
Anonymization of Personal Information under Quebec Law

May 31, 2024 Privacy & Data Protection Bulletin 4 minute read

In Canada, privacy legislation governs the use of personal information, and organizations often aim to repurpose this data or rely on anonymization to avoid stringent legal requirements. Regulators, however, maintain rigorous standards for what qualifies as anonymized information, distinguishing it from de-identified information, which remains subject to privacy laws. On May 15, 2024, Quebec defined these requirements by publishing its final regulation on anonymization, which establishes specific guidelines on how to properly anonymize personal information. The adoption of this regulation stems from “Act 25”, formally known as An Act to Modernize Legislative Provisions as Regards the Protection of Personal Information, which amends the Act Respecting the Protection of Personal Information in the Private Sector (hereinafter referred to as the “Act”) to introduce the possibility for organizations to use anonymized information.

Act 25’s amendment to Section 23 of the Act provides that personal information must be anonymized according to generally accepted best practices and the criteria and terms determined by regulation. However, when Act 25 came into force, such regulation had not yet been adopted, so the Commission d’accès à l’information (Quebec’s privacy regulator, referred to here as the “CAI”) took the position that it was not possible to anonymize personal information.

However, those days are now over: the long-awaited regulation has come into force as of the date of publication of this bulletin, and it is now possible for organizations to anonymize personal information if the criteria detailed below are met. Organizations that process personal information in Quebec should note that personal information may only be anonymized once the purposes for which it was collected or used are achieved, as the Act allows the anonymization of personal information only as an alternative to its destruction. The CAI has currently taken the position that personal information cannot be anonymized until it has reached that stage. Furthermore, anonymized information is permitted to be used only for serious or legitimate purposes.

Requirements to Anonymize Personal Information

The regulation outlines a three-stage anonymization process:

Stage 1: Before the Anonymization Process

Before beginning the anonymization process, organizations must define the purposes for using anonymized data, ensuring they are consistent with section 23 of the Act which requires that such purposes must be serious and legitimate. After the information has been anonymized, organizations may also use anonymized information for new purposes not identified at the beginning of the anonymization process if these new purposes are also serious and legitimate.

Stage 2: During the Anonymization Process

At the start of the process, all direct identifiers (e.g., names, social insurance numbers, email addresses) must be removed. A preliminary risk analysis must be conducted to assess re-identification risks, considering public information and the following criteria:

  1. Individualization: Ensures the inability to isolate or distinguish an individual within a dataset.
  2. Correlation: Ensures the inability to link datasets about the same person.
  3. Inference: Ensures the inability to infer personal information from other available data.

Based on this analysis, organizations must implement anonymization techniques following best practices and include reasonable protection measures to mitigate re-identification risks. The regulation also requires that the entire anonymization process must be supervised by a qualified professional.

Stage 3: After the Anonymization Process

After implementing anonymization techniques and security measures, organizations must analyze the risks of re-identification. This analysis should show that anonymized information cannot reasonably be used to identify a person. Although zero risk is not required, the residual re-identification risk must be very low, considering:

  • The purposes for using anonymized information;
  • The nature of the information;
  • The individualization, correlation, and inference criteria;
  • The risk of publicly available information being used for re-identification; and
  • The efforts, resources, and expertise required for re-identification.

Organizations must periodically reassess anonymized data to ensure it remains anonymized, considering technological advancements and new risks. The latest re-identification risk analysis of the organization must be updated after each reassessment and the results of the analysis must continue to show a very low risk of re-identification. Otherwise, the information will no longer be considered anonymized.

We note that the draft regulation, first published on December 20, 2023, has undergone some minor changes, primarily aimed at easing obligations on organizations. The draft regulation provided that assessments of anonymized information should be conducted regularly, while the final version of the regulation now requires the assessment to be conducted periodically. We interpret the change in wording to indicate that assessments are necessary only when there are changes affecting the anonymized information. Otherwise, assessments are not required, thus imposing a lighter burden on organizations. The intervals for these assessments should be determined according to the residual risks identified in the latest re-identification risk analysis and the same factors considered during the initial re-identification risk assessment listed above.

The regulation also requires organizations to maintain a register documenting:

  • The description of the anonymized information;
  • The purposes for using anonymized data;
  • The anonymization techniques and security measures used; and
  • The dates of initial and subsequent re-identification risk analyses.

Conclusion

Québec’s Act 25 has introduced significant sanctions to ensure compliance with a number of obligations under the Act. In particular, since September 2023, individuals who identify or attempt to identify a person using de-identified or anonymized information without authorization can face fines up to $25,000,000 or 4% of worldwide turnover for the previous fiscal year, whichever is higher.

In preparation for the coming into effect of the regulation, organizations intending to use anonymized personal information should designate a qualified professional, define the purposes for using anonymized information, conduct thorough preliminary analyses of the individualization, correlation, and inference criteria, and assess the re-identification risk.

Quebec’s Anonymization Regulation came into effect on May 30, 2024, except for the requirement to record specific information in a register, which comes into effect on January 1, 2025.

McMillan’s Privacy & Data Protection Group can help your organization to understand and comply with Quebec’s privacy legislation. Contact us today to learn how we can help you stay in compliance with the evolving legal framework!

by Alice Ahmad

A Cautionary Note

The foregoing provides only an overview and does not constitute legal advice. Readers are cautioned against making any decisions based on this material alone. Rather, specific legal advice should be obtained.

© McMillan LLP 2024
