Are Privacy Laws Missing the Mark?
With Data Privacy Week 2023 coming to an end, I am reflecting on how my own privacy consulting and legal career has evolved over the past two decades. Implementing privacy best practices and maturing one’s privacy framework are ideas that are no longer new. Data is clearly recognized as a key organizational asset, but in today’s data driven economy it goes much further than this. As structured and unstructured data holdings explode and significant value is found in the metadata (data about the data), data analytics is at the forefront of business partnerships, success and growth. In light of this, I find my own work has shifted towards advising clients on mining data without compromising privacy or introducing unnecessary risk. In addition to understanding how the data can be better protected, discussions and creative solutions are leaning towards transforming data to gain insights from it without failing on the compliance and data ethics fronts.
We saw some light discussion of de-identification and data anonymization during the Government of Canada’s House of Commons speeches in November 2022 as Bill C-27 makes its way through second reading the House of Commons. The proposed Consumer Privacy Protection Act defines ‘de-identify’ to mean ‘to modify personal information so that an individual cannot be directly identified from it, though a risk of the individual being identified remains’, whereas anonymizing data is to ‘irreversibly and permanently modify personal information, in accordance with generally accepted best practices, to ensure that no individual can be identified from the information, whether directly or indirectly, by any means.’ We are still waiting for the Federal Privacy Commissioner’s comments but concerns about the interpretation of these definitions can be expected. Dr. Teresa Scassa’s article on the topic provides an excellent review of some of these concerns including the ability given in the proposed law to use de-identified data, as currently defined, for ‘socially beneficial purposes’.
Hopefully we will see more momentum with Bill C-27 soon so organizations are offered clarity on what changes can be expected and when the Bill may actually become law. Many important details are left to regulations that are also an unknown at this time. No matter how great the government’s effort, privacy laws always seem to be one step behind innovative data uses and data flows. Another stellar resource worth reading is Daniel Solove’s recent paper Data is What Data Does: Regulating Use, Harm and Risk instead of Sensitive Data. It focuses on a deeper flaw at the root of many privacy laws – their focus on the nature of personal data, when its the inferences about all types of data, including what we may consider non-sensitive, that need to be critically assessed from a risk of harm perspective.
Privacy professionals are clearly being called upon to work hand-in-hand with data scientists – whether I’m training, consulting or providing legal advice both to public and private sector entities, I am drawing on my own engineering background more than ever to take a risk-based approach to data-handling. Privacy officers and managers must be willing to take a deep dive into understanding their organizations’ data-driven goals, so privacy compliance responsibilities are not thought about in a vacuum or seen as impractical.
As a training partner with the International Association of Privacy Professionals, this is an area I focus on when delivering certification preparatory courses that are becoming increasingly useful for maturing one’s understanding of the complex privacy landscape globally. CLICK HERE to learn more about the courses being offered by PRIVATECH this Spring.