
Quebec’s Anonymization Regulation: A Step-by-Step Guide For Businesses

September 9, 2024 Privacy & Data Protection Bulletin 5 minute read

As of May 30, 2024, organizations subject to Quebec laws must comply with the Regulation respecting the anonymization of personal information (French version here) (“Quebec Anonymization Regulation”). The main objective of this regulation is to provide a standardized framework for the anonymization of personal information.

This regulation was adopted in furtherance of Article 23 of the Act respecting the protection of personal information in the private sector (“Quebec Privacy Act”) and Article 73 of the Act respecting Access to documents held by public bodies and the Protection of personal information (“Access Act”), which require that “information anonymized (…) must be anonymized according to generally accepted best practices and according to the criteria and terms determined by regulation.”

As such, under Quebec privacy laws, organizations must anonymize personal information in accordance with “generally accepted best practices” and “the criteria and terms determined by regulation.” The Quebec legislator has therefore adopted the Quebec Anonymization Regulation, which sets out the criteria and terms it expects organizations to comply with.

In this article, we will provide you with an overview of the requirements set out in the Quebec Anonymization Regulation and a step-by-step guide for anonymizing personal information.

Let’s get started.

1.     Requirements of the Quebec Anonymization Regulation

Under the Quebec Anonymization Regulation, personal information must be anonymized according to the criteria it sets out.  Here is a summary of the requirements in a step-by-step format:

1.1.     Step 1: Purpose Identification

Before starting the anonymization process, organizations must clearly establish the purpose for which they intend to use the anonymized information. In other words, companies must first identify why they need anonymized information. This ensures that organizations intend to use anonymized information for a legitimate purpose and can adequately apply appropriate anonymization techniques set out in the Quebec Anonymization Regulation.

It must be noted that if organizations wish to use their anonymized information for purposes other than those initially determined when the personal information was anonymized, they must ensure that the new purposes are consistent with the requirements of the Quebec Anonymization Regulation.

1.2.     Step 2: Supervised Anonymization Process

The Quebec Anonymization Regulation requires that the anonymization process be supervised by a qualified person in the field. This requirement ensures that the appropriate anonymization technique is used, a proper re-identification risk assessment is performed, and the integrity of the entire anonymization process is maintained.

1.3.     Step 3: Initial Data Preparation

At the beginning of the anonymization process, organizations must remove all personal information from their dataset. In other words, any information that could directly or indirectly identify a person must be removed from the dataset.

1.4.     Step 4: Re-Identification Risk Analysis

Once the dataset is stripped of all personal information, organizations must ensure that individuals cannot be re-identified by performing a re-identification risk analysis, considering:

  • the individualization criterion, the correlation criterion, and the inference criterion set out by the Quebec Anonymization Regulation; and,
  • other reasonably available information, particularly in the public space, that could be used to identify a person directly or indirectly.

1.5.     Step 5: Anonymization Techniques and Security Measures

Based on the re-identification risks identified, organizations must establish and apply appropriate anonymization techniques consistent with generally accepted best practices. Additionally, organizations must implement reasonable data protection and security measures to reduce any identified re-identification risk.

1.6.     Step 6: Post-Anonymization Risk Analysis

Once an organization has implemented appropriate anonymization techniques and security measures, it must conduct a new re-identification risk analysis. The results of this new assessment should demonstrate that, at all times (reasonably foreseeable in the circumstances):

  • The anonymization process is irreversible; and,
  • The anonymized information no longer allows the identification of a person, directly or indirectly.

Although the Quebec Anonymization Regulation does not require zero risk of re-identification, it does require that the “residual risks of re-identification” be “very low” considering the following parameters:

  • The purpose of the anonymization;
  • The nature of the information;
  • The individualization, correlation, and inference criteria;
  • The risks posed by other available information, particularly in the public space; and,
  • The efforts and resources required to re-identify the personal information.

