On 11 October 2024, the Office of the Privacy Commissioner of Canada issued a statement on reducing identifiability from a cross-national perspective, covering statutory and policy definitions for anonymisation, pseudonymisation, and de-identification in G7 jurisdictions. These processes enable innovative uses of data while minimising privacy risks and ensuring compliance with privacy protection laws. However, G7 countries differ significantly in how they define these terms and integrate them into their privacy frameworks, which makes it hard for organisations to understand their obligations. The statement aims to clarify these differences by outlining the legal and policy definitions of these terms, highlighting both overlaps and divergences. It focuses on how de-identification, pseudonymisation, and anonymisation are understood, their thresholds for application, and their effects on whether data is considered personal information and thus subject to legal protections. For de-identification, for instance, definitions vary significantly, from the stricter standards in the US and Canada’s health data laws to more lenient approaches in other jurisdictions. Pseudonymisation typically requires that the information can be traced back to an individual only with additional data, but pseudonymised data is still considered personal information. Finally, anonymisation, which generally removes identifiability entirely, is treated similarly across jurisdictions, though approaches differ regarding how irreversible the process must be.