defines de-identified information as information that has been modified so that an individual cannot be directly identified from it.[7]  The definition further recognizes that a risk of re-identification remains with any information de-identified on this basis.  The Bill defines anonymized information as information that has been irreversibly and permanently modified, in accordance with generally accepted best practices, to ensure that no individual can be identified from the information, whether directly or indirectly.[8]

Bill C-27 maintains the exceptions to consent for de-identified information contained in Bill C-11.[9]  However, it extends the non-application of the law for de-identified information to a number of procedural rights, specifically, disposal/destruction at the request of the individual, the obligation of accuracy, the right of access to their information, the right to require amendment of inaccuracies, and the new mobility right.  It is not clear why most of these further exceptions are provided.[10]  Commentators have noted that if the organization retains the ability to re-identify the information, the protections for personal information should remain.[11]

Bill C-27 also maintains the protective provisions in Bill C-11 against re-identification.  Section 74 requires an organization to implement technical and administrative measures with respect to the information, proportionate to the purpose for which the information is de-identified as well as to the sensitivity of the information.[12]  Section 75 stipulates a prohibition, breach of which is a criminal offence, against using de-identified information to identify an individual, subject to specified exceptions.[13]  While these provisions specifically reference de-identified information, a reasonable interpretation indicates that they also apply to protecting anonymized information.

It may be argued that the lower threshold for qualifying de-identified information, requiring simply the removal of direct identifiers, poses a significantly increased risk of re-identification, recognizing in effect the ease of re-identification for information from which only direct identifiers have been removed.  However, the purposes specified in the Bill for which de-identified information may be used without user consent are limited, and any organization using such information for such purposes would be governed by the protective measures noted above, meaning that an organization that uses de-identified information for such purposes must take measures to protect against re-identification.

The one caveat to this conclusion concerns the proposed exception for disclosure of de-identified information to (mostly public sector) organizations for socially beneficial purposes.[14]  It is not clear from the current provisions of the Bill that, or to what extent, an organization which discloses de-identified information to a third party must incorporate into its process for providing that information protective protocols ensuring that the third party also protects the de-identified character of the information.  The receiving organization may or may not be subject, independently, to statutory protective rules equivalent to those under the CPPA.[15]

Anonymized information – not entirely out of scope

As noted, the CPPA under Bill C-27 provides for a category of anonymized information that is not subject to application of the law.  In other words, such information, if it was personal information originally but has been anonymized, may be used or disclosed for purposes without any requirement for consent.  Furthermore, such information would not be subject to any of the CPPA’s individual rights such as access, correction or mobility.  This framework is aligned with analogous rules under the GDPR and Quebec’s Law 25.  Taken together with the CPPA’s provisions regarding de-identified information, it clarifies the extent of application of the law.  It also should enable a broader scope for uses of information for research and innovation beyond those specifically provided for in the Bill with respect to de-identified information.  Furthermore, to the extent that concerns may exist with respect to the risks of re-identification in using de-identified information, qualifying such information to the higher standard of anonymization could address those concerns.

To be noted however, while the express stipulation in Bill C-27 is that anonymized information is outside the scope of the law – and therefore arguably beyond regulatory surveillance – that conclusion is not entirely correct.  The operative definition stipulates that anonymization must be accomplished “in accordance with generally accepted best practices” – which is the same phrase as found in the Quebec law.  Innovation, Science and Economic Development Canada (ISED), in its briefings on Bill C-27, specifically pointed to this provision as retaining an ultimate regulatory oversight regarding the protocols – meaning protections – for achieving and maintaining the anonymized character of any information.  It can be expected that this stipulation will be fleshed out through, as a minimum, industry codes of practice, reflecting “best practices”, and quite likely through guidance from the federal Privacy Commissioner.

While the comparable Quebec provision was amended prior to adoption to provide that such practices must accord with criteria set out in regulations, it can be argued that the end result – whether stipulated in regulation or by codes of practice potentially approved by the regulator – will be substantially equivalent.[16]  However, Parliament in its consideration of Bill C-27 may determine that more formal stipulation as in a regulation may be appropriate, as is contemplated with respect to “anonymized data” under the AIDA.[17]

With respect to the potential continued application of the law to anonymized information, two additional observations may be made.  Firstly, to the extent any such information is re-identified, the privacy law would then apply with all its rigour.  Secondly and more importantly, the CPPA’s protective provisions regarding re-identification should – and likely will – be read to apply to anonymized information.  By their express language they apply to information that has been de-identified according to the statutory definition, which clearly would be included in information that has been anonymized.  In sum therefore, while the desired result is for a category of anonymized information that may be utilized outside the full application of the privacy law since it does not – or, under appropriate protections, cannot – be used to identify an individual, the potential for re-identification remains, at least theoretically, and therefore the privacy law does, and should, continue to have application to such information.

