Egin Kongoli Archives - IPOsgoode /osgoode/iposgoode/tag/egin-kongoli/ An Authoritive Leader in IP Fri, 24 Feb 2023 17:00:00 +0000 en-CA hourly 1 https://wordpress.org/?v=6.9.4 Anonymous for Now: Demystifying Data De-Identification /osgoode/iposgoode/2023/02/24/anonymous-for-now-demystifying-data-de-identification/ Fri, 24 Feb 2023 17:00:00 +0000 https://www.iposgoode.ca/?p=40615 The post Anonymous for Now: Demystifying Data De-Identification appeared first on IPOsgoode.

]]>

Egin Kongoli is a 3L JD Candidate at Osgoode Hall Law School. This article was written as a requirement for Prof. Pina D’Agostino’s IP Innovation Program.


Canada is getting serious about consumer privacy, or so our lawmakers claim.

Parliament has recognized the public’s need for a data framework that ensures proper transparency and accountability.[i] Ottawa’s response is and the proposed Consumer Privacy Protection Act(CPPA), meant to govern the future collection, use, and disclosure of personal information for commercial purposes. However, while the law modernizes elements of the privacy framework, it leaves out exceptions for de-identified data practices that undermine the very trust the legislation is meant to foster. Standing tenuously on technological assumptions, the exception creates a wild-west scenario ripe for harmful data practices. 

Under the CPPA, organizations are not required to obtain user consent to de-identify, a process that modifies data so that “an individual cannot be directly identified.”[ii] The legislation creates an offence for re-identification and, as such, seems aware of the risk.[iii] Nonetheless, further exceptions are made for data anonymization, by which an organization “irreversibly and permanently modif[ies] personal information… to ensure that no individual can be identified from the information, whether directly or indirectly, by any means.”[iv] The CPPA excludes the anonymized data from its purview because, by their definition, there is no reasonable prospect of re-identification.

This logic rests on several problematic assumptions. First, the line which separates de-identified and anonymized data is vague and rarely obvious until re-identification occurs. De-identified data is by its nature not meant to be re-identified, and thus anonymous by the government’s definition. Moreover, the law assumes organizations have the technological capabilities to ensure irreversible and permanent anonymization. While identifiers may be removed, many other seemingly innocuous data points can be used to . Research from Oxford recently found that . One might imagine many disturbing consequences, from identity fraud to the cancer patient whose allegedly-anonymous data is used to change their insurance coverage and rates.

How can the disclosure and use of data be monitored if the law excludes anonymized data from regulation? Privacy enforcement may require individuals to come forward with complaints about the misuse of their data.[v] The system thus asks users to not only be aware of their data anonymization (which they never consented to) and its subsequent disclosure (kept secret from them) but to catch the bad actors re-identifying information the regulators turned a blind eye to. Our framework’s release-and-forget de-identification model thus opens the door to potential misuse of personal information that will remain altogether hidden from the regulator’s or public’s view. Where is the transparency or accountability?

While the anonymized exception answers the growing demands of businesses seeking to use personal data, the current state of de-identification practices does not satisfy the standards of the CPPA. The European GDPR includes data that does not contain direct identifiers but is capable of re-identification, “,” as within the scope of the law. That our lawmakers decided against regulating allegedly-anonymous data begs whether their priorities indeed lay with the needs of the public or of commerce.


[i] Bill C-27, An Act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act and to make consequential and related amendments to other Acts, 1st Sess, 44th Parl, 2022, preamble, para 8.

[ii] Ibid at s 2(1).

[iii] Ibid at s 128.

[iv] Ibid at s 2(1).

[v] Ibid at s 107.

The post Anonymous for Now: Demystifying Data De-Identification appeared first on IPOsgoode.

]]>
Powering the Future: Insights on Energy Innovation from a Semester at Alectra (IP Intensive Reflection) /osgoode/iposgoode/2023/01/16/powering-the-future-insights-on-energy-innovation-from-a-semester-at-alectra-ip-intensive-reflection/ Mon, 16 Jan 2023 17:00:00 +0000 https://www.iposgoode.ca/?p=40452 The post Powering the Future: Insights on Energy Innovation from a Semester at Alectra (IP Intensive Reflection) appeared first on IPOsgoode.