1.7.     Step 7: Ongoing Assessment

Organizations must periodically reassess their anonymized information to ensure it remains anonymized over time. This includes updating re-identification risk analyses already performed and considering technological advancements that could increase the risk of re-identification.

Any periodic assessment must continue to demonstrate that the anonymization process remains irreversible and that the anonymized information cannot be used to re-identify an individual. The Quebec Anonymization Regulation states that organizations should determine the appropriate reassessment interval based on the residual risks of re-identification identified during their re-identification risk analysis.

1.8.     Step 8: Record-Keeping Requirement

Effective January 1, 2025, organizations must maintain a register documenting:

  • a description of the anonymized personal information;
  • the purposes for which the anonymized information will be used;
  • the anonymization techniques and security measures applied; and,
  • the date the re-identification risk analysis was performed, along with any updates.

2.     Understanding the Anonymization Criteria

The Quebec Anonymization Regulation specifically identifies three anonymization criteria, namely:

  • correlation criterion;
  • individualization criterion; and
  • inference criterion.

Let’s look at each criterion in more detail.

2.1.     Correlation Criterion

The Quebec Anonymization Regulation defines the correlation criterion as “the inability to connect datasets concerning the same person.” This criterion ensures that, once personal information has been anonymized, it is no longer possible to link different datasets that pertain to the same individual. In practice, organizations with multiple datasets should not cross-reference them to re-identify an individual. In other words, this criterion prevents the re-identification of an individual through the combination of information from different sources.

2.2.     Individualization Criterion

The Quebec Anonymization Regulation defines the individualization criterion as “the inability to isolate or distinguish a person within a dataset.” The individualization criterion is designed to prevent any person from being singled out or distinguished within a dataset. Although a dataset may only contain anonymized information, it should be generalized enough so that no specific individual can be isolated from the rest of the dataset. This prevents scenarios where an individual’s identity could be inferred by identifying unique characteristics or patterns within the same dataset.

2.3.     Inference Criterion

The Quebec Anonymization Regulation defines the inference criterion as “the inability to infer personal information from other available information.” The inference criterion focuses on preventing the deduction of a person’s identity from anonymized information by analyzing it in conjunction with other available information. Although a particular dataset may not allow the identification of any person, this criterion ensures that it is not possible to infer personal information by piecing together information from other sources, such as the public space. The objective of this criterion is to have organizations assess the risk of re-identification arising from inferences that could be drawn from information reasonably available from other sources.

3.     European Influence on Quebec’s Anonymization Criteria

The Quebec Anonymization Regulation is largely inspired by European developments over the years. More specifically, Opinion 5/2014 on Anonymisation Techniques by the Article 29 Data Protection Working Party is a valuable source for interpreting the Quebec Anonymization Regulation. This opinion outlines the limitations and effectiveness of various anonymization methods, emphasizing the risks of re-identification. The key European anonymization criteria it presents align closely with Quebec’s regulation:

  1. Singling Out (similar to the Individualization Criterion in Quebec): Ensuring that individual records cannot be singled out within a dataset;
  2. Linkability (similar to the Correlation Criterion in Quebec): Preventing the linkage of records across different datasets to a single individual; and
  3. Inference (the same as the Inference Criterion in Quebec): Reducing the likelihood of inferring personal information from anonymized data.

4.     Conclusion

The Quebec Anonymization Regulation represents a significant step forward in ensuring that personal information is protected in a way that aligns with global privacy standards. Organizations can effectively minimize the risk of re-identification by adhering to the anonymization criteria and processes it sets out. The regulation not only provides a roadmap for compliance but also encourages organizations to adopt best practices in data management. Organizations must remain proactive, continually assess their anonymization needs and methods, and ensure compliance with Quebec privacy law requirements.

by Amir Kashdaran

A Cautionary Note

The foregoing provides only an overview and does not constitute legal advice. Readers are cautioned against making any decisions based on this material alone. Rather, specific legal advice should be obtained.

© McMillan LLP 2024
