Québec's Act respecting the protection of personal information in the private sector (the “Private Sector Act”) underwent significant amendments that came into force on September 22, 2023. These changes impact all businesses that collect, hold, use or transfer (communicate) personal information in the province. This article will describe a key regulation that has been published regarding the requirements for how personal information must be anonymized under the Private Sector Act. This will be highly relevant for many businesses based in Québec and any other Canadian or foreign-based business collecting personal information in Québec.
Section 23 of the Private Sector Act stipulates that when the purposes for which personal information was collected or used are achieved, businesses must destroy the information or anonymize it to use it for serious and legitimate purposes, subject to any preservation period provided for by law.
Under this section, information concerning a natural person is deemed to be anonymized if it is, at all times, reasonably foreseeable in the circumstances that it irreversibly no longer allows the person to be identified directly or indirectly.
In addition, information must be anonymized according to generally accepted best practices, as well as to the criteria and terms determined by regulation.
On May 15, 2024, the Government of Québec published a Regulation respecting the anonymization of personal information (the “Regulation”). This is significant as it is the first of its kind in Canada.
Anonymization must be distinguished from de-identification. The latter concept refers to when information can no longer be used to directly identify a person. This lower threshold is insufficient in the context of Section 23 of the Private Sector Act.
Parallels can be drawn to the European General Data Protection Regulation's (“GDPR”) concept of pseudo-anonymized data vs anonymous information. The former, while serving to protect personal data, would still be subject to the GDPR, while the latter would be outside the scope of the law (see Recital 26 GDPR)1. In Québec however, there is no indication that anonymized information is no longer subject to the Private Sector Act.
The Regulation seeks to ensure that the personal information of citizens will be anonymized according to a rigorous process that will significantly reduce the re-identification risks associated with anonymization.
The Regulation provides for the following principles:
- before the anonymization process begins, the purposes for which the anonymized personal information is to be used must be established;
- the anonymization process must be carried out under the supervision of a qualified person;
- at the beginning of the anonymization process, all personal information that allows a person to be directly identified must be removed;
- an analysis of the re-identification risks must be conducted at various times during the anonymization process; this analysis must be updated periodically, including to take technological advances into account;
- the analysis of re-identification risks must consider individualization, correlation and inference criteria (these three technical factors are defined in greater detail in the Regulation), as well as the risks that other reasonably available information, particularly in the public space, could be used to identify a person directly or indirectly;
- reasonable protection and security measures must be established to reduce the re-identification risks;
- it is not necessary to demonstrate that there is zero risk persons will be directly or indirectly re-identified from anonymized information, but the residual re-identification risk must be “very low;” and
- some mandatory information concerning the anonymization process must be recorded in a register.
As can be seen, this is a very rigorous process. It is likely that some businesses that believe they have anonymized personal information appropriately have actually not done so in compliance with the Regulation. Therefore, businesses should consider conducting an in-depth review of the anonymization process used for personal information in the past.
The Regulation comes into force on May 30, 2024, except for the obligation to maintain a register, which will come into force on January 1, 2025.
Footnote
1. The principles of data protection should apply to any information concerning an identified or identifiable natural person. Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person. To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments. The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.