]]>

Egin Kongoli is an IP Innovation Clinic Fellow and a 3L JD Candidate at Osgoode Hall Law School. This article was written as a requirement for Prof. Pina D’Agostino’s IP Intensive program.


When I was first assigned a utility provider as my placement for the Intellectual Property Law and Technology Intensive, I thought, “What does providing electricity have to do with intellectual property?” As I quickly learned, businesses that haven’t traditionally dealt with IP rights are facing a rising tide of related challenges as they seek to capitalize on new opportunities. Intellectual property directly supports Alectra Utility Corporation’s evolution from a distributor of electricity to a springboard for greater opportunities for their customers. While Alectra’s traditional role as a service provider still makes up most of its business, the provides new incentives to support innovative research and development. My internship at Alectra was spent on, among other things, the ongoing development of an intellectual property strategy to capture more value from the utility’s emerging collaborative business, along with consideration of its institutional business.

Reaching net-zero emissions by 2050 requires a significant transformation of Ontario’s energy system. As a utility provider serving over a million Ontarians, Alectra is poised at the forefront of this project. Through the Green Energy & Technology Centre (GRE&T Centre), Alectra cultivates innovation by identifying, evaluating, and accelerating emerging clean-energy solutions. The work is cutting-edge, like 2021’s GridExchange Pilot, a transactive, blockchain-backed energy platform and marketplace. Through GridExchange, customers with energy assets like solar panels, battery storage, or electric vehicles can receive compensation and rewards for managing their energy use, such as . From municipalities to start-ups, many are eager to access utility data so that they might develop other innovative solutions. Proper strategy, governance, processes, policies and contracts are needed to ensure any IP creation resulting from the collaboration and any real upside potential can be shared with Alectra.

IP strategy determines a standard for how rights-based issues will be handled in the collaborative environment. Canadian universities have paved the way in this regard. Like Alectra, these institutions aim to serve the public interest through the fruits of intellectual inquiry by enabling and encouraging research and development. University IP policies vary, but they all grapple with similar legal issues such as disclosure, use, ownership, commercialization, and revenue sharing. As third-party members working with Alectra and the GRE&T Centre receive data alongside meaningful learning and experience, using personal information by third parties will require careful consideration of not just legal obligations but also Alectra’s reputation. Current privacy legislation dictates that corporations must obtain valid consent from the individual to collect, use or disclose their personal information. At the same time, the federal government’s newly proposed Bill C-27, the Consumer Privacy Protection Act, weaves a web of exceptions to regulated practices that obfuscates oversight. For example, the CPPA excludes “anonymized data” from its purview, regardless of the ongoing debate on whether data can ever be de-identified without a remaining risk of re-identification. However, the proposed legislation permits the de-identification of data and the use of this material without the requisite knowledge or consent of the customer if the disclosure is made for “a socially beneficial purpose,” including the “protection of the environment.” By way of example, if Alectra or another utility discloses data to develop clean-energy infrastructure or energy-saving services, would it be excluded as a socially beneficial purpose? If a business anonymizes and aggregates its data sets, does this mean such disclosures are excluded entirely from regulatory oversight? Personal information must not be collected or used to influence an individual’s behaviour or decisions, but what if such a purpose is an alleged “socially beneficial” one?

My time at Alectra was illuminating. The work was not only related to intellectual property law but was also challenging and required endless inquiry to understand the nuanced interplay of laws and a business’s interests. From privacy to protecting against misappropriation, data practices demand multiple layers of legal and operational consideration. Whether through an NDA or an employment contract, a business’s dealings must reflect its IP strategy. Collaborative agreements must delineate contributions made by the company and benefits shared back. As , contractual measures must be taken to protect the data, but cannot be so strict as to dissuade collaboration. These challenges, and others unnamed here, offer exciting opportunities for lawyers working in the utility space as intellectual property law continues to fuel innovation.

The post Powering the Future: Insights on Energy Innovation from a Semester at Alectra (IP Intensive Reflection) appeared first on IPOsgoode.

]]>