Roughly speaking, de-identified information should make it highly unlikely that an individual can be identified. Anonymization should make it impossible. However, there are really important technical conversations happening about whether it's truly possible in our big data age, where we have data brokers who advertise that they have thousands of data points on up to two million or two billion people, that some recombination of data wouldn't facilitate re-identification. It's unlikely. It's not a risk that should be at the top of our consideration, but it should be there.
If this bill is to provide appropriate protection for people, ensuring that the technical standards of anonymization.... Computer science is a changeable field, and these standards change over time. Ensuring that someone has the oversight to ensure that the standards being used are appropriate in the circumstances is fundamentally important.