Finally I mentioned, consistent with my colleagues, that organizations now engage in a practice referred to as de-identification or anonymization or obfuscation, which is extraordinary helpful to protect the privacy interests of individuals while it's processing, but it protects individuals because the data can be rendered non-identifiable. There's an open question—and this raged in Europe for years—as to whether you need authority to actually just de-identify the information. Our respectful suggestion to the committee is that this discussion be put to rest. Clarity should be required, and organizations should be able to take the step to safeguard the data and should be able to de-identify or anonymize data without consent, rather than having to seek consent to de-identify. This is a helpful safeguarding measure, so that's the basic point.
On May 30th, 2017. See this statement in context.