Conclusions

The Bill C-27 framework for non-identifiable information aligns with analogous frameworks under the EU’s GDPR and the amended Quebec law as well as those being considered for an Ontario privacy law and a reformed law in BC.  As pointed out above, there are several areas where improvements to the proposed provisions could be made.  What is clear however is that, going forward, providing a supportable framework for such information will be an important aspect of privacy laws, as well as those addressing ethical AI, such as the proposed AIDA.


© David Young Law 2022



For more information please contact: David Young, 416-968-6286, david@davidyounglaw.ca

Note: The foregoing does not constitute legal advice.


[1] S. 2(3)

[2] S. 6(5)

[3] In this regard, see the Office of the Privacy Commissioner’s 2016-17 Annual Report to Parliament.

[4] Research and development (s. 21), due diligence for a prospective sale of a business (s. 22(1)), socially beneficial purposes (s. 39).

[5] The difficulty with the interpretation that the Bill C-11 version of the CPPA would have applied to de-identified information is that it is not clear whether the intended application was to all de-identified information – meaning to include information that by any objective standard would be considered “non-personal” and therefore not identifiable within the law’s stated definition and intended application – or only to information that does not meet this high standard.  Supporting the latter interpretation is the argument that since it reasonably can be expected that such information may (and in certain circumstances will) be re-identified it should be governed by the rules applicable to personal information generally, or some appropriate subset of such rules.  Without clarification, the arguable conclusion is that the Bill was intended to apply to both categories.

[6] The GDPR defines pseudonymized information as personal data that has been processed in such a manner that it can no longer be attributed to a specific individual without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to prevent re-identification. Since such data is considered re-identifiable it therefore continues to be treated as personal information subject to the GDPR’s general data protection rules.  The GDPR defines anonymous information as information which does not relate to an identified or identifiable natural person and provides expressly that such information is outside the application of the law.

Under Bill 64 (Law 25), personal information is de-identified if it no longer allows the person concerned to be directly identified; information concerning a natural person is anonymized when it is at all times reasonable to expect in the circumstances that it irreversibly no longer allows the person to be identified directly or indirectly. Information must be anonymized according to generally accepted best practices and in accordance with criteria and procedures prescribed by regulation.

[7] S. 2(1) – de-identify means to modify personal information so that an individual cannot be directly identified from it, though a risk of the individual being identified remains.

[8] S. 2(1) – anonymize means to irreversibly and permanently modify personal information, in accordance with generally accepted best practices, to ensure that no individual can be identified from the information, whether directly or indirectly, by any means.

[9] Research and development (s. 21), due diligence for a prospective sale of a business (s. 22(1)), socially beneficial purposes (s. 39)

[10] With respect to the mobility right there may be an argument that the individual should have the option to have their information re-identified and transferred in that form.

[11] See Teresa Scassa Blog, July 6, 2022, “Anonymization and De-identification in Bill C-27”.

[12] The language of s.74 is cryptic (“…must ensure that any technical and administrative measures applied to the information are proportionate to the purpose for which the information is de-identified and the sensitivity of the personal information”) leaving the possible interpretation that the organization might have no such measures.  The provision is a holdover from Bill C-11 which required such measures as an integral part of any de-identification procedure; see definition cited above.  An improvement in the wording would make clear the intent that such measures are required.

[13] Exceptions to prohibition.

[14] S. 39

[15] See Teresa Scassa Blog, July 11, 2022, “Data Sharing for Public Good: Does Bill C-27 Reflect Lessons Learned from Past Public Outcry?”

[16] A further distinction with the Quebec provision is that while Bill C-27 stipulates an absolute rule for anonymization (…ensure that no individual can be identified from the information, whether directly or indirectly) Bill 64 (now Law 25) includes a qualification, also added by amendment prior to adoption, recognizing that absolute protection from re-identification may not be possible (information … is anonymized if it is, at all times, reasonably foreseeable in the circumstances that it irreversibly no longer allows the person to be identified directly or indirectly.) (emphasis added).  Therefore, while the Quebec law includes greater scope for prescriptive protective requirements, it also stipulates a potentially more flexible rule regarding the risks of re-identification.

[17] S. 6.