
Supreme Court decision on fair dealing

Today the Supreme Court of Canada determined that 30 second previews of songs offered by online music services constitute “fair dealing for the purpose of research”.  The Court addressed important principles of “users’ rights”, and re-stated its finding in the oft-quoted CCH Canadian Ltd. v. Law Society of Upper Canada case, that 

“‘research’ must be given a large and liberal interpretation in order to ensure that users’ rights are not unduly constrained”. 

The Supreme Court has therefore again come down on the side of users with an accommodating approach to fair dealing. 

The decision remains an important reminder, however, that an analysis of fair dealing is always highly fact-specific and case-by-case.  In a previous post, we cautioned that when the issue is fair dealing online, there is no “quick test” and no “one size fits all”.


Data Anonymization Consultation in the UK: Facilitating Big Data

The UK Information Commissioner’s Office (ICO) has released a draft Code of Practice on Data Anonymisation.  The UK ICO will be conducting a consultation on the draft Code until August 23, 2012.

The UK ICO states that the Data Protection Act (UK) should not be a barrier to prevent the anonymization of personal data.  Moreover, once data is anonymized, the UK ICO states that the data can be disclosed to others without being subject to the Data Protection Act.  This remains true, even if the disclosing organization retains the ability to re-identify the data.

The UK ICO’s interpretation of the Data Protection Act is that data that has been properly anonymized can be deployed for new uses without the consent of the individual from whom the data was initially collected.  The exemption from the need to obtain consent is subject to a number of provisos:

  • the anonymization must be effective (the UK ICO recommends a privacy impact assessment);
  • the purpose for which the anonymization takes place is legitimate (and any ethical approvals have been obtained);
  • there are no detrimental effects on particular individuals;
  • the organization’s privacy policy or some other form of notification explains the anonymization process; and
  • there is a system for collecting individuals’ objections (even though consent is not required).

In assessing the effectiveness of anonymization, the UK ICO states that organizations must consider whether a motivated intruder could re-identify the individual using the data set.  An organization must consider whether information that has purportedly been anonymized could be combined with other information to identify an individual.  If so, then this would be a disclosure of personal information.  The UK ICO suggests that organizations disclosing anonymized data will want to assess the disclosure risk “in the round”.  In other words, all organizations disclosing part of the data set should consider whether another organization (or, the public) could identify the information from the information being disclosed.

Importantly, the UK ICO distinguishes identification from an educated guess.  In order for there to be a re-identification issue creating a risk of disclosure, the data set must be capable of being used for more than establishing a probability that an individual has the characteristics attributed by the data set.

One of the most helpful aspects of the draft Code of Practice is its set of thoughtful examples of anonymization techniques, which will help organizations understand the privacy principles in action.

Anti-Spam Legislation to Take Effect in 2013?

In the written text of a speech given yesterday by Canada’s Minister of Industry on Canada’s digital economy, the Minister stated that Canada’s Anti-Spam Legislation (CASL) is expected to take effect next year.

For more on CASL, please see Margot Patterson’s previous posts here and here and here.