The Untenable Standard of Anonymized Data

July 25, 2023
By: Melanie Szweras and Parnian Soltanipanah

The proposed Consumer Privacy Protection Act (the CPPA) while still in its infancy, sheds light on the potential future of privacy law in Canada. One of the notable changes is the inclusion of statutory definitions of “de-identified” and “anonymized” information.

The CPPA defines the process of de-identifying personal information as “modify[ing] personal information so that an individual cannot be directly identified from it, though a risk of the individual being identified remains.”[1] On the other hand, to “anonymize” means to “irreversibly and permanently modify personal information, in accordance with generally accepted best practices, to ensure that no individual can be identified from the information, whether directly or indirectly, by any means.”[2]

While these objective definitions may work in a vacuum, their applicability in real life will be difficult without a more nuanced approach. Using a nuanced approach, if identifiable markers are removed from data and sent to a third party, it is possible for that information to be considered both de-identified and anonymous depending on perspective.  For the company that removes the identifiable markers, the information is likely considered de-identified because there is a risk that the information can be matched with other records in possession of the company. For the third party without access to the original information, the information is likely considered anonymized. Under the current definition of anonymized in the CPPA, the information in the hands of the third party would still only be considered de-identified since there is still some means, possibly only illegal means, in which it can be re-identified.

Identification should have less to do with the process the information has undergone to remove identifiable markers, and more to do with what additional information various parties have access to.

A recent decision from the Court of Justice of the European Union (CJEU) found that a nuanced approach considering the accessibility of information is an important factor in determining whether information has been sufficiently anonymized to no longer be considered personal information.

As background, the terms pseudonymized data and anonymous data under the European Union’s General Data Protection Regulation (GDPR) have similar definitions to de-identified and anonymized data under the CPPA. The GDPR defines anonymous data as information that cannot be used to identify an individual.[3] Pseudonymization is processing personal data in such a manner that the data cannot be attributed to a specific individual, without the use of additional information.[4]

The SRB v EDPS [T557/20] case revolves around a resolution scheme adopted by the Single Resolution Board (SRB) for the Banco Popular Español SA. Affected shareholders and creditors could register by providing documentation, and once verified, could submit written comments to assist the SRB in determining whether the parties affected by the resolution should be granted compensation. The comments, which were aggregated and identified only with an alphanumerical code, were transferred to a third-party auditor, Deloitte. Deloitte was to review the comments and determine whether the shareholders and creditors would have been better off with normal solvency proceedings. A number of complaints were submitted to the European Data Protection Supervisor (EDPS) alleging the SRB violated the privacy statement by transferring comments to Deloitte without their knowledge.

The CJEU held that pseudonymized data shared with a third party will not be considered personal data in the hands of the recipient, where the recipient does not have the additional information or legal means of obtaining this information in order to re-identify the data subject. This decision contends that if the third party cannot legally access additional information to re-identify the data subject, the pseudonymized data they received can be considered anonymous in their hands. In this case, while the SRB held the key allowing them to match the alphanumerical codes on the comments with their authors, Deloitte did not and could not access that key. As such, for all intents and purposes that information could be considered anonymous to Deloitte, and pseudonymous to SRB.

This nuanced approach should be incorporated in the CPPA to replace the strict wording currently proposed. As currently defined, if additional information objectively exists that could re-identify information, regardless of who has access to it, it will be considered de-identified information and thus under the scope of the CPPA. From a practical perspective, this places a heavy burden on third party organizations used for data processing, while the risk to individuals remains relatively low. Protecting personal information is of utmost importance, but a balance between the level of protection and the risk of re-identification needs to be struck. Thus far, the currently proposed CPPA is missing this balance.


[1] CPPA, s.2(1).

[2] CPPA, s.2(1).

[3] GDPR Recital 26.

[4] GDPR Article 4.

Subscribe to our newsletter

You can unsubscribe at any time. This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

This site is registered on as a development site.