In the IAPP’s Privacy Advisor, there’s a good article by Khaled El Eman and Mike Hintze that argues you do not need consent if you are anonymizing or de-identifying data sets. The analysis is focused on the EU General Data Protection Regulation, and it concludes that organizations that de-identify data sets can rely on the legitimate interests exception in the GDPR.
Clearly, there are good reasons why we want our laws to permit the de-identification of data, and their article makes a compelling argument that the GDPR does exactly this. Time will tell if the data protection authorities agree with their analysis.
It’s different in Canada because our laws do not provide the same legitimate interests exception. This, I think, is another major reason why our laws need to be modernized. The legitimate interests exception is a smart way of realizing that consent is not the ultimate solution to every situation. In fact, as we know, consent in many contexts is impractical — if not downright impossible. The legitimate interests exception allows the accountability principle to shine through and, when applied properly, protects an individual’s fundamental right to privacy.
Khaled is the founder of Privacy Analytics, which is a Canadian organization. I realize the article was written to address the GDPR context, but I hope it also becomes a catalyst that encourages progressive change in Canada. How do we find the right balance between using data for good, which is hugely important, and protecting privacy, which is equally so? Your thoughts on all this are, as always, welcome.
Have a good weekend.
If you want to comment on this post, you need to login.