This article published by the International Association of Privacy Professionals delves into key questions shaping the regulation of non-identifiable data: whether data with residual re-identification risk still personal information; who sets re-identification risk management standards; and whether non-identifiable data, like synthetic data, should be regulated to mitigate against inappropriate uses of data and models. Informed by a study examining Canadian privacy laws and regulator interviews, the article argues against an overly cautious approach, asserting that a zero-risk standard impedes the societal and technological benefits of technology. It advocates for a more pragmatic regulatory framework to balance risk and innovation.
