Anonymization of Personal Information under Quebec Law
In Canada, privacy legislation governs the use of personal information, and organizations often aim to repurpose this data or rely on anonymization to avoid stringent legal requirements. Regulators, however, maintain rigorous standards for what qualifies as anonymized information, distinguishing it from de-identified information, which remains subject to privacy laws. On May 15, 2024, Quebec defined these requirements by publishing its final regulation on anonymization, which establishes specific guidelines on how to properly anonymize personal information. The adoption of this regulation stems from “Act 25”, formally known as An Act to Modernize Legislative Provisions as Regards the Protection of Personal Information, which amends the Act Respecting the Protection of Personal Information in the Private Sector (hereinafter referred to as the “Act”) to introduce the possibility for organizations to use anonymized information.
Act 25’s amendment to Section 23 of the Act provides that personal information must be anonymized according to generally accepted best practices and the criteria and terms determined by regulation. However, when Act 25 came into force, such regulation had not yet been adopted, so the Commission d’accès à l’information (Quebec’s privacy regulator, referred to here as the “CAI”) took the position that it was not possible to anonymize personal information.
However, those days are now over: the long-awaited regulation has come into force as of the date of publication of this bulletin, and it is now possible for organizations to anonymize personal information if the criteria detailed below are met. Organizations that process personal information in Quebec should note that personal information may only be anonymized once the purposes for which it was collected or used are achieved, as the Act allows the anonymization of personal information only as an alternative to its destruction. The CAI has currently taken the position that personal information cannot be anonymized until it has reached that stage. Furthermore, anonymized information is permitted to be used only for serious or legitimate purposes.
Requirements to Anonymize Personal Information
The regulation outlines a three-stage anonymization process:
Stage 1: Before the Anonymization Process
Before beginning the anonymization process, organizations must define the purposes for using anonymized data, ensuring they are consistent with section 23 of the Act which requires that such purposes must be serious and legitimate. After the information has been anonymized, organizations may also use anonymized information for new purposes not identified at the beginning of the anonymization process if these new purposes are also serious and legitimate.
Stage 2: During the Anonymization Process
At the start of the process, all direct identifiers (e.g., names, social insurance numbers, email addresses) must be removed. A preliminary risk analysis must be conducted to assess re-identification risks, considering public information and the following criteria:
- Individualization: Ensures the inability to isolate or distinguish an individual within a dataset.
- Correlation: Ensures the inability to link datasets about the same person.
- Inference: Ensures the inability to infer personal information from other available data.
Based on this analysis, organizations must implement anonymization techniques following best practices and include reasonable protection measures to mitigate re-identification risks. The regulation also requires that the entire anonymization process must be supervised by a qualified professional.
Stage 3: After the Anonymization Process
After implementing anonymization techniques and security measures, organizations must analyze the risks of re-identification. This analysis should show that anonymized information cannot reasonably be used to identify a person. Although zero risk is not required, the residual re-identification risk must be very low, considering:
- The purposes for using anonymized information;
- The nature of the information;
- The individualization, correlation, and inference criteria;
- The risk of publicly available information being used for re-identification; and
- The efforts, resources, and expertise required for re-identification.
Organizations must periodically reassess anonymized data to ensure it remains anonymized, considering technological advancements and new risks. The latest re-identification risk analysis of the organization must be updated after each reassessment and the results of the analysis must continue to show a very low risk of re-identification. Otherwise, the information will no longer be considered anonymized.
We note that the draft regulation, first published on December 20, 2023, has undergone some minor changes, primarily aimed at easing obligations on organizations. The draft regulation provided that assessments of anonymized information should be conducted regularly, while the final version of the regulation now requires the assessment to be conducted periodically. We interpret the change in wording to indicate that assessments are necessary only when there are changes affecting the anonymized information. Otherwise, assessments are not required, thus imposing a lighter burden on organizations. The intervals for these assessments should be determined according to the residual risks identified in the latest re-identification risk analysis and the same factors considered during the initial re-identification risk assessment listed above.
The regulation also requires organizations to maintain a register documenting:
- The description of the anonymized information;
- The purposes for using anonymized data;
- The anonymization techniques and security measures used; and
- The dates of initial and subsequent re-identification risk analyses.
Conclusion
Québec’s Act 25 has introduced significant sanctions to ensure compliance with a number of obligations under the Act. In particular, since September 2023, individuals who identify or attempt to identify a person using de-identified or anonymized information without authorization can face fines up to $25,000,000 or 4% of worldwide turnover for the previous fiscal year, whichever is higher.
In preparation for the coming into effect of the regulation, organizations intending to use anonymized personal information should designate a qualified professional, define the purposes for using anonymized information, conduct thorough preliminary analyses of the individualization, correlation, and inference criteria, and assess the re-identification risk.
Quebec’s Anonymization Regulation came into effect on May 30, 2024, except for the requirement to record specific information in a register, which comes into effect on January 1, 2025.
McMillan’s Privacy & Data Protection Group can help your organization to understand and comply with Quebec’s privacy legislation. Contact us today to learn how we can help you stay in compliance with the evolving legal framework!
by Alice Ahmad
A Cautionary Note
The foregoing provides only an overview and does not constitute legal advice. Readers are cautioned against making any decisions based on this material alone. Rather, specific legal advice should be obtained.
© McMillan LLP 2024